No RFC (3, H) Connection to the SAP Management of Change system (ABAP/3- and HTTP/H-Connection)
No RFC Connection to the Occupational Health application of SAP EHS Management as part of the SAP ERP system
No RFC Connection to the Extended Warehouse Management system
Security Guide for SAP S/4HANA 1709
SAP S/4HANA Business Applications P U B L I C 63
Note
EHS does not provide any authorizations for:
● SAP Management of Change
● Occupational Health of SAP EHS Management as part of SAP ERP
For detailed information about communication destinations, see Customizing for Environment, Health, and Safety under Foundation for EHS > Integration > Specify Destinations for Integration.
13.1.2.2 ICF Security in Environment, Health, and Safety
To use an app in Environment, Health, and Safety, you have to activate the Internet Communication Framework (ICF) service that the app needs. Activate only the services listed below; every active ICF node is an HTTP endpoint that the server exposes.
For general information, see ICF Security [page 19] in the Introduction section.
Incident Management
To use Incident Management apps, proceed as follows:
● In your front-end system, open transaction SICF. Under /default_host/sap/bc/ui5_ui5/sap/, activate
the following UI5 services:
○ repincidents1 (Report Incident)
○ injillanalyss1 (Injuries and Illnesses - Detailed Analysis)
○ incdntanalyss1 (Incidents - Detailed Analysis)
● In your back-end system, open transaction SICF. Under /default_host/sap/bc/webdynpro/sap/,
activate all Web Dynpro services that start with ehhss and ehfnd.
Health and Safety Management
To use Health and Safety Management apps, proceed as follows:
● In your front-end system, open transaction SICF. Under /default_host/sap/bc/ui5_ui5/sap/, activate
the following UI5 services:
○ /sap/bc/ui5_ui5/sap/sbrt_appss1 (Approved Chemicals, Risk Overview)
○ /sap/bc/ui5_ui5/sap/ehschm_reps1 (Chemical Risk Report)
○ /sap/bc/ui5_ui5/sap/ehschm_achs1 (Monitor Approved Chemicals)
○ /sap/bc/ui5_ui5/sap/ehscha_mycs1 (My Chemical Approvals)
○ /sap/bc/ui5_ui5/sap/ehsrisk_lsts1 (Monitor Risks)
○ /sap/bc/ui5_ui5/sap/ehsras_lsts1 (My Risk Assessment Projects)
● In your back-end system, open transaction SICF. Under /default_host/sap/bc/webdynpro/sap/,
activate all Web Dynpro services that start with ehhss and ehfnd.
Environment Management
To use Environment Management apps, proceed as follows:
● In your back-end system, open transaction SICF. Under /default_host/sap/bc/webdynpro/sap/,
activate all Web Dynpro services that start with ehenv and ehfnd.
13.1.2.3 Data Storage Security
Using Logical Path and File Names to Protect Access to the File System
In Environment, Health, and Safety (EHS), the XML export for Incident Management writes files to the file system. Access must therefore be granted explicitly to the intended files without opening up other directories or files (directory traversal). This is achieved by specifying logical paths and file names in the system that map to physical paths and file names. The mapping is validated at runtime; if access is requested to a directory that does not match a stored mapping, an error occurs.
The following lists show the logical file names and paths used by EHS and for which programs these file names
and paths apply:
Logical File Names Used
The following logical file name has been created in order to enable the validation of physical file names:
● EHHSS_INCIDENTS_XML
○ The program R_EHHSS_ALL_INC_TO_XML uses this logical file name together with the parameters used in this context.
Logical Path Names Used
The logical file name listed above uses the logical path EHHSS_BO_XML_EXPORT_PATH.
Activating the Validation of Logical Path and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward compatibility, the validation at runtime is deactivated by default. To activate it, maintain the physical path for the logical path using transaction FILE (client-independent) or SF01 (client-specific); as long as no physical path is maintained, file access under that logical name is not checked. To find out which paths are being used by your system, you can activate the corresponding settings in the Security Audit Log.
For more information on data storage security, see the respective chapter in the SAP NetWeaver Security Guide.
13.1.2.4 Data Protection
Data protection is very important in the following examples:
● In the incident management process, you have critical person-related information regarding absences or
injuries.
● In the health and safety management process, personal data about the risk assessment lead and the other
persons involved in a risk assessment are displayed.
● In the environment management process, data about persons assigned to compliance scenarios and about persons involved in tasks of category Action is displayed.
Environment, Health, and Safety (EHS) assumes that agreements for storage of personal data are covered in
individual work contracts. This also applies to notifications on initial data storage.
For more generic information, see Data Protection [page 27] in the Introduction section.
13.1.2.4.1 Deletion of Personal Data
Use
The Environment, Health, and Safety (EHS) component might process data (personal data) that is subject to the
data protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to
control the blocking and deletion of personal data in EHS.
For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Cross Components > Data Protection.
Relevant Application Objects and Available Deletion Functionality
The following tables list the relevant application objects and the available deletion functionality for Incident
Management, Health and Safety Management, and Environment Management.
Application Objects and Available Deletion Functionality in Incident Management
Table 31:
Application Objects | Provided Deletion Functionality
Incidents Archiving object EHHSS_INC
Incident Summary Reports Archiving object EHHSS_ISR
For more information about application objects and deletion functionality, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Asset Management > Environment, Health, and Safety > Incident Management (EHS-SUS-IM) > Data Archiving in Incident Management.
Application Objects and Available Deletion Functionality in Health and Safety Management
Table 32:
Application Objects | Provided Deletion Functionality
Risk Revisions Archiving object EHHSS_RSV
Risks Archiving object EHHSS_RSK
Risk Assessments Archiving object EHHSS_RAS
Safety Instructions Archiving object EHHSS_SI
Control Evaluations Archiving object EHHSS_CEVL
Control Inspections Archiving object EHHSS_CINS
Control Replacements Archiving object EHHSS_CRPL
Sampling Campaigns Archiving object EHHSS_SPLC
Samplings Archiving object EHFND_SPLG
Chemical Approvals Archiving object EHFND_CHA
Assignment of Person to Locations Archiving object EHFND_LOCP
Assignment of Person to Jobs Archiving object EHFND_JOBP
Sampled Person Data destruction object EHFND_SPLNG_SAMPLED_PERSON
For more information about application objects and deletion functionality, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Asset Management > Environment, Health, and Safety > Health and Safety Management (EHS-SUS-HS) > Technical Solution Information. You can find the information under the following nodes:
● Data Archiving in Health and Safety Management
● Data Destruction in Health and Safety Management
Application Objects and Available Deletion Functionality in Environmental Management
Table 33:
Application Objects | Provided Deletion Functionality
Compliance Scenario Actions Archiving object EHENV_SAC
For more information about application objects and deletion functionality, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Asset Management > Environment, Health, and Safety > Environment Management (EHS-SUS-EM) > Data Archiving in Environment Management.
Relevant Applications and Available End of Purpose Checks
In addition to destroying data used for incident management, health and safety management, or environment
management processes, EHS provides end of purpose checks (EoP) for central business partners. These checks
determine whether dependent data for a certain central business partner is still relevant for business activities in
EHS.
The following table lists the registered applications and the function module used for the end of purpose checks in
EHS.
Table 34:
Application: Incident Management (EHS_INC)
End of Purpose Check: EHHSS_INC_EOP_CHECK_BP
Further Information: The check determines whether the business partner is used in:
● Incidents
● Tasks in incidents
Application: Health and Safety (EHS_HS)
End of Purpose Check: EHHSS_HS_EOP_CHECK_BP
Further Information: The check determines whether the business partner is used in:
● Risk assessment projects
● Tasks in risk assessment projects
● Risks
● Control inspections
● Control evaluations
● Control replacements
Application: Health and Safety (EHS_HS_EXPOSURE)
End of Purpose Check: EHHSS_EXP_EOP_CHECK_BP
Further Information: The check determines whether the business partner is assigned to:
● Job positions
● Location positions
● Samplings as sampled person
Application: Environment Management (EHS_ENV)
End of Purpose Check: EHENV_EOP_CHECK_BP
Further Information: The check determines whether the business partner is used in tasks of category Action.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing under Cross-Application Components > Data Protection > Blocking and Unblocking of Data > Business Partner.
13.1.2.4.2 Read Access Logging of Personal Data in Incident Management
Use
In Read Access Logging (RAL), you can configure which read-access information to log and under which
conditions.
SAP delivers sample configurations for applications.
Incident Management logs data about illnesses or injuries that are maintained on the Edit Incident screen (Web Dynpro application EHHSS_INC_REC_OIF_V3). Since this information is potentially sensitive and access to it is in some cases legally regulated, you can use RAL to log when the data was accessed and by whom.
The following configurations log these fields:
Table 35:
Configuration: Involved Person - Basic Information
Fields Logged:
● Injured Person Name
● Phone Number
● Email
● Role(s)
● Incident Type
● Privacy Case
● Injured on Site
● Injured on Duty
● Additional Criteria
● Fatality
● Location of Death
● Cause of Death
● Statement of Involved Person
Business Context: Logs basic information of the person who is involved in the incident.
Configuration: Involved Person - Injury-Illness Information
Fields Logged:
● Injured Person Name
● Phone Number
● Email
● Classification
● Injury/Illness Type
● Injury/Illness Description
● Body Part
● Body Part Description
● Body Side
Business Context: Logs information on the injuries or the illness of the person who is involved in the incident.
Configuration: Involved Person - Treatment Information
Fields Logged:
● Injured Person Name
● Phone Number
● Email
● First Physician
● Further Treatment Provider
● Treatment Beyond First Aid
● Emergency Room
● Inpatient Overnight
● Unconsciousness
● Immediate Resuscitation
● Comment
● To First Aid
● To Further Treatment
Business Context: Logs information on the treatment of the person who is involved in the incident.
Configuration: Involved Person - Reports and Documents
Fields Logged:
● Injured Person Name
● Phone Number
● Email
● File Name (of report forms)
● File Name (of documents)
Business Context: Logs the files of reports and documents that are assigned to the involved person.
Configuration: Incident - Reports and Documents
Fields Logged:
● File Name (of report forms)
● Reference (report forms of person references)
● File Name (of documents)
● Reference (documents of person references)
Business Context: Logs the files of reports and documents that are assigned to the incident.
Further Information
You can find the configurations as described in the Read Access Logging [page 29] chapter.
13.1.2.5 Virus Scanning
The interactive forms of Environment, Health, and Safety (EHS) can contain JavaScript. Therefore, JavaScript must be enabled in Adobe Acrobat Reader, and e-mails with PDF attachments that contain JavaScript must not be filtered out in the e-mail inbound and outbound process. Since this loosens a filter that otherwise blocks active content in attachments, scope the exception to the mail flows that carry EHS forms rather than disabling the filter globally.
For more generic information, see Virus Scanning [page 21] in the Introduction section.
13.1.2.6 Other Security-Relevant Information
The following information is relevant for the security of Environment, Health, and Safety (EHS).
13.1.2.6.1 Dispensable Functions with Impacts on Security
Environment, Health, and Safety (EHS) can be integrated with HR Time Management in Customizing. If the personnel time management (PT) integration is activated, time data (including absences) from HR is displayed in the incident. An additional option is available to trigger the creation of HR absences from the incident. For all of these actions, HR authorizations are checked.
13.1.2.6.2 Security Settings for the Report Incident App
You use the SAP Cloud Platform, mobile service for SAP Fiori to implement the app Report Incident. For more information on the security settings of the SAP Cloud Platform, mobile service for SAP Fiori, see the SAP Help Portal at https://help.sap.com. There, search for SAP Cloud Platform, mobile service for SAP Fiori User Guide.
13.1.3 Resource Scheduling
13.1.3.1 Authorizations for Resource Scheduling
SAP S/4HANA Asset Management for resource scheduling uses the authorization concept provided by SAP
NetWeaver AS for ABAP. Therefore, the recommendations and guidelines for authorizations as described in the
SAP NetWeaver AS Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
SAP delivers a standard business role. You can use this role as a template for creating your own role in the front-
end system.
Table 36:
Role Description
SAP_BR_MAINTENANCE_PLANNER_RSH Maintenance Planner - Resource Scheduling
Please note that this business role must be created in the
front-end system.
SAP does not deliver a back-end role for resource scheduling. You must create your own role in the back-end
system using transaction PFCG. To this role, you must assign the relevant authorization objects.
Standard Authorization Objects
The following table shows the security-relevant authorization objects that are used. Please make sure that
authorizations for app users (maintenance planners) are configured according to their role and responsibilities.
Table 37:
Authorization Object Description
I_TCODE PM: Transaction Code
This authorization object determines which transactions a
user may perform in the PM area.
Note
Make sure that app users are authorized for transaction
IW38.
I_AUART PM: Order Type
This authorization allows you to control which users have ac
cess to orders and historical orders in a particular plant.
I_BEGRP PM: Authorization Group
You can use this authorization object to control which groups
of master data a user can display, create or change.
I_IWERK PM: Maintenance Planning Plant
Using this authorization object, you can control which users
may edit PM data with which transactions in the planning
plants.
I_INGRP PM: Maintenance Planner Group
You can use this authorization to control which users can dis
play, change or create objects associated with a particular
maintenance planner group.
I_SWERK PM: Maintenance Plant
Using this authorization object, you can control which users
may edit PM data with which transactions in the maintenance
plants.
I_KOSTL PM: Cost Centers
You can use this authorization to control which users can dis
play, change or create objects associated with a particular
cost center.
C_ARPL_ART CIM: Work center category
With this authorization object, you can limit the authorization
to create, change and display work centers depending on the
work center category.
C_ARPL_WRK CIM: Work center - plant
With this authorization object, you can restrict:
● The maintenance of work centers/resources, work center/resource hierarchies, and capacities to certain actions (e.g. change or display) in certain plants
● The maintenance of downtimes, independent of plant
C_AFKO_ACT Activities on network header level
Using this authorization object, you control the maintenance
of data for the network header and possible actions at the
header level.
C_AFKO_AWK CIM: Plant for order type of order
This authorization object can be used to limit the maintenance
of production orders with respect to order type and plant.
C_AFKO_DIS Network: MRP Group (Plant) and Transaction Type
With this authorization object, you can limit the maintenance
of networks with regard to MRP controller and plant.
C_AFVG_APL PS: Work Center for Network Activities and Activity Elements
You can use this authorization object to control who can access activities and activity elements in the Project System depending on the work center.
C_AFVG_TYP PS: Activity types for network act. and activity elements
You can use this authorization object to control who can ac
cess activities and activity elements in the Project System de
pending on the activity category.
C_TCLA_BKA Authorization for Class Types
This authorization defines access to classes via the class type. It is checked in all functions that use the classification system to classify objects or maintain classes.
I_QMEL PM/QM: Notification Types
You can use this authorization to control which users can ac
cess notifications of a particular notification type.
13.2 Commerce
13.2.1 Commerce Management
13.2.1.1 Convergent Invoicing, Receivables Mngmt and Payment Handling
The following section provides an overview of the security-relevant information that applies to Convergent
Invoicing and Receivable Management and Payment Handling as part of Contract Accounts Receivable and
Payable (FI-CA).
13.2.1.1.1 Authorizations
Business Roles
The following business roles are provided:
● SAP_BR_APR_MANAGER_FICA (Accounts Payable and Receivable Manager (FI-CA))
● SAP_BR_APR_ACCOUNTANT_FICA (Accounts Payable and Receivable Accountant (FI-CA))
● SAP_BR_INVOICING_SPEC_CINV (Invoicing Specialist (Convergent Invoicing))
● SAP_BR_INVOICING_MANAGER_CINV (Invoicing Manager (Convergent Invoicing))
Standard Authorization Objects
You can easily recognize the authorization objects currently used in Contract Accounts Receivable and Payable
(FI-CA) from their technical name as follows:
1. In the SAP Easy Access menu choose Tools > Administration > User Maintenance > Information System > Authorization Objects > By object name.
2. Enter F_KK* in the Authorization Object field and execute your search.
In the result list, you can display the details for each selected authorization object such as authorization fields,
documentation and permitted activities, if defined.
In addition, for the Clarification Processing area, the authorization object S_CFC_AUTH exists; for the Correspondence area, the authorization object P_CORR; and for prepaid processing, authorization objects exist that follow the naming convention F_PREP*. You can use Customizing roles to control access to the configuration of Contract Accounts Receivable and Payable (FI-CA) in the SAP Customizing Implementation Guide (IMG).
13.2.1.1.2 Data Storage Security
Contract Accounts Receivable and Payable (FI-CA) saves data in files in the file system. Access must therefore be granted explicitly to the intended files without opening up other directories or files (directory traversal). This is achieved by specifying logical paths and file names in the system that map to physical paths and file names. The mapping is validated at runtime; if access is requested to a directory that does not match a stored mapping, an error occurs.
The following table shows the logical file names and paths used by Contract Accounts Receivable and Payable (FI-CA) and the programs to which they apply:
Logical File Names Used in FI-CA and Logical Path Names
The following logical file names have been created in order to enable the validation of physical file names:
Table 38:
Program | Logical File Name Used by the Program | Logical Path Name Used by the Program
RFKIBI_FILE00, RFKIBI_FILEP01, RFKKBI_FILEEDIT, RFKKBIBG, RFKKZEDG, RFKKRLDG, RFKKCMDG, RFKKCRDG, RFKKAVDG, RFKKBIB0, RFKKZE00, RFKKRL00, RFKKCM00, RFKKCR00, RFKKAV00, RFKKKA00, RFKKBIT0 | FICA_DATA_TRANSFER_DIR | FICA_DATA_TRANSFER_DIR
RFKKPCSF, RFKKPCDS | FI-CA-CARD-DATA-S | FI-CA-CARD-DATA-S
RFKKCVSPAY, RFKK_CVSPAY_CONFIRM, RFKKCVSCONFIRMDB, RFKK_CVSPAY_CONFIRM_TEST | FI-CA-CVS | FI-CA-CVS
RFKK_DOC_EXTR_EXP, RFKK_DOC_EXTR_AEXP, RFKK_DOC_EXTR_IMP, RFKK_DOC_EXTR_EXTR, RFKK_DOC_EXTR, RFKK_DOC_EXTR_DEL, class CL_FKK_TEXT_FILE | FI-CA-DOC-EXTRACT-DIR | FI-CA-DOC-EXTRACT-DIR
RFKKBIXBITUPLOAD | FI-CA-BI-SAMPLE, FI-CA-BI-SAMPLE-DIR | FI-CA-BI-SAMPLE-DIR
RFKKCOL2, RFKKCOLL, transaction FP03DM (Mass Activity) | FI-CA-COL-SUB | FI-CA-COL-SUB
Transaction FPCI (Mass Activity) | FI-CA-COL-INFO | FI-CA-COL-INFO
RFKKCOPM, READFILE | FI-CA-COL-READ | FI-CA-COL-READ
RFKKCOPG | FI-CA-COL-TEST | FI-CA-COL-TEST
RFKKRDI_REPORT, RFKKRDI_REPORT_DIS | FI-CA-RDI | FI-CA-RDI
SAPFKPY3 | FI-CA-DTA-NAME | FI-CA-DTA-NAME
RFKKCHK01 | FI-CA-CHECKS-EXTRACT | FI-CA-CHECKS-EXTRACT
Class CL_FKK_INFCO_SEND | FI-CA-INFCO | FI-CA-INFCO
RFKKBE_SAL1 | FICA_BE_SAL | FICA_BE_SAL
RFKKBE_SAL2 | FICA_BE_SAL_XML | FICA_BE_SAL_XML
RFKK1099 | FI-CA-1099 | FI-CA-1099
RFKKOP03, RFKKOP04, RFKKOP07 | FICA_OPEN_ITEMS | FICA_OPEN_ITEMS
RFKKES_SAL1, RFKKES_SAL2 | FICA_TAX_REP_GEN | FICA_TAX_REP_GEN
Transaction EMIGALL | ISMW_FILE | ISMW_ROOT
Activating the Validation of Logical Path and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward compatibility, the validation at runtime is deactivated by default. To activate it, maintain the physical path for the logical path using transaction FILE (client-independent) or SF01 (client-specific); as long as no physical path is maintained, file access under that logical name is not checked. To find out which paths are being used by your system, you can activate the corresponding settings in the Security Audit Log.
For more information about data storage security, see the corresponding chapter in the SAP NetWeaver Security Guide.
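The following added example (Python written for this page, not SAP code) shows the validation that this section and the EHS data storage section above describe: a logical file name resolves to a logical path, a physical name is accepted only if it stays inside the maintained physical directory, and a logical path with no physical path maintained is not validated at all, which is the downward-compatible default the text warns about. The directory names, the file names and the rule that subdirectories of the maintained path are accepted are assumptions of this example.

```python
"""Added example: logical path / file name validation as configured with transactions
FILE and SF01.  Illustrative Python for this page, not SAP code."""
import posixpath
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Verdict(Enum):
    VALID = "valid"                  # inside the maintained physical path
    REJECTED = "rejected"            # outside it: directory traversal or wrong directory
    NOT_VALIDATED = "not validated"  # no physical path maintained: legacy default, no check


@dataclass(frozen=True)
class LogicalPath:
    name: str
    physical_dir: Optional[str]      # None = nothing maintained in transaction FILE / SF01


@dataclass(frozen=True)
class LogicalFile:
    name: str
    logical_path: str


# Constructed configuration.  The logical names are the ones the guide lists; the
# physical directories are assumptions for this example.
LOGICAL_PATHS: Dict[str, LogicalPath] = {
    "FICA_DATA_TRANSFER_DIR": LogicalPath("FICA_DATA_TRANSFER_DIR", "/usr/sap/PRD/fica/transfer/"),
    "EHHSS_BO_XML_EXPORT_PATH": LogicalPath("EHHSS_BO_XML_EXPORT_PATH", None),
}
LOGICAL_FILES: Dict[str, LogicalFile] = {
    "FICA_DATA_TRANSFER_DIR": LogicalFile("FICA_DATA_TRANSFER_DIR", "FICA_DATA_TRANSFER_DIR"),
    "EHHSS_INCIDENTS_XML": LogicalFile("EHHSS_INCIDENTS_XML", "EHHSS_BO_XML_EXPORT_PATH"),
}


def validate_physical_filename(logical_file: str, physical_file: str) -> Verdict:
    """Decide whether a program may open physical_file under logical_file."""
    lf = LOGICAL_FILES.get(logical_file)
    if lf is None:
        raise KeyError(f"logical file name {logical_file!r} is not defined")
    lp = LOGICAL_PATHS[lf.logical_path]
    if lp.physical_dir is None:
        return Verdict.NOT_VALIDATED
    # Reject characters that let a name escape a textual comparison on some platforms.
    if "\x00" in physical_file or "\\" in physical_file:
        return Verdict.REJECTED
    base = posixpath.normpath(lp.physical_dir)
    if not posixpath.isabs(physical_file):
        physical_file = posixpath.join(base, physical_file)
    candidate = posixpath.normpath(physical_file)   # collapses "." and ".." segments
    # Must lie strictly below base; comparing against base + "/" also defeats prefix
    # tricks such as /usr/sap/PRD/fica/transfer2/.  Subdirectories are accepted here.
    if not candidate.startswith(base + "/"):
        return Verdict.REJECTED
    return Verdict.VALID


def unvalidated_logical_paths() -> List[str]:
    """Logical paths still running with the legacy no-check default."""
    return sorted(n for n, lp in LOGICAL_PATHS.items() if lp.physical_dir is None)


if __name__ == "__main__":
    for lf, pf in [("FICA_DATA_TRANSFER_DIR", "payments_20240101.txt"),
                   ("FICA_DATA_TRANSFER_DIR", "../../../../etc/passwd"),
                   ("FICA_DATA_TRANSFER_DIR", "/usr/sap/PRD/fica/transfer2/x.txt"),
                   ("EHHSS_INCIDENTS_XML", "../../etc/passwd")]:
        print(lf, pf, validate_physical_filename(lf, pf).value)
    print("not validated:", unvalidated_logical_paths())
```

The last case is the one to watch in a real system: the traversal under EHHSS_INCIDENTS_XML is not rejected, it is simply not checked, because no physical path has been maintained for its logical path. Listing such paths and maintaining them in FILE or SF01 is what turns the validation on.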
13.2.1.1.3 Data Protection
Contract Accounts Receivable and Payable (FI-CA) might process data (personal data) that is subject to the data
protection laws applicable in specific countries.
Contract Accounts Receivable and Payable (FI-CA) uses SAP ILM to support the deletion of personal data as
described in the following sections. SAP delivers end of purpose checks for Contract Accounts Receivable and
Payable (FI-CA). You register the end of purpose check (EoP) in the Customizing settings for the blocking and
deletion of the business partner.
For information about the Customizing of blocking and deletion for Contract Accounts Receivable and Payable, see Configuration: Simplified Blocking and Deletion and Display of Blocked Data below.
Also, see the sections mentioned below in the Product Assistance of Contract Accounts Receivable and Payable under Basic Functions > SAP Business Partner > Blocking and Deleting Personal Data.
Display of Blocked Data
Blocked business partner master data can be displayed only by users with a special authorization, and even then it cannot be created, changed, copied, or used in follow-up activities. However, FI-CA-specific data relating to a blocked business partner (for example, the contract account) can be displayed without this special authorization. For more information, see Displaying Personal Data.
Relevant Application Objects and Available Deletion Functionality
For more information, see the following sections of the application documentation:
● Blocking and Deleting Personal Data
● Deleting Business Partners
● Dealing with Personal Data Outside the Business Partner
Relevant Application Objects and Available EoP functionality
For more information, see section Check for End of Purpose in Contract Accounts Receivable and Payable.
Process Flow
Before archiving data, you must define residence times and retention periods in SAP Information Lifecycle Management (ILM). Depending on the type of deletion functionality available, you choose whether data deletion is required for data stored in archive files or for data stored in the database. You do the following:
1. Run transaction IRMPOL and maintain the required residence and retention policies for the central business
partner (ILM object: CA_BUPA).
2. Run transaction FPDPR_BP_INIT once for existing business partners for which you want to execute the end
of purpose checks. New business partners you create are automatically included in the end of purpose
checks.
3. Run transaction FPDPR1 to prepare the end of purpose check of the central business partner.
The function module MKK_BUPA_EOP_CHECK saved for Contract Accounts Receivable and Payable (FI-CA) in
table BUTEOPFM provides the EoP check result obtained by transaction FPDPR1 to transaction
BUPA_PRE_EOP.
4. Run transaction BUPA_PRE_EOP to enable the end of purpose check function for the central business partner.
Business users can request unblocking of blocked data by using the transaction BUP_REQ_UNBLK.
If you have the needed authorizations, you can unblock data by running the transaction BUPA_PRE_EOP.
You delete data by using the transaction ILM_DESTRUCTION for the ILM objects of Contract Accounts Receivable
and Payable (FI-CA).
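Added example (Python written for this page, not SAP code) that serves both Table 34 in the EHS section above and the FI-CA process flow just described: every registered application supplies a check function, in the way table BUTEOPFM registers MKK_BUPA_EOP_CHECK and the EHHSS_* and EHENV_* modules, and the business partner is a blocking candidate only when no registered application reports open business or a use that is still inside the residence period. The sample records, the residence period and the rule that an open FI-CA item keeps the purpose alive regardless of its age are assumptions of this example.

```python
"""Added example: combining the registered end-of-purpose (EoP) checks of several
applications before a business partner is blocked.  Illustrative Python, not SAP code;
the registry models table BUTEOPFM, and all records and periods are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records (assumptions, not from the guide).
INCIDENTS = [
    {"id": "INC-1", "date": date(2015, 3, 2), "involved": ["BP100"], "task_owners": ["BP100"]},
    {"id": "INC-2", "date": date(2023, 9, 1), "involved": ["BP500"], "task_owners": []},
]
RISK_ASSESSMENTS = [{"id": "RAS-1", "date": date(2018, 6, 1), "lead": "BP100", "task_owners": []}]
JOB_ASSIGNMENTS = [{"bp": "BP300", "job": "J-42", "valid_to": None}]   # None = still assigned
ACTION_TASKS = [{"id": "T-7", "category": "Action", "owner": "BP500", "date": date(2022, 1, 10)}]
FICA_ITEMS = [
    {"bp": "BP100", "posted": date(2016, 4, 1), "cleared": date(2016, 5, 3)},
    {"bp": "BP200", "posted": date(2021, 2, 1), "cleared": None},   # open receivable
]
SAMPLE_TODAY = date(2024, 1, 1)
SAMPLE_RESIDENCE = timedelta(days=5 * 365)   # assumed residence period from IRMPOL


@dataclass(frozen=True)
class EopResult:
    application: str
    last_use: Optional[date]   # latest completed business activity, None if none found
    open_business: bool        # activity still running; blocks EoP whatever the date
    detail: str


CheckFn = Callable[[str], EopResult]
EOP_REGISTRY: Dict[str, CheckFn] = {}   # application -> check function, like BUTEOPFM


def register(application: str):
    def deco(fn: CheckFn) -> CheckFn:
        EOP_REGISTRY[application] = fn
        return fn
    return deco


def _latest(dates: List[date]) -> Optional[date]:
    return max(dates) if dates else None


@register("EHS_INC")          # incidents and tasks in incidents
def ehs_incident_check(bp: str) -> EopResult:
    hits = [i["date"] for i in INCIDENTS if bp in i["involved"] or bp in i["task_owners"]]
    return EopResult("EHS_INC", _latest(hits), False, f"{len(hits)} incident reference(s)")


@register("EHS_HS")           # risk assessment projects and their tasks
def ehs_health_safety_check(bp: str) -> EopResult:
    hits = [r["date"] for r in RISK_ASSESSMENTS if bp == r["lead"] or bp in r["task_owners"]]
    return EopResult("EHS_HS", _latest(hits), False, f"{len(hits)} risk assessment reference(s)")


@register("EHS_HS_EXPOSURE")  # current job / location assignments
def ehs_exposure_check(bp: str) -> EopResult:
    current = [a for a in JOB_ASSIGNMENTS if a["bp"] == bp and a["valid_to"] is None]
    return EopResult("EHS_HS_EXPOSURE", None, bool(current), f"{len(current)} current job assignment(s)")


@register("EHS_ENV")          # tasks of category Action
def ehs_environment_check(bp: str) -> EopResult:
    hits = [t["date"] for t in ACTION_TASKS if t["owner"] == bp and t["category"] == "Action"]
    return EopResult("EHS_ENV", _latest(hits), False, f"{len(hits)} Action task(s)")


@register("FI-CA")            # open items keep the purpose alive; cleared items date it
def fica_check(bp: str) -> EopResult:
    items = [i for i in FICA_ITEMS if i["bp"] == bp]
    open_items = [i for i in items if i["cleared"] is None]
    last = _latest([i["cleared"] for i in items if i["cleared"] is not None])
    return EopResult("FI-CA", last, bool(open_items), f"{len(open_items)} open item(s)")


def end_of_purpose_reached(bp: str, today: date, residence: timedelta) -> Tuple[bool, List[EopResult]]:
    """True only if every registered application reports neither open business nor a
    use that is still inside the residence period."""
    results = [check(bp) for check in EOP_REGISTRY.values()]
    blockable = all(
        not r.open_business and (r.last_use is None or r.last_use + residence <= today)
        for r in results
    )
    return blockable, results


def blocking_candidates(bps: List[str], today: date, residence: timedelta) -> List[str]:
    return [bp for bp in bps if end_of_purpose_reached(bp, today, residence)[0]]


if __name__ == "__main__":
    for bp in ["BP100", "BP200", "BP300", "BP400", "BP500"]:
        ok, results = end_of_purpose_reached(bp, SAMPLE_TODAY, SAMPLE_RESIDENCE)
        blockers = [r.application + ": " + r.detail for r in results
                    if r.open_business or (r.last_use and r.last_use + SAMPLE_RESIDENCE > SAMPLE_TODAY)]
        print(bp, "blockable" if ok else "keep", blockers)
```

The aggregation is deliberately all-or-nothing: one application reporting open business (the open FI-CA item of BP200, the current job assignment of BP300) is enough to keep the partner unblocked, which is why a missing registration in BUTEOPFM is a data-protection defect and not a harmless omission.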
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components under Data Protection.
Define the settings for authorization management under Authorization Management. For more information, see
the Customizing documentation.
Define the settings for blocking under Blocking and Unblocking > Business Partner. For more information, see the Customizing documentation.
You configure the settings specific to Contract Accounts Receivable and Payable in Customizing for Contract Accounts Receivable and Payable under Technical Settings > Data Protection and Data Deletion. For more information, see the Customizing documentation.
13.2.1.1.4 Payment Card Security According to PCI-DSS
Note
The Payment Card Industry Data Security Standard (PCI-DSS) was jointly developed by major credit card
companies in order to create a set of common industry security requirements for the protection of cardholder
data. Compliance with this standard is relevant for companies processing credit card data. For more
information, see http://www.pcisecuritystandards.org .
The following sections of the security guide support you in implementing payment card security aspects and
outline steps that need to be considered to be compliant with the PCI-DSS.
Please note that the PCI-DSS covers more than the steps and considerations given here. Complying with the PCI-DSS lies completely within the customer's responsibility, and we cannot guarantee the customer's compliance with the PCI-DSS.
For current information about PCI-DSS in general, see SAP Note 1609917 .
Contract Accounts Receivable and Payable (FI-CA) processes all payment transactions with your business
partners. For this purpose, Contract Accounts Receivable and Payable also processes credit card data. For
processing credit card transactions, Contract Accounts Receivable and Payable follows the rules laid down by the
Payment Card Industry Data Security Standard.
Credit card data arrives in Contract Accounts Receivable in the following ways:
● You receive documents, which already contain credit card data in their supplements, by means of the IDoc
interface or by means of BAPIs.
● You receive payments that already contain credit card data with the payment lot transfer program
(RFKKZE00).
● External payment collectors and external cash desk services transfer credit card data using enterprise
services with the payment to Contract Accounts Receivable and Payable.
● Financial Customer Care transfers credit card data for documents from SAP Customer Relationship
Management using RFC.
● Customers or your employees add credit card data as follows:
○ Employees enter credit card data in the master records of business partners and prepaid accounts.
○ Employees enter payment card data in the Maintain Bank Data (FPP4) transaction.
○ Employees enter credit card data for payments in the cash desk, in the cash journal, in payment
specifications and in promises to pay.
○ Customers enter credit card data online in SAP Biller Direct. SAP Biller Direct transfers the data to
Contract Accounts Receivable and Payable.
● You adopt billable items with payment information using the generated RFC interfaces /1FE/_BIT_CREATE_API.
● You create EDRs of the type AMOUNT using function module FKKBI_EDR_AMOUNT_CREATE.
The program for payment (such as the payment run or the cash desk) generates payment documents with
supplements containing the credit card data. Contract Accounts Receivable and Payable transfers this credit card
data to the payment card company or the clearing house using transaction FPPCDS (creation of file) or FPCS
(online transfer).
Contract Accounts Receivable and Payable stores the data as follows:
Table 39:
Object Table(s)
Business Partner Master Record BUT0CC
CCARD
Payments in Payment Lot or Credit Card Lot DFKKZP
Document DFKKOPC
DFKKOPKC
DFKK_PCARD
Payment Data for a Payment Run DPAYH
Payment Data for a Payment Using SAP Biller Direct or Financial Customer Care DFKKOPC
Payment Specifications DFKKIP_GRP
Promises to Pay DFKKPPD_PAY
Master Record of Prepaid Account FKKPREPACC
Billable Items Generated tables:
● /1FE/00PY
● /1FE/01PY
You must restrict the display of these objects by assigning authorizations, and at the same time ensure that this authorization protection cannot be circumvented by database programs or customer-specific ABAP reports that read the tables directly.
You can also make additional security settings for payment card data. For more information, see SAP Note
1032588 and the SAP S/4HANA Security Guide for “Payment Card Security”.
Archiving
Only masked credit card information can be archived. Clear text credit card information should not be archived.
Archiving encrypted credit card information is problematic because archived data should not be changed.
Encrypted credit card information has to be re-encrypted with a different key, for example, with key rotation, as
required by PCI-DSS. This change of data is not possible in an archive.
In technologies that are agnostic to the semantics of the data, such as Process Integration (PI), ABAP Web Services, or Forward Error Handling (FEH), archiving has to be disabled. IDocs that contain credit card information should not be archived.
Interfaces (IDoc/Services)
Caution
According to PCI-DSS, IDoc segments are not allowed to store payment card numbers in clear text. However, during processing of an IDoc in the IDoc Framework, all values are stored temporarily, including the clear text credit card number. For more information about how to process your own IDocs containing credit card information, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies, Security Guide ALE (ALE Applications) in SAP NetWeaver Release 7.30.
If you exchange data between systems using IDoc messages, and this data contains unencrypted credit card
information, you have to implement access restrictions and a deletion concept at the level of the file system.
Contract Accounts Receivable and Payable processes payment card data in the following interfaces:
Table 40:
Type of Interface | Technical Name | Description
BAPI | BAPI_CTRACPREPAIDACCOUNT_CREA | BAPI - FI-CA Prepaid Account: Create
BAPI | BAPI_CTRACPREPAIDACCOUNT_CHNG | BAPI - FI-CA Prepaid Account: Change
BAPI | BAPI_CTRACPREPAIDACCOUNT_GETD | BAPI - FI-CA Prepaid Account: Read Detail Data
BAPI | BAPI_CTRACDOCUMENT_CREATE | BAPI: FI-CA Post Document
RFC | FKK_PREP_PCARD_STORE | Prepaid: Store Payment Data in DFKK_PCARD
RFC | Event 1421 (function module FKK_SAMPLE_1421) | Parallel Billing: Call Settlement
RFC | FKK_BUPA_MAINTAIN_SINGLE | Maintain Business Partner
RFC | /1FE/ | IDoc: ALE_CTRACDOCUMENT_CREATE (FI-CA Post document)
RFC Debugging
Caution
Disable RFC debugging when you process credit card information in a productive system. Do not activate the Set RFC Trace option in your productive system. If this option is active, the system saves all input data of an RFC call in clear text to a file. If credit card numbers (PAN) are included in calls to some function module, this data is written to that file. Since these numbers have to be stored encrypted according to the PCI-DSS standard, activating this option would make the system no longer PCI compliant.
Forward Error Handling (FEH)
Caution
Disable Forward Error Handling for all services that contain credit card numbers in SAP Customizing.
Card Verification Values (CVV)
Caution
Do not process asynchronous services that contain a card verification code (CAV2, CID, CVC2, CVV2) or their values. Note that in SAP services, these values correspond to the GDT PaymentCardVerificationValueText. The reason is that the payload of asynchronous services is persisted in the database until the service is processed, and persisting card verification values is not allowed according to PCI-DSS.
Synchronous services can be processed because their payload is not persisted.
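The rules in this section (mask before archiving, no clear-text PAN in an RFC trace file or IDoc dump, no card verification value in a persisted asynchronous payload) can be checked mechanically at the point where data is about to be written somewhere PCI-DSS treats as storage. The following Python is an added example for the reader of this guide, not SAP code and not part of Contract Accounts Receivable and Payable. It assumes constructed payload field names, a constructed trace line and the public test card numbers; PaymentCardVerificationValueText is the GDT name given above.

```python
"""Added example, not SAP code: mechanical checks for the PCI-DSS rules stated in
this section for FI-CA payment card data: mask a PAN before it is displayed or
archived, find clear-text PANs in text such as an RFC trace file or an IDoc
dump that must never be archived, and refuse to hand a payload that carries a
card verification value to an asynchronous (persisted) service.

Assumptions (constructed for this example): the payload field names other than
the GDT name PaymentCardVerificationValueText, the sample trace line, and the
card numbers, which are the public test numbers 4111... and 3782...."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Payload fields that carry a card verification value (CAV2, CID, CVC2, CVV2).
CVV_FIELDS = {"PaymentCardVerificationValueText", "CAV2", "CID", "CVC2", "CVV2"}


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check, which separates card numbers from other digit runs
    such as document numbers or amounts."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked form that may be stored or archived: first 6 and last 4 digits in
    clear, the rest replaced by '*' (the most PCI-DSS allows to be displayed)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_clear_text_pans(text: str) -> list:
    """Luhn-valid card numbers found in clear text, e.g. in the file written by
    the Set RFC Trace option or in an IDoc segment dump."""
    hits = []
    for match in _PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def check_async_payload(payload: dict) -> list:
    """Reasons why a payload must not go to an asynchronous service, whose
    payload is persisted in the database until it is processed.  An empty
    list means the payload is acceptable (a masked PAN passes)."""
    problems = []
    for field, value in payload.items():
        if field in CVV_FIELDS and value not in (None, ""):
            problems.append(f"{field}: card verification value present")
        if isinstance(value, str) and find_clear_text_pans(value):
            problems.append(f"{field}: clear-text PAN")
    return problems


if __name__ == "__main__":
    # Constructed sample data: one trace line and two payloads.
    trace_line = "RFC FKK_PREP_PCARD_STORE PAN=4111111111111111 AMOUNT=1000"
    print(find_clear_text_pans(trace_line))           # ['4111111111111111']
    print(mask_pan("4111 1111 1111 1111"))            # 411111******1111
    print(check_async_payload({"PaymentCardVerificationValueText": "123"}))
    print(check_async_payload({"PAN": mask_pan("378282246310005"), "CVV2": ""}))  # []
```

The check belongs at the three boundaries the guide names: the archive writer, the file the RFC trace writes, and the queue of an asynchronous service. A masked PAN passes, which is exactly the form the guide permits in an archive; a Luhn-valid digit run in any free-text field does not.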
13.2.1.1.5 Other Security-Relevant Information
In Contract Accounts Receivable and Payable (FI-CA), some objects and special activities are protected by special
authorizations. The associated authorization object is F_KK_SOND. See table TFKAUTH (use transaction SM30 to
display) for information on all activities that you can protect with this authorization object.
13.3 Finance
13.3.1 Financial Accounting
Network and Communication Security
Communication with external systems takes place using the standard channels provided by SAP basis
technology:
● Application Link Enabling (ALE)/IDoc
● Standard interfaces to BI, CRM, and SRM systems
● Batch-Input
Ensure that no unauthorized access can take place at the time of data transfer using encryption and with the
help of your network.
● Remote Function Call (RFC) / Business Application Programming Interface (BAPI)
● File Interface
Ensure that no unauthorized access can take place at the time of data transfer using encryption and with the
help of your network.
● SAP Process Integration (PI)
● E-mail, fax
Example
○ Financial Accounting has interfaces to Taxware and Vertex software used for performing tax
calculations.
○ Electronic advance return for tax on sales/purchases:
○ There is an interface for the electronic advance return for tax on sales and purchases using Elster.
Communication takes place by means of XI.
○ You can digitally sign the electronic advance return for tax on sales/purchases.
○ Payments and payment advice notes are dispatched using IDoc, and dunning notices are sent by e-mail or fax.
Communication Destinations
All the technical users generally available can be used.
Data Storage Security
Many of the Financial Accounting transactions access sensitive data. Access to this kind of data, such as financial
statements, is protected by standard authorization objects.
13.3.1.1 Authorizations in Financial Accounting
The following table shows the security-relevant authorization objects that are used by Financial Accounting.
For additional authorization objects that are specific to the components in Financial Accounting (such as FI-GL
and FI-SL), see the corresponding sections of this Security Guide.
Standard Authorization Objects in Financial Accounting
Table 41:
Authorization Object | Description
F_WEB_ADRS | Display/Change of Address Data via Web Interface
F_KKINTER | Authorization for Interest Posting
F_PAYRQ | Authorization Object for Payment Requests
F_BKPF_BLA | Accounting Document: Authorization for Document Types
F_BKPF_BUK | Accounting Document: Authorization for Company Codes
F_BKPF_BUP | Accounting Document: Authorization for Posting Periods
F_BKPF_GSB | Accounting Document: Authorization for Business Areas
F_BKPF_KOA | Accounting Document: Authorization for Account Types
F_BKPF_VW | Accounting Document: Display/Change Default Values Document Type/Posting Key
F_PAYOH_AV | Release and Rejection Reasons
F_FBCJ | Cash Journal: General Authorization
F_KK_CJROL | Cash Journal: Maintenance of Responsibilities
F_KMT_MGMT | Account Assignment Model: Authorization for Maintenance and Use
F_WTMG | Withholding Tax Changeover
FOT_B2A_V | Admin. Report Electronic Data Transmission to Authorities
FINS_MIG | Authorization object for migration to SAP Simple Finance, On-Premise Edition
FQM_FLOW | Authorization object for Financial Quantity Management
13.3.1.2 Deletion of Personal Data in Financial Accounting
Use
The Financial Accounting (FI) component might process data (personal data) that is subject to the data protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance, Cross Components, Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 42:
Application Object | Provided Deletion Functionality
FI documents | ILM object FI_DOCUMNT (SAP note 2011278)
Bank statement | ILM object FI_ELBANK
Check management | ILM object FI_SCHECK
Interest data | Deletion report RFINTITDEL_DES; ILM object FI_INTEREST_DESTRUCTION (SAP note 1926249)
Payment data | Deletion report SAPF110R
Payment order | Deletion report RFPYORDD
Dunning data | Deletion report SAPF150R_DES; ILM object FI_DUNNING_DESTRUCTION (SAP note 1932584)
Cash Journal data | ILM object FI_TCJ_DOC (SAP note 1949312)
Payment requests | ILM object FI_PAYRQ (SAP note 2005535)
Payment advice data | Deletion report RFAVIS20
Error correction system (ECS) | ILM object GLE_ECS (SAP note 1900413)
Down payment chain | ILM object /SAPPCE/DP (SAP note 1876387)
Accounting interface posting data | ILM object MM_ACCTIT
Asset Accounting | ILM object AM_ASSET (SAP note 1860049)
Available Check
Implemented Solution: End of Purpose Check
For more information, see SAP note 2018575.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in
Customizing for Cross-Application Components under Data Protection.
13.3.1.3 General Ledger Accounting (FI-GL)
13.3.1.3.1 Authorizations
The following table shows the business roles that are used by the FI-GL component.
Business Roles in General Ledger Accounting
Table 43:
Role | Description
SAP_BR_EXTERNAL_AUDITOR | External Auditor
SAP_BR_GL_ACCOUNTANT | General Ledger Accountant
Standard Authorization Objects
The following table shows the security-relevant authorization objects that are used by the FI-GL component.
Standard Authorizations in General Ledger Accounting
Table 44:
Authorization Object | Description
F_ACE_PST | Accrual Engine: Accrual Postings
F_ACE_DST | Accrual Engine: Accrual Objects
F_INVRPMAT | Authorization for Material Journal (Inventory Info System)
F_INVRPWIP | Authorization for WIP Journal (Inventory Info System)
GLE_ECS | Authorization Check for Changing ECS Items
F_T011 | Financial Statements: General Maintenance Authorization
F_BKPF_BES | Accounting Document: Account Authorization for G/L Accounts
F_FAGL_CV | Customizing Versions
F_FAGL_SKF | FI: Processing of Statistical Key Figures
F_FAST_CLS | Fast Close Authorizations
F_FAGL_LDR | General Ledger: Authorization for Ledger
F_FAGL_DRU | General Ledger: Authorization for Rule Entries for Validation
F_REORG_PL | General Ledger: Authorization for Reorganization
F_FAGL_SEG | General Ledger: Authorization for Segment
F_FAGL_SLL | General Ledger: Authorization to Switch Leading Ledger
F_RPROC | Intercompany Reconciliation: Authorizations
FAGL_INST | Customer Enhancements for General Ledger
F_T011_BUK | Planning: Authorization for Company Codes
F_SKA1_BUK | G/L Account: Authorization for Company Codes
F_SKA1_KTP | G/L Account: Authorization for Charts of Accounts
F_SKA1_BES | G/L Account: Account Authorization
F_SKA1_AEN | G/L Account: Change Authorization for Certain Fields
K_TP_VALU | Transfer Price Valuations
13.3.1.3.2 Data Storage Security
Logical Path and File Names
The FI-GL component saves data in files in the file system. Therefore, it is important to explicitly provide access to
the corresponding files in the file system without allowing access to other directories or files (also known as
directory traversal). This is achieved by specifying logical paths and file names in the system that map to the
physical paths and file names. This mapping is validated at runtime and if access is requested to a directory that
does not match a stored mapping, then an error occurs.
The following lists show the logical file names and paths used by the FI-GL component. They also show the
programs for which these file names and paths apply.
Logical File Names and Paths for FI-GL and FI-SL
Logical File Names
The following logical file names have been created to enable the validation of physical file names:
● FI_COPY_COMPANY_CODE_DATA_FOR_GENERAL_LEDGER_0X
○ Programs using this logical file name:
○ RFBISA00
○ RFBISA01
○ RFBISA51
○ Parameter used in this context:
○ Program Name
● FI_INFOSYS_TRANSPORT
○ Programs using this logical file name:
○ RGRJTE00
○ RGRLTE00
○ RGRMTE00
○ RGRRTE00
○ RGRSTE00
○ RGRVTE00
○ RGRXTE00
○ RGSSTE00
○ RGSVTE00
○ RGRJTI00
○ RGRMTI00
○ RGSSTI00
○ RGSVTI00
○ Parameter used in this context:
○ Program name
● FI_VALUATION
○ Programs using this logical file name:
○ FAGL_FCV
○ FAGL_FC_VALUATION
○ SAPF100
○ Parameters used in this context:
○ Program name
○ Key date (from the selection screen)
○ Valuation area (from the selection screen) for FAGL_FCV and FAGL_FC_VALUATION
○ Valuation method (from the selection screen) for SAPF100
Logical Path Names
The logical file names listed above all use the logical file path FI_ROOT.
Logical File Names and Paths for FI-GL-IS (Information System)
Logical File Names
The following logical file names have been created to enable the validation of physical file names:
● FI_EXTERNAL
Programs using this logical file name and parameters used in this context:
Table 45:
Program | PARAM_1 | PARAM_2 | PARAM_3
RFAWVZ58 | Program name (SY-REPID) | String "AWV" | Parameter "Key Date"
RFAWVZ5A | Program name (SY-REPID) | String "AWV" | Parameter "Key Date"
RFAWVZ5P | Program name (SY-REPID) | String "AWV" |
RFAWVZ5A_NACC | Program name (SY-REPID) | String "AWV" | Parameter "Key Date"
RFAWVZ5P_NACC | Program name (SY-REPID) | String "AWV" |
RFBIDET0 | Program name (SY-REPID) | Parameter "Client" |
RFBIKRT0 | Program name (SY-REPID) | Parameter "Client" |
RFFR0E84 | Program name (SY-REPID) | Parameter "Customers/vendors" | Parameter "Key Date"
RFFRDDE0 | Program name (SY-REPID) | Parameter "Company Code" | Parameter "Type"
RFFRLIST | Program name (SY-REPID) | |
RFFRMOD1 | Program name (SY-REPID) | |
RFIDPTFO | Program name (SY-REPID) | Concatenated parameters __ | String "READ" or "WRITE"
RFLBOX00 | Program name (SY-REPID) | Parameter "Procedure" | Parameter "Input Record Format"
RFLBOX80 | Program name (SY-REPID) | Parameter "Procedure" | Parameter "Input Record Format"
RFLBOXIN | Program name (SY-REPID) | String "LOCKBOX" | String "BAI"
RFSBLIW0 | Program name (SY-REPID) | |
● FI_POSTING
Programs using this logical file name and parameters used in this context:
Table 46:
Program | PARAM_1 | PARAM_2 | PARAM_3
RFBIBLT0 | Program name (SY-REPID) | |
RFEBCK00 | Program name (SY-REPID) | Parameter "Document Type" | Parameter "Session name"
RFEBCKT0 | Program name (SY-REPID) | |
SAPF100A | Program name (SY-REPID) | Parameter "Key Date" |
● FI_TAX
Programs using this logical file name and parameters used in this context:
Table 47:
Program | PARAM_1 | PARAM_2 | PARAM_3
RFASLD02 | Program name (SY-REPID) | Parameter year for "Reporting Quarter" | Parameter "Reporting Quarter"
RFASLD11 | Program name (SY-REPID) | Parameter year for "Reporting Quarter" | Parameter "Reporting Quarter"
RFASLD11B | Program name (SY-REPID) | Parameter year for "Reporting Quarter" | Parameter "Reporting Quarter"
RFUMPT00 | Program name (SY-REPID) | Parameter "Company Code" |
RFUSVB10 | Program name (SY-REPID) | Parameter "Posting Date" (lower value) | Parameter "Posting Date" (higher value)
RFKQSU30 | Program name (SY-REPID) | |
RFUMPT00 | Program name (SY-REPID) | |
RFUSVS12 | Program name (SY-REPID) | Parameter "Entity Responsible" | See note 1
RFUSVS14 | Program name (SY-REPID) | Concatenated parameters _ | See note 1
RFUVPT00 | Program name (SY-REPID) | Parameter "Company Code" | See note 2
Notes:
○ Note 1
If the file specified in the parameter “File for Leasing” is accessed, PARAM_3 contains the value READ;
consequently, the file content is read only and added to the output file.
If the file specified in the parameter “UNIX File for Output” is accessed, PARAM_3 contains the value
“WRITE”.
○ Note 2
If the file listed in the parameter “File Name - Application Server” on the “Periodic File O” tab page is
accessed, PARAM_3 contains the string PERIOD_WRITE.
If the file listed in the parameter “ECSL File Name (AS)” on the “Periodic File O” tab page is accessed,
PARAM_3 contains the string PERIOD_READ.
If the file listed in the parameter “XML File App. OP” on the “Annual File O/P” tab page is accessed,
PARAM_3 contains the string YEAR_READ.
If the file listed in the parameter “File Name - Application Server” on the “Annual File O/P” tab page is
accessed, PARAM_3 contains the string YEAR_WRITE.
● FI_RFASLD12_FILE
Programs using this logical file name and parameters used in this context:
Table 48:
Program | PARAM_1
RFASLD02 | Program name (SY-CPROG)
Logical Path Names
The logical file names listed above use the following logical file paths:
Table 49:
Logical File Name | Logical File Path
FI_EXTERNAL | FI_ROOT
FI_POSTING | FI_ROOT
FI_TAX | FI_ROOT
FI_RFASLD12_FILE | FI_ERVJAB_FILE_PATH
13.3.1.4 Accounts Payable Accounting (FI-AP)
Business Roles in Accounts Payable Accounting
Table 50:
Role | Description
SAP_BR_AP_ACCOUNTANT | Accounts Payable Accountant
SAP_BR_AP_MANAGER | Accounts Payable Manager
Authorization Objects That Are Used by Accounts Payable and Accounts Receivable
Table 51:
Authorization Object | Description | Customer / Vendor / G/L Accounts
F_AVIK_BUK | Payment Advice Note: Authorization for Company Codes | X X
F_BKPF_BED | Accounting Document: Account Authorization for Customers | X
F_BKPF_BEK | Accounting Document: Account Authorization for Vendors | X
F_BKPF_BES | Accounting Document: Account Authorization for G/L Accounts | X
F_BKPF_BLA | Accounting Document: Authorization for Document Types | X X X
F_BKPF_BUK | Accounting Document: Authorization for Company Codes | X X X
F_BKPF_BUP | Accounting Document: Authorization for Posting Periods | X X X
F_BKPF_GSB | Accounting Document: Authorization for Business Areas | X X X
F_BKPF_KOA | Accounting Document: Authorization for Account Types | X X X
F_BNKA_BUK | Banks: Authorization for Company Codes | X X
F_FAGL_LDR | General Ledger: Authorization for Ledger | X
F_FAGL_SEG | General Ledger: Authorization for Segment | X
F_KNA1_BED | Customer: Accounts Authorization | X
F_KNA1_BUK | Customer: Authorization for Company Codes | X
F_KNA1_GEN | Customer: Central Data | X
F_KNA1_GRP | Customer: Accounts Group Authorization | X
F_KNA1_APP | Customer: Application Authorization | X
F_LFA1_BEK | Vendor: Accounts Authorization | X
F_LFA1_BUK | Vendor: Authorization for Company Codes | X
F_LFA1_GEN | Vendor: Central Data | X
F_LFA1_GRP | Vendor: Accounts Group Authorization | X
F_PAYRQ | Authorization Object for Payment Requests | X X X
F_PAYR_BUK | Check Management: Action Authorization for Company Codes | X X
F_REGU_BUK | Automatic Payment: Action Authorization for Company Codes | X X X
F_REGU_KOA | Automatic Payment: Action Authorization for Account Types | X X X
F_SKA1_BUK | G/L Account: Authorization for Company Codes | X
F_STAT_MON | Bank Relationship: Status Monitor authorizations | X X X
13.3.1.5 Accounts Receivable Accounting (FI-AR)
Business Roles in Accounts Receivable Accounting
Table 52:
Role | Description
SAP_BR_AR_ACCOUNTANT | Accounts Receivable Accountant
SAP_BR_AR_MANAGER | Accounts Receivable Manager
Authorization Objects That Are Used by Accounts Payable and Accounts Receivable
Table 53:
Authorization Object | Description | Customer / Vendor / G/L Accounts
F_BKPF_BED | Accounting Document: Account Authorization for Customers | X
F_BKPF_BEK | Accounting Document: Account Authorization for Vendors | X
F_BKPF_BES | Accounting Document: Account Authorization for G/L Accounts | X
F_BKPF_BLA | Accounting Document: Authorization for Document Types | X X X
F_BKPF_BUK | Accounting Document: Authorization for Company Codes | X X X
F_BKPF_BUP | Accounting Document: Authorization for Posting Periods | X X X
F_BKPF_GSB | Accounting Document: Authorization for Business Areas | X X X
F_BKPF_KOA | Accounting Document: Authorization for Account Types | X X X
F_BKPF_VW | Accounting Document: Change Default Values Document Type/Posting Key | X X X
F_LFA1_AEN | Vendor: Change Authorization for Certain Fields | X
F_LFA1_APP | Vendor: Application Authorization | X
F_LFA1_BEK | Vendor: Accounts Authorization | X
F_LFA1_BUK | Vendor: Authorization for Company Codes | X
F_LFA1_GEN | Vendor: Central Data | X
F_LFA1_GRP | Vendor: Accounts Group Authorization | X
F_KNA1_AEN | Customer: Change Authorization for Certain Fields | X
F_KNA1_APP | Customer: Application Authorization | X
F_KNA1_BED | Customer: Accounts Authorization | X
F_KNA1_BUK | Customer: Authorization for Company Codes | X
F_KNA1_GEN | Customer: Central Data | X
F_KNA1_GRP | Customer: Accounts Group Authorization | X
F_KNA1_KGD | Customer: Change Authorization for Accounts Groups | X
F_KNB1_ANA | Customer: Authorization for Account Analysis | X
F_SKA1_AEN | G/L Account: Change Authorization for Certain Fields | X
F_SKA1_BES | G/L Account: Account Authorization | X
F_SKA1_BUK | G/L Account: Authorization for Company Codes | X
F_SKA1_KTP | G/L Account: Authorization for Charts of Accounts | X
F_IT_ALV | Line Item Display: Change and Save Layouts | X X
F_KMT_MGMT | Account Assignment Model: Authorization for Maintenance and Use | X X
F_T060_ACT | Information System: Account Type/Activity for Evaluation View | X X
F_AVIK_AVA | Payment Advice Note: Authorization for Payment Advice Note Types | X X
F_AVIK_BUK | Payment Advice Note: Authorization for Company Codes | X X
F_BNKA_BUK | Banks: Authorization for Company Codes | X X
F_BNKA_MAN | Banks: General Maintenance Authorization | X
F_KNKK_BED | Credit Management: Accounts Authorization | X
F_MAHN_BUK | Automatic Dunning: Authorization for Company Codes | X
F_MAHN_KOA | Automatic Dunning: Authorization for Account Types | X
F_PAYR_BUK | Check Management: Action Authorization for Company Codes | X
F_REGU_BUK | Automatic Payment: Action Authorization for Company Codes | X
F_REGU_KOA | Automatic Payment: Action Authorization for Account Types | X
F_T042_BUK | Customizing Payment Program: Authorization for Company Codes | X
F_BNKA_MAN | Banks: General Maintenance Authorization | X
F_KNKA_AEN | Credit Management: Change Authorization for Certain Fields | X
F_KNKA_KKB | Credit Management: Authorization for Credit Control Area | X
13.3.1.6 Bank Accounting (FI-BL)
Important SAP Notes
For a list of additional security-relevant SAP HotNews and SAP Notes, see the SAP Service Marketplace at http://service.sap.com/securitynotes.
13.3.1.6.1 Authorizations
The following table shows the standard roles that are used by the FI-BL component.
Standard Roles of Bank Accounting
Table 54:
Role | Description
SAP_FI_BL_ACCOUNT_REPORTS | Financial Status Information
SAP_FI_BL_BANK_MASTERDAT_DISPL | Display Bank Master Data
SAP_FI_BL_BANK_MASTER_DATA | Maintain Bank Master Data
SAP_FI_BL_BANK_STATEMENT | Process Bank Statement
SAP_FI_BL_BANK_STATEMENT_EXT | Process Bank Statement. Note: You require this authorization if you want to use the bank statement overview. You can only display the bank statement overview in the SAP Business Client.
SAP_FI_BL_BILL_OF_EX_PRESENT | Presenting a Bill of Exchange
SAP_FI_BL_BILL_OF_EX_REPORTS | Reports About Bill of Exchange Position
SAP_FI_BL_CASHED_CHECKS | Cashed Checks
SAP_FI_BL_CASH_JOURNAL | Cash Journal
SAP_FI_BL_CHECK_DELETE | Deletion of Checks
SAP_FI_BL_CHECK_DEPOSIT | Check Deposit
SAP_FI_BL_CHECK_MANAGEMENT | Check Management
SAP_FI_BL_CHECK_MGMENT_DISPLAY | Display Managed Checks
SAP_FI_BL_INTRADAY_STATEMENT | Import Intraday Bank Statement Information (USA)
SAP_FI_BL_LOCKBOX | Processing of Lockbox Data
SAP_FI_BL_ONLINE_PAYMENT | Execute Online Payments
SAP_FI_BL_PAYMENT_TRANSACTIONS | Payment Processing
SAP_FI_BL_PAYME_ADVICE_REPORTS | Reports About Payment Advice Notes
SAP_FI_BL_POR_PROCEDURE | Incoming Payment Using ISR Procedure (Switzerland)
SAP_FI_BL_RETURNED_BILL_OF_EX | Returned Bill of Exchange
Standard Authorization Objects
The following table shows the security-relevant authorization objects that are used by the FI-BL component.
Standard Authorization Objects of Bank Accounting
Table 55:
Authorization Object | Description
F_BL_BANK | Authorization for house banks and payment methods
F_BNKA_BUK | Banks: Authorization for Company Codes
F_FBCJ | Cash Journal: General Authorization
F_FEBB_BUK | Bank Account Statement: Company Code
F_FEBC_BUK | Check Deposit/Lockbox: Company Code
F_BNKA_MAN | Banks: General Maintenance Authorization
F_PAYRQ | Authorization object for payment requests
F_PAYR_BUK | Check Management: Action authorization for company codes
F_REGU_BUK | Automatic payment: Action authorization for company codes
F_REGU_KOA | Automatic payment: Action authorization for account types
F_RPCODE | Repetitive Code
F_RQRSVIEW | Bank Ledger: Viewer for Request Response Messages
F_T042_BUK | Customizing Payment Program: Authorization for Company Codes
13.3.1.6.2 Data Storage Security
For information on communication with external systems, see the general part of this Guide under Financial
Accounting [page 84].
Recommendation
When you use the electronic bank statement, SAP strongly advises you to run a virus scan on the data retrieved from the bank in your system before importing the data into the SAP system, because SAP does not perform a virus scan in the electronic bank statement. For more information, see SAP Note 599541.
Protect Access to the File System with Logical Paths and File Names
The following lists show the logical file names and paths that are used in Bank Accounting, and the programs for
which these file names and paths apply:
Logical File Names Used in Bank Accounting
The following logical file names have been created to enable the validation of physical file names:
● FI_RFEBKAT0_FILE
○ Program using this logical file name:
○ RFEBKAT0
● FI_RFEBKATX_FILE
○ Program using this logical file name:
○ RFEBKATX
● FI_RFEBKAT1_FILE
○ Program using this logical file name:
○ RFEBKAT1
● FI_RFEBEST0_FILE
○ Program using this logical file name:
○ RFEBEST0
● FI_RFEBLBT1_FILE
○ Program using this logical file name:
○ RFEBLBT1
● FI_RFEBLBT2_FILE
○ Program using this logical file name:
○ RFEBLBT2
Parameters used in this context: Program Name
Logical Path Names Used in Bank Accounting
The logical file names listed above all use the logical file path FI_FTE_TEST_FILES.
13.3.1.7 Asset Accounting (FI-AA)
Important SAP Notes
For a list of additional security-relevant SAP HotNews and SAP Notes, see the SAP Support Portal at http://support.sap.com/securitynotes.
Standard Roles
Table 56:
Role | Description
SAP_BR_AA_ACCOUNTANT | Asset Accountant
SAP_AUDITOR_BA_FI_AA | AIS Fixed Assets
SAP_AUDITOR_BA_FI_AA_A | AIS - Fixed Assets (Authorizations)
Standard Authorization Objects
For the list of standard authorization objects available for Asset Accounting, see transaction SU21, Object Class
Asset Accounting (AM).
Network and Communication Security
Asset Accounting provides BAPIs for communicating with third-party systems.
Communication Destinations
For workflow tasks, you sometimes need either the WF-BATCH user or a user that you can use for background
steps of this kind. To execute the decision steps required before reaching these background steps, you need a
user that is explicitly assigned.
13.3.1.8 Special Purpose Ledger (FI-SL)
Standard Roles in Special Purpose Ledger
Table 57:
Role | Description
SAP_AUDITOR_BA_FI_SL | AIS - Special Purpose Ledger
SAP_AUDITOR_BA_FI_SL_A | AIS - Special Purpose Ledger (Authorizations)
SAP_FI_SL_ACTUAL_ASSESSMENT | Special Purpose Ledger Actual Assessment
SAP_FI_SL_ACTUAL_DISTRIBUTION | Special Purpose Ledger Actual Distribution
SAP_FI_SL_ACTUAL_POSTINGS | Special Purpose Ledger Actual Postings
SAP_FI_SL_BATCH_JOBS | Run Special Purpose Ledger Jobs in Background
SAP_FI_SL_CURRENCY_TRANSLATION | Special Purpose Ledger Currency Translation
SAP_FI_SL_DISPLAY_DOCUMENTS | Display Special Purpose Ledger Balances and Documents
SAP_FI_SL_DISPLAY_PLAN | Display Special Purpose Ledger Plan
SAP_FI_SL_MODIFY_PLAN | Modify Special Purpose Ledger Planning
SAP_FI_SL_PLAN_ASSESSMENT | Edit Plan Assessment
SAP_FI_SL_PLAN_DISTRIBUTION | Plan Distribution
SAP_FI_SL_ROLLUP | Special Purpose Ledger Rollup
Authorization Objects in Special Purpose Ledger
Table 58:
Object | Description
G_022_GACT | FI-SL Customizing: Transactions
G_800S_GSE | Special Purpose Ledger Sets: Set
G_802G_GSV | Special Purpose Ledger Sets: Variable
G_806H_GRJ | FI-SL Rollup
G_820_GPL | FI-SL Planning: Planning Parameters
G_821S_GSP | FI-SL Planning: Distribution Keys
G_880_GRMP | FI-SL Customizing: Global Companies
G_881_GRLD | FI-SL Customizing: Ledger
G_888_GFGC | FI-SL Customizing: Field Movements
G_ADMI_CUS | Central Administrative FI-SL Tools
G_ALLOCTN | Special Purpose Ledger - Assessment/Distribution
G_GLTP | Special Purpose Ledger - Database (Ledger, Record Type, Version)
G_REPO_GLO | FI-SL: Global Reporting (Global Company)
G_REPO_LOC | FI-SL: Local Reporting (Company Code)
F_T011_BUK | Planning: Authorization for Company Codes
Data Storage Security
Protect access to the file system with logical paths and file names
The Special Purpose Ledger saves data in files in the file system. Therefore, it is important to allow access explicitly to certain files in the file system without allowing access to other files (also called directory traversal). You achieve this by entering logical paths and file names in the system, which are assigned to the physical paths and file names. This assignment is validated at runtime. If access to a file is requested that does not match any stored assignment, then an error occurs.
Access to the file system is protected for the following programs by the logical file name listed.
Table 59:
Program | Logical File Name Used by the Program | Parameter Used in Context | Logical Path Name Used by the Program
RGRJTE00, RGRLTE00, RGRMTE00, RGRRTE00, RGRSTE00, RGRVTE00, RGRXTE00, RGSSTE00, RGSVTE00, RGRJTI00, RGRMTI00, RGSSTI00, RGSVTI00 | FI_INFOSYS_TRANSPORT | Program Name | FI_ROOT
SAPMGLRV | FI_ROLLUP | Program Name (SY-CPROG) | FI_ROOT
SAPFGRWE | FI_REPORT_WRITER | Program Name (SY-CPROG, generated program name) | FI_ROOT
Activating the Validation of Logical Paths and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain the physical path using the transactions FILE (client-independent) and SF01 (client-dependent). To determine which paths are used by your system, you can activate the appropriate settings in the Security Audit Log.
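To make the mapping and its runtime check concrete, the following Python is an added model of the logical file name mechanism described in the FI-GL and FI-SL sections, written for the reader of this guide; it is not SAP's implementation, which is maintained in the transactions FILE and SF01. The logical names FI_INFOSYS_TRANSPORT, FI_VALUATION and FI_ROOT are the ones listed above; the physical directory /usr/sap/trans/fi, the file name templates, the <PARAM_n> placeholder syntax modelled on transaction FILE, and the sample parameter values are assumptions made for this example.

```python
"""Added example, not SAP code: a small model of the logical file name / logical
path validation described in this section, showing how a physical name that
does not match a stored mapping is rejected (directory traversal).

Assumptions (constructed for this example, not from the guide): the physical
directory /usr/sap/trans/fi, the <PARAM_n> placeholder syntax modelled on
transaction FILE, the file name templates and the parameter values.  The
logical names FI_INFOSYS_TRANSPORT, FI_VALUATION and FI_ROOT are the ones the
guide lists."""
from pathlib import PurePosixPath


class FileNameRejected(Exception):
    """Raised when a requested physical name does not match the stored mapping."""


# Logical path name -> physical directory (on a real system maintained in FILE/SF01).
LOGICAL_PATHS = {
    "FI_ROOT": "/usr/sap/trans/fi",
}

# Logical file name -> (logical path name, physical file name template).
# PARAM_1 is the program name, PARAM_2 and PARAM_3 are selection-screen values.
LOGICAL_FILES = {
    "FI_INFOSYS_TRANSPORT": ("FI_ROOT", "<PARAM_1>.txt"),
    "FI_VALUATION": ("FI_ROOT", "<PARAM_1>_<PARAM_2>_<PARAM_3>.dat"),
}


def validate_physical_name(logical_file: str, physical_name: str) -> bool:
    """Runtime check: the physical name must be absolute, contain no '..'
    component, and lie directly in the directory of the logical path assigned
    to the logical file name.  Anything else does not match the mapping."""
    if logical_file not in LOGICAL_FILES:
        return False
    logical_path, _ = LOGICAL_FILES[logical_file]
    root = PurePosixPath(LOGICAL_PATHS[logical_path])
    candidate = PurePosixPath(physical_name)
    if not candidate.is_absolute() or ".." in candidate.parts:
        return False
    return candidate.parent == root and candidate.name != ""


def resolve_physical_name(logical_file: str, param_1: str = "",
                          param_2: str = "", param_3: str = "") -> str:
    """Build the physical name from the mapping and the parameters, then apply
    the same validation the system applies before the file is opened."""
    if logical_file not in LOGICAL_FILES:
        raise FileNameRejected(f"unknown logical file name {logical_file!r}")
    logical_path, template = LOGICAL_FILES[logical_file]
    name = template
    for i, value in enumerate((param_1, param_2, param_3), start=1):
        name = name.replace(f"<PARAM_{i}>", value)
    physical = str(PurePosixPath(LOGICAL_PATHS[logical_path]) / name)
    if not validate_physical_name(logical_file, physical):
        raise FileNameRejected(f"{physical!r} does not match the mapping for {logical_file}")
    return physical


def is_rejected(logical_file: str, param_1: str = "",
                param_2: str = "", param_3: str = "") -> bool:
    """True if resolving with these parameters fails the runtime validation."""
    try:
        resolve_physical_name(logical_file, param_1, param_2, param_3)
    except FileNameRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample calls: a valid program name, a valid valuation run,
    # and two physical names that fall outside the FI_ROOT directory.
    print(resolve_physical_name("FI_INFOSYS_TRANSPORT", param_1="RGRJTE00"))
    print(resolve_physical_name("FI_VALUATION", "SAPF100", "20171231", "EVR"))
    for bad in ("/usr/sap/trans/fi/../../data/other.txt", "/usr/sap/trans/fi/sub/x.txt"):
        print(bad, "->", validate_physical_name("FI_INFOSYS_TRANSPORT", bad))
```

The point of the mechanism is that a program never opens a physical name it assembled itself: it resolves the logical name with its parameters, and the system compares the result with the stored mapping, so a program name or selection-screen value that carries path separators or ".." cannot escape the FI_ROOT directory. Until the physical path is maintained in FILE or SF01, the real system skips this comparison, which is why the guide tells you to maintain it.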
13.3.1.9 Corporate Close - Consolidation Foundation
13.3.1.9.1 Authorizations
Standard Roles
The table below shows the standard role that is used by the FIN-RTC component.
Table 60:
Role | Description
SAP_BR_CONSLDTN_SPECIALIST | Consolidation Specialist
Standard Authorization Objects
The following table shows the security-relevant authorization objects that are used by the FIN-RTC component.
Table 61:
Authorization Object Description
F_RTC_DL0 Authorization for Consolidation Document List
F_RTC_DL1 Authorization for Consolidation Drill-Through Reports
F_RTC_CT0 Authorization for Currency Translation Run
F_RTC_DRR Authorization for Data Release Requests
F_RTC_SU Authorization for Flexible Upload
F_RTC_PL0 Authorization for Period Lock
F_RTC_VR Authorization for Validation Results
F_RTC_RUL Authorization for Validation Rules
F_RTC_MD Authorization for Consolidation Models
F_RTC_ENT Authorization for Consolidation Entities
F_RTCAFD Authorization for Additional Financial Data
F_RTC_JD0 Authorization for Displaying Consolidation Journal Entries
F_RTC_DT Authorization for Document Types
F_RTC_FSV Authorization for Financial Statements
F_RTC_MED Authorization for Methods
F_RTC_SEL Authorization for Selections
13.3.1.9.2 Deletion of Personal Data
Use
The Real-Time Consolidation (FIN-RTC) component in SAP S/4HANA might process data (personal data)
that is subject to the data protection laws applicable in specific countries.
Relevant Application Objects and Available Deletion Functionality
Table 62:
Application: Consolidation Methods (transaction codes RTCTM and RTCRM; Fiori app Define Validation Methods)
  Provided Deletion Functionality: RTC_DPP_METHOD
Application: Consolidation Models (transaction code RTCMD)
  Provided Deletion Functionality: RTC_DPP_MODEL
Application: Validation Rules (Fiori app Define Validation Rules)
  Provided Deletion Functionality: RTC_DPP_VALIDATION_RULE
Application: Data Release Lock (Fiori app Consolidation Data Release Monitor)
  Provided Deletion Functionality: RTC_DPP_DATA_RELEASE_LOCK
Application: Data Release Requests (Fiori app Consolidation Data Release Cockpit; Fiori app Consolidation Data Release Monitor)
  Provided Deletion Functionality: RTC_DPP_DATA_RELEASE_REQUEST
Application: Rule Result Comments (Fiori app Consolidation Data Release Cockpit)
  Provided Deletion Functionality: RTC_DPP_RULE_RESULT_COMMENTS
Application: Task Logs (all programs that run currency translation and post journal entries, for example, transaction code RTCCT and Fiori app Consolidation Data Release Cockpit)
  Provided Deletion Functionality: RTC_DPP_TASK_LOG
Note
For the deletion programs mentioned in the table above, you can also Display Records.
Run Deletion Programs
SAP recommends scheduling regular jobs to run the deletion programs using the Define Background Job (SM36)
transaction.
13.3.1.10 Central Finance (FI-CF)
The following functions are available for Central Finance:
Schedule Clean-Up Report in Source System
Data relating to FI/CO documents is temporarily stored in log tables in the source system before it can be
transferred to Central Finance. To delete the temporary information from these tables, a clean-up program
(RFIN_CFIN_CLEANUP) is run and must be scheduled regularly (for example, once a month). In the configuration
of this program, you can define for how many periods a temporarily stored data record is kept before being
deleted by the clean-up program (for example, so that an incorrect posting can be corrected).
Read Access Log for the Application Log
The application log for the Central Finance initial load may contain sensitive, personal data. Therefore, we provide
a read access log for this application log (CFIN_INITIAL_LOAD) for the channel DYNP.
13.3.2 Controlling
13.3.2.1 Authorizations
The Controlling component uses the authorization concept provided by the SAP NetWeaver AS for ABAP.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP also apply to the Controlling component. The SAP NetWeaver authorization concept is
based on assigning authorizations to users based on roles. For role maintenance, use the profile generator
(transaction PFCG) on the AS ABAP.
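The authorization objects listed in the tables below are evaluated field by field against the values a user's roles grant. The following Python model shows that evaluation in principle; it is an added example, not SAP code and not SAP's AUTHORITY-CHECK implementation. The object K_CSKS with its fields KOKRS, KOSTL and ACTVT and the activity values 02 (Change), 03 (Display) and 06 (Delete) are taken from the table that follows; the role content, the controlling area 1000 and the cost center interval are constructed, and the matching rules (single value, trailing-'*' pattern, '*' for all, inclusive interval) are a simplification.

```python
"""Simplified model of an authorization check (added example, not SAP code).

Object and field names follow the Controlling table; role content is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

ValueSpec = Union[str, Tuple[str, str]]   # 'ABC', 'AB*', '*', or ('low', 'high')


@dataclass(frozen=True)
class Authorization:
    obj: str                          # authorization object, e.g. K_CSKS
    fields: Dict[str, List[ValueSpec]]


def value_matches(spec: ValueSpec, value: str) -> bool:
    """One granted value spec against one requested value (simplified rules)."""
    if isinstance(spec, tuple):
        low, high = spec
        return low <= value <= high
    if spec == "*":
        return True
    if spec.endswith("*"):
        return value.startswith(spec[:-1])
    return spec == value


def authority_check(granted: List[Authorization], obj: str, **wanted: str) -> bool:
    """True if any single granted authorization for obj covers every requested field.

    Fields are not combined across authorizations: KOKRS from one authorization
    and ACTVT from another do not add up. A field the authorization does not
    maintain fails the check.
    """
    for auth in granted:
        if auth.obj != obj:
            continue
        if all(any(value_matches(s, v) for s in auth.fields.get(f, []))
               for f, v in wanted.items()):
            return True
    return False


# Constructed role content (assumption): an accountant who may change and
# display cost centers 1000-1999 in controlling area 1000 and display cost
# center groups there, but has no delete (06) activity on either object.
ROLE_COST_CENTER_ACCOUNTANT = [
    Authorization("K_CSKS", {"KOKRS": ["1000"],
                             "KOSTL": [("1000", "1999")],
                             "ACTVT": ["02", "03"]}),
    Authorization("K_CSKS_SET", {"KOKRS": ["1000"], "ACTVT": ["03"]}),
]


if __name__ == "__main__":
    role = ROLE_COST_CENTER_ACCOUNTANT
    print(authority_check(role, "K_CSKS", KOKRS="1000", KOSTL="1500", ACTVT="02"))  # True
    print(authority_check(role, "K_CSKS", KOKRS="1000", KOSTL="1500", ACTVT="06"))  # False: no delete
    print(authority_check(role, "K_CSKS", KOKRS="2000", KOSTL="1500", ACTVT="03"))  # False: other controlling area
    print(authority_check(role, "K_CSKS_SET", KOKRS="1000", ACTVT="02"))           # False: display only
```

When reviewing a role built with PFCG, the check is the same: for each object, look for the single authorization whose combination of organizational fields and ACTVT values is wider than the task needs, since that combination, not the sum of narrower ones, is what a check will accept.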
Business Roles
The table below shows the business roles that are used by the Controlling component.
Table 63:
Role Description
SAP_BR_OVERHEAD_ACCOUNTANT Cost Accountant - Overhead
SAP_BR_SALES_ACCOUNTANT Cost Accountant - Sales
SAP_BR_PRODN_ACCOUNTANT Cost Accountant - Production
SAP_BR_INVENTORY_ACCOUNTANT Cost Accountant - Inventory
SAP_BR_MANAGER_COST Manager - Finance Info
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by the Controlling component.
Table 64: (columns: Authorization Object, Field, Value, Description; each entry lists the object with its description, its fields, and the activity values with their descriptions)

K_CRM_REP (Authorization Check for Cost Integration CRM – CO)
  Fields: SORG (Service Organization), VART (Business Transaction Type), ACTVT (Activity)
  Values:
    A5 Display reports

K_FPB_EXP (Authorization Object for Express Planning)
  Fields: EXP_SCEN (Planning Scenario), EXP_INST (Express Planning Instance), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to enter data and execute express planning.
    03 Display: You have the authorization to display external express planning data.
    39 Check: Assigns authorization to check express planning data and to approve or reject the data entered.

K_PVARIANT (Authorization for Screen Variants)
  Fields: PVARIANT (Screen Variant for Manual Actual Postings in CO), VRGNG (Business Transaction)
  Description: Assigns authorization to define posting variants for each business transaction.

K_MLMBDISP (CO Material Ledger: Display Material Valuation Document)
  Fields: BWKEY (Valuation area)
  Description: Assigns authorization to display the material valuation document.

K_ML_MTART (CO Material Ledger: Material Type)
  Fields: ACTVT (Activity), MTART (Material type)
  Values:
    02 Change: Assigns authorization to execute and post single-level material price determination and change price determination.
    03 Display: Assigns authorization to display material ledger data.

K_ML_VA (CO Material Ledger: Valuation Area)
  Fields: ACTVT (Activity), BWKEY (Valuation area)
  Values:
    02 Change: Assigns authorization to perform multilevel material price determination. However, you also need the authorization object K_ML_MTART (CO Material Ledger: Material Type).
    03 Display: Assigns authorization to display material ledger data and material ledger documents.
    16 Execute: Assigns authorization for executing and displaying materials for the costing run.
    40 Create in DB
    45 Allow: Assigns authorization for executing price determination and closing entries.

K_KLPR_VA (CO Material Price Change: Valuation Area)
  Fields: ACTVT (Activity), BWKEY (Valuation area)
  Values:
    03 Display
    16 Execute
    44 Flag

K_CBPR_VA
  Fields: KOKRS (Controlling Area), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization for changing business process groups.
    03 Display: Assigns authorization for displaying business process groups.

K_CBPR_PLA
  Fields: KOKRS (Controlling Area), PRZNR (Business Process), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization for displaying and changing planning of business processes.
    03 Display: Assigns authorization for displaying planning of business processes.

K_CKPH_SET
  Fields: KOKRS (Controlling Area), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization for changing cost object groups.
    03 Display: Assigns authorization for displaying cost object groups.
K_ABC
  Fields: AUTHAREA (Authorization Area for Business Processes), CO_ACTION (Actions for CO-OM Authorization Check), KSTAR (Cost Element)
  Description: Assigns authorization for maintenance actions in business process master data, manual business process planning, the template, and the information system.

K_CSLA_SET
  Fields: KOKRS (Controlling Area), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization for changing activity type groups.
    03 Display: Assigns authorization for displaying activity type groups.
    06 Delete

K_CSLA (CO-CCA: Activity Types Master)
  Fields: KOKRS (Controlling Area), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create activity types.
    02 Change: Assigns authorization to change activity types.
    03 Display: Assigns authorization to display activity types.
    06 Delete: This is not used at present.
    08 Display change documents: Assigns authorization to look at change documents on the activity types.

K_CSKS_BUD (CO-CCA: Cost Center Budget Planning)
  Fields: KOKRS (Controlling Area), KOSTL (Cost Center), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change the budget of cost centers.
    03 Display: Assigns authorization to display the budget of cost centers.
K_CSKS_SET (CO-CCA: Cost Center Groups)
  Fields: KOKRS (Controlling Area), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change cost center groups.
    03 Display: Assigns authorization to display cost center groups.
    06 Delete

K_CSKS (CO-CCA: Cost Center Master)
  Fields: KOKRS (Controlling Area), KOSTL (Cost Center), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create cost centers.
    02 Change: Assigns authorization to change cost centers.
    03 Display: Assigns authorization to display cost centers.
    06 Delete: This is not used at present.
    08 Display change documents: Assigns authorization to look at change documents on cost centers.
    63 Activate: Assigns authorization to activate inactive cost centers.

K_CSKS_PLA (CO-CCA: Cost Center Planning)
  Fields: KOKRS (Controlling Area), KOSTL (Cost Center), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change the planning of cost centers.
    03 Display: Assigns authorization to display the planning of cost centers.
K_CSKA_SET (CO-CCA Cost Element Groups)
  Fields: KTOPL (Chart of Accounts), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change cost element groups.
    03 Display: Assigns authorization to display cost element groups.
    06 Delete

K_CSKB (CO-CCA: Cost Element Master)
  Fields: KOKRS (Controlling Area), CO_KAINT (Cost Element Classification (Primary/Secondary)), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create cost elements.
    02 Change: Assigns authorization to change cost elements.
    03 Display: Assigns authorization to display cost elements.
    06 Delete: This is not used at present.
    08 Display change documents: Assigns authorization to view cost element change documents.

K_CSKB_PLA (CO-CCA: Cost Element Planning)
  Fields: KOKRS (Controlling Area), KSTAR (Cost Element), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change the planning of cost elements.
    03 Display: Assigns authorization to display the planning of cost elements.

K_CCA (CO-CCA: Gen. Authorization Object for Cost Center Accounting)
  Fields: RESPAREA (CO-OM Responsibility Area), CO_ACTION (Actions for CO-OM Authorization Check), KSTAR (Cost Element)
  Description: Assigns authorization for the maintenance of cost center master data, manual cost center planning, and the information system.
K_REPO_CCA (CO-CCA: Reporting on Cost Centers/Cost Elements)
  Fields: KOKRS (Controlling Area), KOSTL (Cost Center), KSTAR (Cost Element), ACTVT (Activity)
  Values:
    27 Display totals records: Assigns authorization for summary record reporting.
    28 Display line items: Assigns authorization for line item reporting.
    29 Display saved data: Assigns authorization for reporting of stored data.

K_KA03_SET (CO-CCA: Statistical Key Figure Groups)
  Fields: KOKRS (Controlling Area), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change statistical key figure groups.
    03 Display: Assigns authorization to display statistical key figure groups.

K_ORDER (CO-OPA: General authorization object for internal orders)
  Fields: RESPAREA (CO-OM Responsibility Area), AUFART (Order Type), AUTHPHASE (Internal order authorization: Authorization phase), CO_ACTION (Actions for CO-OM Authorization Check), KSTAR (Cost Element)
  Description: Assigns authorization for the following actions while working with internal orders:
    ● Maintenance of order master data
    ● Manual order planning
    ● Budgeting of orders
    ● Actions in the information system

K_AUFK_SET (CO-OPA: Order Groups)
  Fields: HNAME (Group Name), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change order groups.
    03 Display: Assigns authorization to display authorization objects in CO-PA planning.

K_KELP_GP (CO-PA Planning: Integrated Planning)
  Fields: CEERKRS (Operating concern), ACTVT (Activity)
  Values:
    16 Execute: Assigns authorization to restrict the way integrated planning is used.

K_KELP_VER (CO-PA Planning: Plan Version)
  Fields: CEVERSI (Plan version (CO-PA))
  Description: Assigns authorization to process plans depending on plan version.
K_KELP_RC (CO-PA Planning: Planning Layouts)
  Fields: CEERKRS (Operating concern), CEFORM (Form), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create planning layouts.
    02 Change: Assigns authorization to change planning layouts and plan structures.
    03 Display: Assigns authorization to display planning layouts and plan structures.
    21 Transport: Assigns authorization to transport planning layouts.
    60 Import: Assigns authorization to import planning layouts.
    65 Reorganize: Assigns authorization to reorganize planning layouts.

K_WIP (CO-PC-OBJ: WIP Calculation and Results Analysis)
  Fields: WERKS (PLANT), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change the data for work in process (WIP) calculation and results analysis.
    03 Display: Assigns authorization to display the data for WIP calculation and results analysis.
K_WIP_BU (CO-PC-OBJ: WIP Calculation and Results Analysis)
  Fields: BUKRS (Company Code), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change processed objects in WIP calculation and results analysis.
    03 Display: Assigns authorization to display processed objects in WIP calculation and results analysis.

K_WIP_PC (CO-PC-OBJ: WIP Calculation and Results Analysis)
  Fields: PRCTR (Profit Center), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change processed objects in WIP calculation and results analysis.
    03 Display: Assigns authorization to display processed objects in WIP calculation and results analysis.

K_CBEW (CO-PC: Concurrent Costing - Cstg Master Data)
  Fields: ACTVT (Activity)
  Values:
    01 Create or generate
    02 Change
    03 Display
    06 Delete

K_CKPH (CO-PC: Cost Objects)
  Fields: KTRAT (Cost Object Category), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create cost object IDs.
    02 Change: Assigns authorization to change cost object IDs.
    03 Display: Assigns authorization to display cost object IDs.
    06 Delete: Assigns authorization to delete cost object IDs.
    72 Plan
    A5 Display reports
K_KEKO (CO-PC: Product Costing)
  Fields: KLVAR (Costing Variant), BUKRS (Company Code), ACTVT (Activity)
  Values:
    03 Display: Assigns authorization to display product costing.
    06 Delete: Assigns authorization for executing a reorganization run and for archiving cost estimates.
    16 Execute: Assigns authorization for creating and changing a cost estimate, and for creating, changing, executing, and deleting a costing run.
    39 Check

K_CKBOB (CO-PC: Product Drilldown)
  Fields: WERKS (Plant), ACTVT (Activity)
  Values:
    16 Execute: Assigns authorization to display a report that was created with product drilldown reporting.
    A5 Display report: Assigns authorization to carry out product drilldown reporting.

K_PKSA (CO-PC: Production Cost Collector)
  Fields: WERKS (Plant), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create a product cost collector in any plant.
    02 Change: Assigns authorization to change a product cost collector in any plant.
    03 Display (master data): Assigns authorization to display a product cost collector in any plant.
    A5 Display reports (cost report)

K_FVMK (CO-PC: Release/Marking - Product Costing)
  Fields: BUKRS (Company Code), ACTVT (Activity)
  Values:
    43 Release: Assigns authorization to release standard cost estimates.
    44 Flag: Assigns authorization to mark standard cost estimates.
    45 Allow: Assigns authorization to allow marking and releasing of standard cost estimates.

K_SUM_ORD (CO-PC: Summarization – Orders)
  Fields: IDENT (Hierarchy ID), KOKRS (Controlling Area), ACTVT (Activity)
  Values:
    03 Display: Assigns authorization to display a summary of order costs.
    16 Execute: Assigns authorization to summarize order costs.
    A5 Display reports: Assigns authorization to display reports for order costs.

K_SUM_PROJ (CO-PC: Summarization – Projects)
  Fields: IDENT (Hierarchy ID), KOKRS (Controlling Area), ACTVT (Activity)
  Values:
    03 Display: Assigns authorization to display a summary of project costs.
    16 Execute: Assigns authorization to summarize project costs.
    A5 Display reports: Assigns authorization to display reports for project costs.

K_TEMPL (CO: Auth. Template (ABC-allocation, formula planning, other))
  Fields: KOKRS (Controlling Area), TPLCLASS (Valid Environments), TEMPLATE (Template), ACTVT (Activity)
K_VRGNG (CO: Bus. Trans., Actual Postings and Plan/act. Allocations)
  Fields: KOKRS (Controlling Area), CO_VRGNG (CO Business Transaction), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create manual actual cost postings, and allocations of planned and actual costs, which change the data of a whole controlling area (or larger areas).
    02 Change: Assigns authorization to change manual actual cost postings, and allocations of planned and actual costs, which change the data of a whole controlling area (or larger areas).
    03 Display: Assigns authorization to display manual actual cost postings, and allocations of planned and actual costs, which change the data of a whole controlling area (or larger areas).
    06 Delete
    16 Execute
    48 Simulate

K_ZBASSL (CO: Calculation base)
  Fields: BASSL (Calculation Base for Overheads), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change the overhead rate base.
    03 Display: Assigns authorization to display the overhead rate base.

K_ZKALSM (CO: Costing sheet)
  Fields: KALSM (Procedure), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change the costing sheet.
    03 Display: Assigns authorization to display the costing sheet.
K_ZENTSL (CO: Credit)
  Fields: ENTSL (Credit for overhead), ACTVT (Activity)
  Values:
    02 Change
    03 Display

K_KMBO_DCT (CO: Document Type for Manual Funds Reservation)
  Fields: BUKRS (Company Code), KBLART (Doc.Type: Manual document entry), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create funds reservations with a particular document type.
    02 Change: Assigns authorization to change funds reservations with a particular document type.
    03 Display: Assigns authorization to display funds reservations with a particular document type.
    06 Delete: Assigns authorization to reduce funds reservations with a particular document type.
    24 Archive: Assigns authorization to archive funds reservations with a particular document type.

K_KFPP_DCT (CO: Document Type for Transfer Price Agreements)
  Fields: KOKRS (Controlling Area), KFPBLA (Document type: Transfer price agreement/allocation), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create transfer price agreements with particular document types.
    02 Change: Assigns authorization to change transfer price agreements with particular document types.
    03 Display: Assigns authorization to display transfer price agreements with particular document types.
    06 Delete: Assigns authorization to delete transfer price agreements with particular document types.
    24 Archive: Assigns authorization to archive transfer price agreements with particular document types.
K_KFPI_DCT (CO: Document Type for Transfer Price Allocations)
  Fields: KOKRS (Controlling Area), KFPBLA (Document type: Transfer price agreement/allocation), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create transfer price allocations with particular document types.
    03 Display: Assigns authorization to display transfer price allocations with particular document types.
    06 Delete: Assigns authorization to delete transfer price allocations with particular document types.
    24 Archive: Assigns authorization to archive transfer price allocations with particular document types.

K_KA_RCS (CO: Drill-down reporting - line-/column structures)
  Fields: CEAPPL (Application class for drilldown reporting), TABLE (Table Name), CEFORM (Form), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create row and column structures for drilldown reporting.
    02 Change: Assigns authorization to change row and column structures for drilldown reporting.
    03 Display: Assigns authorization to display row and column structures for drilldown reporting.
    21 Transport
    60 Import
    65 Reorganize: Assigns authorization to reorganize row and column structures for drilldown reporting.

K_SUM_CO (CO: General CO Summarization Without Classification)
  Fields: IDENT (Hierarchy ID), KOKRS (Controlling Area), ACTVT (Activity)
  Values:
    03 Display: Assigns authorization to display general controlling summarization (without classification).
    16 Execute: Assigns authorization to summarize the costs for the summarization hierarchy in the controlling area.
    A5 Display reports: Assigns authorization to display a report for the summarization hierarchy in the controlling area.
K_KA_RPT (CO: Interactive Drilldown Reporting – Reports)
  Fields: CEAPPL (Application class for drilldown reporting), TABLE (Table Name), CEREPID (Report), ACTVT (Activity)
  Values:
    01 Create or generate
    02 Change
    03 Display
    04 Print, edit messages
    16 Execute
    21 Transport
    28 Display line items
    29 Display saved data
    32 Save
    60 Import
    61 Export
    65 Reorganize
    66 Refresh
    L0 All functions
    L1 Function range level 1
    L2 Function range level 2

K_ORGUNIT (CO: Organizational Units Used in Actual Postings)

K_ZZUSSL (CO: Overhead)
  Fields: ZUSSL (Overhead rate), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change overhead rates for overheads.
    03 Display: Assigns authorization to display overhead rates for overheads.

K_ZSCHL (CO: Overhead key)
  Fields: ZUSSL (Overhead rate), ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change the overhead key for overheads.
    03 Display: Assigns authorization to display the overhead key for overheads.

K_TKA50 (CO: Planner Profiles)
  Fields: BRGRU (Authorization Group), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create authorization for planner profiles.
    02 Change: Assigns authorization to change authorization for planner profiles.
    03 Display: Assigns authorization to display authorization for planner profiles.
    06 Delete
    16 Execute
K_REPO_USR (CO: Reporting / User Settings)
  Fields: ACTVT (Activity), KUSRGR (Indicator for user group)
  Values:
    02 Change: Assigns authorization to change user settings for overhead cost controlling.
    03 Display: Assigns authorization to display user settings for overhead cost controlling.

K_KA_TREC (CO: Summarization Levels)
  Fields: ACTVT (Activity), CEAPPL (Application class for drilldown reporting), TABLE (Table Name)
  Values:
    02 Change: Assigns authorization to change summarization levels.
    03 Display
    07 Activate, generate
    66 Refresh: Assigns authorization to update summarization levels.
    71 Analyze: Assigns authorization to analyze the access log.

K_KA09_KVS (CO: Version)
  Fields: BRGRU (Authorization Group), ACTVT (Activity)
  Values:
    02 Change
    03 Display
    72 Plan
    DP Delete plan

K_KC_PL (EC-BP: Authorization for Planning Layouts)
  Fields: CFASPET (Aspect (application area)), CEFORM (Form), ACTVT (Activity)
  Description: Assigns authorization to create, change, and display planning layouts. It also assigns authorization to display and change plan data.

K_KC_DE (EC-EIS Authorization - Entry Layout / Data Entry)
  Fields: CFASPET (Aspect (application area)), CEFORM (Form), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create planning and data entry layouts.
    02 Change: Assigns authorization to change planning and data entry layouts.
    03 Display: Assigns authorization to display planning and data entry layouts.
    29 Display saved data: Assigns authorization for the layout used to display data.
    79 Enter: Assigns authorization to enter and modify data with the layout.
K_KC_HI (EC-EIS Authorizations for Hierarchies)
  Fields: CFAPPLC (Application class for DD objects (not used)), CFFIENM (Field Name), CFHVERS (Hierarchy variant), ACTVT (Activity)
  Values:
    01 Create or generate
    02 Change
    03 Display
    06 Delete

K_KC_PRC (EC-EIS: Authorization for Presentation of Form)
  Fields: CFASPET (Aspect (application area)), CEFORM (Form), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create a form.
    02 Change: Assigns authorization to change a form.
    03 Display: Assigns authorization to display a form.
    16 Execute: Assigns authorization to use a form in the information system.

K_KC_DSK (EC-EIS: Authorization for Structures and Key Figures)
  Fields: CFASPET (Aspect (application area)), CFAPPLC (Application class for DD objects (not used)), CFOKCOD (EC-EIS/BP function code), TCD (Transaction Code)
K_KC_DS (EC-EIS: Authorizations for Data Structure Maintenance)
  Fields: CFASPET (Aspect (application area)), CFKYRSP (Application), CFOKCOD (EC-EIS/BP function code), TCD (Transaction Code)
  Description: Assigns authorization for maintaining and displaying data structure and key figures.

K_KC_DB (EC-EIS: Authorizations for the Data Basis)
  Fields: CFASPET (Aspect (application area)), CFRECTY (Record type), CFVERSO (Data area (previously version)), CFPERDE (Period), CFVALTY (Value type), CFOKCOD (EC-EIS/BP function code), TCD (Transaction Code)

K_KC_FC (EC-EIS: Function Code Authorization)
  Fields: ACTVT (Activity)
  Values:
    01 Create or generate
    02 Change
    03 Display
    06 Delete
    16 Execute

K_PCAI_UEB (EC-PCA: Actual Data Transfer)
  Fields: KOKRS (Controlling Area)
  Description: Assigns authorization to transfer actual data.

K_PCAD_UM (EC-PCA: Assessment/Distribution)
  Fields: GLRRCTY (Record Type), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create cycles.
    02 Change: Assigns authorization to change cycles.
    03 Display: Assigns authorization to display cycles and to obtain an overview of assessments.
    06 Delete: Assigns authorization to delete cycles.
    16 Execute: Assigns authorization to perform assessment and distribution.
K_PCAB_DEL (EC-PCA: Delete Transaction Data)
  Fields: GLRLDNR (Ledger)
  Description: Assigns authorization to delete transaction data for profit centers.

K_PCAF_UEB (EC-PCA: FI Data Transfer)
  Fields: BUKRS (Company Code)

K_PCAL_GEN (EC-PCA: Generate and activate ledger)
  Fields: KOKRS (Controlling Area), ACTVT (Activity)
  Values:
    03 Display: Assigns authorization to display ledger settings.
    62 Create automatic ledger: Assigns authorization to create automatic ledger.
    63 Activate: Assigns authorization to activate profit center ledger.
    64 Generate: Assigns authorization to regenerate a ledger.

K_PCAM_UEB (EC-PCA: MM Data Transfer)
  Fields: ACTVT (Activity)
  Values:
    90 Copy: Assigns authorization to transfer data from materials management (MM).

K_PCAP_UEB (EC-PCA: Plan Data Transfer)
  Fields: KOKRS (Controlling Area), CEVERSN (Version), CEGJAHR (Fiscal Year)
  Description: Assigns authorization to transfer plan data to profit centers.

K_PCAP_SET (EC-PCA: Planning Hierarchy)
  Fields: KOKRS (Controlling Area), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create profit center hierarchies.
    02 Change: Assigns authorization to change profit center hierarchies.
    03 Display: Assigns authorization to display profit center hierarchies.
    06 Delete: Assigns authorization to delete profit center hierarchies.
K_PCAS_PRC (EC-PCA: Profit Centers)
  Fields: KOKRS (Controlling Area), ACTVT (Activity)
  Values:
    01 Create or generate: Assigns authorization to create profit centers.
    02 Change: Assigns authorization to change profit centers and time-based fields.
    03 Display: Assigns authorization to display profit centers and the master data index.
    06 Delete: Assigns authorization to delete profit centers.
    21 Transport: Assigns authorization to transport Customizing settings.
    42 Convert to DB: Assigns authorization to convert line items.
    63 Activate: Assigns authorization to activate inactive profit centers.

(Authorization object name not present in the source text)
  Fields: KOKRS (Controlling Area)
  Description: Assigns authorization to realign profit center data for retroactive changes to profit center assignments in CO master data.

K_PCA (EC-PCA: Responsibility Area, Profit Center)
  Fields: RESPAREA (CO-OM Responsibility Area), CO_ACTION (Actions for CO-OM Authorization Check), KSTAR (Cost Element)
K_PCAS_UEB (EC-PCA: SD Data Transfer)
  Fields: ACTVT (Activity)
  Values:
    90 Copy: Assigns authorization to transfer data from sales and distribution (SD).

K_PCAR_SRP (EC-PCA: Standard Reports and Datasets)
  Fields: GLRLDNR (Ledger), ACTVT (Activity)
  Values:
    02 Change
    07 Activate, generate: Assigns authorization to generate profit center reports.
    16 Execute: Assigns authorization to execute profit center reports.
    42 Convert to DB: Assigns authorization to convert profit center reports.
    60 Import: Assigns authorization to import standard reports and datasets.
    61 Export: Assigns authorization to export standard reports and datasets.

K_PCAR_REP (EC-PCA: Summary and Line Item Reports)
  Fields: BUKRS (Company Code), PRCTR (Profit Center), KSTAR (Cost Element), ACTVT (Activity)
  Values:
    01 Create or generate
    02 Change
    03 Display: Assigns authorization to display documents.
    06 Delete
    27 Display totals records: Assigns authorization to carry out reporting of summary records.
    28 Display line items: Assigns authorization to carry out reporting of line items.
    29 Display saved data: Assigns authorization to display saved data.
    76 Enter: Assigns authorization to create documents.
K_ML_MGV (Material Ledger: Master Data of Quantity Structure Tool)
  Fields: ACTVT (Activity), WERKS (Plant)
  Values:
    01 Create or generate
    02 Change
    03 Display

K_KEPL_TC (Profit Planning)
  Fields: ACTVT (Activity)
  Values:
    02 Change: Assigns authorization to change and delete plan data.
    03 Display: Assigns authorization to display plan data.
    24 Archive: Assigns authorization to archive plan data.
    65 Reorganize: Assigns authorization to reorganize long texts for plan data.
    B3 Derive: Assigns authorization to carry out characteristic derivation before the authorization check for CO-PA authorizations.

K_KEPL_FR (Profit Planning: Initial Screen)
  Fields: CEERKRS (Operating concern), ACTVT (Activity)
  Values:
    02 Change
    03 Display
    16 Execute
    21 Transport
    GL General overview
Security Guide for SAP S/4HANA 1709
SAP S/4HANA Business Applications P U B L I C 131Authorization Object Field Value Description
K_KEI_TC (Profitability Analysis: Actual Data)
Fields: ACTVT (Activity)
Values:
● 01 Create or generate: Assigns authorization to create line items.
● 02 Change: Assigns authorization to perform periodic valuation or top-down actual distribution.
● 03 Display: Assigns authorization to display line items.
● 06 Delete: Assigns authorization to delete the data in the error file CEERROR.
● 24 Archive: Assigns authorization to archive line items.
K_KEKD_TC (Profitability Analysis: Conditions)
Fields: ACTVT (Activity)
Values:
● 01 Create or generate: Assigns authorization to create condition tables and pricing reports.
● 02 Change: Assigns authorization to change condition tables and pricing reports.
● 03 Display: Assigns authorization to display condition tables and pricing reports.
● 16 Execute: Assigns authorization to execute condition lists.
K_KED_UM (Profitability Analysis: Cost Center Assessment)
Fields: CEERKRS (Operating concern), CEPLIKZ (Plan/Actual Indicator), ACTVT (Activity)
Values:
● 01 Create or generate: Assigns authorization to create cycles.
● 02 Change: Assigns authorization to change and delete cycles.
● 03 Display: Assigns authorization to display cycles.
● 16 Execute: Assigns authorization to execute assessments.
● 58 Display takeover: Assigns authorization to display an overview of cost center assessments.
K_KER_TC (Profitability Analysis: Derivation Rule Values)
Fields: ACTVT (Activity)
Values:
● 01 Create or generate
● 02 Change: Assigns authorization to change derivation rules.
● 03 Display: Assigns authorization to display derivation rules.
K_KES_TC (Profitability Analysis: Derivation Strategy)
Fields: ACTVT (Activity)
Values:
● 01 Create or generate
● 02 Change: Assigns authorization to change derivation strategies.
● 03 Display: Assigns authorization to display derivation strategies.
K_KEA_ALE (Profitability Analysis: Distribution)
Fields: CEERKRS (Operating concern), ACTVT (Activity)
Values:
● 01 Create or generate
● 02 Change
● 03 Display
● 16 Execute
● 64 Generate
K_KEA_TC (Profitability Analysis: Maintain Operating Concern)
Fields: ACTVT (Activity)
Values:
● 01 Create or generate: Assigns authorization to create operating concerns.
● 02 Change: Assigns authorization to change operating concerns.
● 03 Display: Assigns authorization to display operating concerns.
● 06 Delete: Assigns authorization to delete operating concerns.
● 60 Import: Assigns authorization to import operating concerns.
● 67 Translate: Assigns authorization to translate operating concerns.
● D1 Copy: Assigns authorization to copy operating concerns.
K_KEA_NET (Profitability Analysis: Realignments)
Fields: CEERKRS (Operating concern), ACTVT (Activity)
Values:
● 01 Create or generate: Assigns authorization to create, change, and test realignments.
● 03 Display: Assigns authorization to display and test realignments.
● 16 Execute: Assigns authorization to execute realignments including scheduling and starting background jobs.
K_KEA_ERG (Profitability Analysis: Set Operating Concern)
Fields: CEERKRS (Operating concern)
K_KEDT_TC (Profitability Analysis: Transfer Data to CO-PA)
Fields: ACTVT (Activity)
Values:
● 02 Change: Assigns authorization to customize the transfer of data.
● 16 Execute: Assigns authorization to transfer external actual data and plan data and post SD billing data.
● 58 Display takeover
K_KEB_BER (Profitability Report: Authorization Objects)
Fields: CEERKRS (Operating concern), ACTVT (Activity)
Values:
● 02 Change
● 03 Display
K_KEB_RC (Profitability Report: Forms)
Fields: CEERKRS (Operating concern), CEFORM (Form), ACTVT (Activity)
Values:
● 01 Create or generate
● 02 Change
● 03 Display
● 21 Transport
● 60 Import
K_KEB_REP (Profitability Report: Report Name)
Fields: CEERKRS (Operating Concern), CEREPID (Report), ACTVT (Activity)
Values:
● 01 Create or generate: Assigns authorization to create reports.
● 02 Change: Assigns authorization to change reports including saving the report structure from the list.
● 03 Display: Assigns authorization to display reports.
● 04 Print, edit messages: Assigns authorization to print reports.
● 16 Execute: Assigns authorization to execute reports.
● 21 Transport: Assigns authorization to transport reports.
● 28 Display line items: Assigns authorization to execute reports and display line items from the report list.
● 32 Save: Assigns authorization to save the report list with data.
● 60 Import: Assigns authorization to import reports from client 000.
● 61 Export: Assigns authorization to export reports.
● L0 All functions
● L1 Function range level 1
● L2 Function range level 2
K_KEB_TC (Profitability Reports)
Fields: ACTVT (Activity)
Values:
● 01 Create or generate: Assigns authorization to create reports and change key figure scheme.
● 02 Change: Assigns authorization as follows:
○ To change and delete reports
○ Test monitor for profitability reports
○ Assign a hierarchy for account-based CO-PA
○ Maintain variables
○ Maintain the report tree
● 03 Display: Assigns authorization to display reports.
● 16 Execute: Assigns authorization to execute reports.
● 65 Reorganize: Assigns authorization to reorganize the following:
○ Report data
○ Reports
○ Forms
○ Layouts
● 66 Refresh: Assigns authorization to update reports and schedule variant groups.
● B3 Derive: Assigns authorization to carry out characteristic derivation before authorization checks for CO-PA authorizations.
K_KC_DB_VS (SAP-EIS Authorization for Data Basis Version & Plan/Act Ind.)
Fields: CFASPET (Aspect (application area)), CFVERSION (Version), CFPLANT (Plan/Act. indicator (EC-EIS/EC-BP)), CFOKCOD (EC-EIS/BP function code)
Assigns authorization for the aspect, version, and plan/actual indicator.
K_KC_PR (SAP-EIS: Authorization for Presentation)
Fields: CFHIEID (User group), CFLFDID (Sequence number for hierarchical node), CFREPID (Report), CFJDEST (Storage place of SAP-EIS report), CFOKCOD (EC-EIS/BP function code), TCD (Transaction Code)
K_KC_PBR (SAP-EIS: Authorization for Presentation Objects)
Fields: CFASPET (Aspect (application area)), ACTVT (Activity)
Values:
● 02 Change: Assigns authorization to create and change an authorization object.
● 03 Display: Assigns authorization to display an authorization object.
K_TEST (Test)
Fields: ACTVT (Activity)
K_TP_VALU (Transfer Price Valuations)
Fields: KOKRS (Controlling Area), VALUTYP (Valuation View), ACTVT (Activity)
Values:
● 02 Change: Assigns authorization to change the valuation view.
● 03 Display: Assigns authorization to display the valuation view.
● 10 Post
The table below shows the security-relevant authorization objects that are used by the Controlling component but
are only needed for industry solutions.
Standard Authorization Objects
Table 65:
K_PRICE001 (Authorization for Price Maintenance, Catch Weight Solution)
Fields: BUKRS (Company Code), WERKS (Plant), CWPRICLABL (Price Type), ACTVT (Activity)
Values:
● 02 Change
● 03 Display
K_PRS_LS (CO Authorization for Prof. Services Lean Staffing)
Fields: PRCTR (Profit Center), ACTVT (Activity)
Values:
● 02 Change
● 03 Display
● 06 Delete
The table below shows the security-relevant authorization objects that are used by the Controlling component but
are only needed for industry solutions.
Standard Authorization Objects
Table 66:
K_PEP (CO Authorization Object for Period-End Partner (PEP))
Fields: ACTVT (Activity)
Values:
● 06 Delete: Assigns authorization to delete log entries in the Period-End Partner (PEP).
● 13 Execute
K_MLNUSER (CO Material Ledger: Individual settlement (no longer used))
Fields: BWKEY (Valuation area)
Assigns authorization to close the material ledger for specific materials and display material ledger master data.
K_MLPUSER (CO Material Ledger: Plant settlement (no longer used))
Fields: BWKEY (Valuation area)
Assigns authorization to close the material ledger for a plant and carry out exact analyses of data.
For general information on the authorizations in Controlling, see the documentation for Controlling on the SAP
Help Portal at http://help.sap.com under Methods in Controlling Authorizations and under Accounting
Controlling (CO) Profitability Analysis (CO-PA) Information System Authorization Objects in the Information
System. Information on the authorizations for the Controlling functions in Manager Self-Service (MSS) and for
the role of the Business Unit Analyst (BUA) can be found in this Security Guide under Cross-Application
Components and then Self-Services.
Critical Combinations
The critical combinations for Controlling are as follows:
● The roles for Controlling are based on the area menus rather than on U.S. Sarbanes-Oxley Act compliance.
● The master data folders in each transaction should be assigned to a master data officer rather than to a
controlling end user to ensure the integrity of the data.
● In the planning transaction, authorizations can be assigned to many users.
● In addition to maintaining authorizations for managers, you should consider using the personalization
framework for manager self-service.
The table below shows the roles that also contain authorization for logistics.
Standard Authorization Objects that Contain Authorization for Controlling and Logistics
Table 67:
SAP_EP_RW_CO_KKAM FI - CO - Product Cost by Sales Order
SAP_EP_RW_CO_KKPM FI - CO - Product Cost by Period
SAP_EP_RW_CO_KKSM FI - CO - Product Cost by Order
SAP_EP_RW_CO_CK00 FI - CO - Product Cost Planning
13.3.2.2 Profit Center Accounting (EC-PCA)
Important SAP Notes
The following composite SAP Note contains important information about the security of the Profit Center
Accounting (EC-PCA) component:
Table 68:
Title SAP Note
Composite SAP note: Security of Enterprise Controlling 1518587
Authorizations
Standard Roles
The following table shows the standard roles that are used by the component.
Table 69:
Role Description
SAP_AUDITOR_BA_EC_PCA AIS – Profit Center Accounting
SAP_AUDITOR_BA_EC_PCA_A AIS – Profit Center Accounting (Authorizations)
SAP_EC_PCA_ARCHIVING Profit Center Accounting Archiving
SAP_EC_PCA_MODEL Maintain Cycles for Assessment, Distribution, and Reposting (EC-PCA)
SAP_EC_PCA_MODEL_TP_DISPLAY Display Transfer Prices
SAP_EC_PCA_MODEL_TP_MAINTAIN Maintain Transfer Prices
SAP_EC_PCA_OBJECT_DISPLAY Display Profit Center Master Data
SAP_EC_PCA_OBJECT_MAINTAIN Maintain Profit Center Master Data
SAP_EC_PCA_PEREND Period-End Closing in Profit Center Accounting
SAP_EC_PCA_PEREND_POSTINGS Data Entry for Profit Center Accounting
SAP_EC_PCA_PLAN_CLOSING Plan Closing in Profit Center Accounting
SAP_EC_PCA_REPORT Profit Center Accounting – Line Items and Totals Records
SAP_EC_PCA_REPORT1 Profit Center Accounting – Drilldown Reports
SAP_EC_PCA_REPORT2 Profit Center Accounting – Report Painter Reports
SAP_EC_PCA_REPORT3 Profit Center Accounting – Reports from Other Components
Standard Authorization Objects
The following table shows the security-relevant authorization objects that are used by the component.
Table 70:
Authorization Object Description
K_PCA EC-PCA: Responsibility Area, Profit Center
K_PCAB_DEL EC-PCA: Delete Transaction Data
K_PCAD_UM EC-PCA: Assessment/Distribution
K_PCAF_UEB EC-PCA: FI Data Transfer
K_PCAI_UEB EC-PCA: Actual Data Transfer
K_PCAL_GEN EC-PCA: Generate and Activate Ledger
K_PCAM_UEB EC-PCA: MM Data Transfer
K_PCAP_SET EC-PCA: Planning Hierarchy
K_PCAP_UEB EC-PCA: Plan Data Transfer
K_PCAR_REP EC-PCA: Summary and Line Item Reports
K_PCAR_SRP EC-PCA: Standard Reports and Datasets
K_PCAS_PRC EC-PCA: Profit Center
K_PCAS_UEB EC-PCA: SD Data Transfer
K_PCA_REAL EC-PCA: Realignment for PrCtr Assignments to CO Master Data
13.3.2.3 Network and Communication Security
Controlling is integrated with Microsoft Office. For information on security aspects with Microsoft Office
applications, refer to the documentation of those products.
Communication in Manager Self-Service (MSS) and in the Web Application for the Business Unit Analyst (BUA) is
based on Remote Function Calls (RFCs).
13.3.2.3.1 Communication Destinations
Technical users are required for communication over ALE, for batch reporting, and for third-party providers that
access Controlling data.
13.3.2.4 Joint Venture Accounting
13.3.2.4.1 Authorizations
Standard Roles
The table below shows the standard roles that are used by JVA.
Table 71:
Role Description
SAP_EP_RW_GJVP RW - Joint Venture Accounting
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by JVA.
Table 72:
Authorization Object Description
J_JVA_CUS Joint Venture Accounting: Customizing
J_JVA_JOA Joint Venture Accounting: Joint Operating Agreement Master
J_JVA_PRC Joint Venture Accounting: Processing
J_JVA_REP Joint Venture Accounting: Reporting
J_JVA_VNT Joint Venture Accounting: Venture Master
13.3.2.4.2 Communication Channel Security
Table 73:
Front-end client using SAP GUI for Windows to application server
● Protocol used: DIAG
● Type of data transferred: All application data
● Data requiring special protection: For example, passwords, business data, credit card information
Front-end client using a Web browser to application server
● Protocol used: HTTP(S)
● Type of data transferred: All application data
● Data requiring special protection: For example, passwords, business data, credit card information
Application server to application server
● Protocol used: RFC, HTTP(S)
● Type of data transferred: Integration data
● Data requiring special protection: Business data, credit card information
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using the Secure Sockets Layer (SSL) protocol.
Recommendation
We strongly recommend using secure protocols (SSL, SNC) whenever possible.
13.3.3 Security Information for Governance, Risk and Compliance
13.3.3.1 Security Information for International Trade
The following security information applies to SAP S/4HANA for international trade only.
13.3.3.2 Introduction
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance
with general data privacy regulation, it is necessary to consider compliance with industry-specific legislation in
different countries. SAP provides specific features and functions to support compliance with regards to relevant
legal requirements, including data protection. SAP does not give any advice on whether these features and
functions are the best method to support company, industry, regional, or country-specific requirements.
Furthermore, this information does not give any advice or recommendation in regards to additional features that
would be required in particular IT environments; decisions related to data protection must be made on a case-by-
case basis, under consideration of the given system landscape and the applicable legal requirements.
Note
In the majority of cases, compliance with applicable data protection and privacy laws will not be covered by a
product feature. SAP software supports data protection compliance by providing security features and specific
data protection-relevant functions, such as simplified blocking and deletion of personal data. SAP does not
provide legal advice in any form. Definitions and other terms used in this document are not taken from any
given legal source.
13.3.3.3 Glossary
Table 74:
Term Definition
Personal data Any information relating to an identified or identifiable natural
person ("data subject"). An identifiable natural person is one
who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental,
economic, cultural, or social identity of that natural person.
Purpose A legal, contractual, or in other form justified reason for the
processing of personal data. The assumption is that any pur
pose has an end that is usually already defined when the pur
pose starts.
Blocking A method of restricting access to data for which the primary
business purpose has ended.
Deletion The irreversible destruction of personal data.
Retention period The period of time between the end of purpose (EoP) for a
data set and when this data set is deleted subject to applica
ble laws. It is a combination of the residence period and the
blocking period.
End of purpose (EoP) A method of identifying the point in time for a data set when
the processing of personal data is no longer required for the
primary business purpose. After the EoP has been reached,
the data is blocked and can only be accessed by users with
special authorization (e.g. tax auditors).
Sensitive personal data A category of personal data that usually includes the following
type of information:
● Special categories of personal data such as data reveal
ing racial or ethnic origin, political opinions, religious or
philosophical beliefs, or trade union membership and the
processing of genetic data, biometric data, data concern
ing health or sex life or sexual orientation
● Personal data subject to professional secrecy
● Personal data relating to criminal or administrative of
fenses
● Personal data concerning insurances and bank or credit
card accounts
Residence period The period of time after the end of purpose (EoP) for a data
set during which the data remains in the database and can be
used in case of subsequent processes related to the original
purpose. At the end of the longest configured residence pe
riod, the data is blocked or deleted. The residence period is
part of the overall retention period.
Where-used check (WUC) A process designed to ensure data integrity in the case of po
tential blocking of business partner data. An application's
where-used check (WUC) determines if there is any depend
ent data for a certain business partner in the database. If de
pendent data exists, this means the data is still required for
business activities. Therefore, the blocking of business part
ners referenced in the data is prevented.
Consent The action of the data subject confirming that the usage of his
or her personal data shall be allowed for a given purpose. A
consent functionality allows the storage of a consent record in
relation to a specific purpose and shows if a data subject has
granted, withdrawn, or denied consent.
13.3.3.4 Read Access Logging
Read Access Logging (RAL) is used to monitor and log read access to sensitive data. This data may be
categorized as sensitive by law, by external company policy, or by internal company policy. These common
questions might be of interest for an application that uses Read Access Logging:
● Who accessed the data of a given business entity, for example a bank account?
● Who accessed personal data, for example of a business partner?
● Which employee accessed personal information, for example religion?
● Which accounts or business partners were accessed by which users?
These questions can be answered using information about who accessed particular data within a specified time
frame. Technically, this means that all remote API and UI infrastructures (that access the data) must be enabled
for logging.
Use
In Read Access Logging (RAL), you can configure which read-access information to log and under which
conditions. SAP delivers sample configurations for applications. The application component scenario logs data in
order to describe business processes. You can find the configurations as described in this chapter.
For the following configurations, fields are logged in combination with additional fields in the following business
contexts:
Read Access Logging is currently limited to the following channels, however:
● Remote Function Calls (sRFC, aRFC, tRFC, qRFC, bgRFC)
● Dynpro (dynpro fields, ALV Grid, ABAP List, F4)
● Web Dynpro
● Web services
● Gateway (for OData)
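The four questions listed above become simple queries once every channel writes a log record carrying who, when, which entity and which field. The following added example (not SAP's RAL implementation, and not its log format) runs those queries over a constructed set of records; the record layout, the user names, the entity identifiers and the channel names in the sample are assumptions chosen to carry what the questions need.

```python
"""Answering the Read Access Logging questions over constructed sample records.

Added illustration: this is not SAP's RAL implementation or its log format. The
record layout (when, who, channel, entity type, entity id, field) is an assumption
chosen to carry what the four questions need.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log records, not real RAL output.
SAMPLE_LOG = [
    ("2024-03-01T08:15:00", "JSMITH",   "Dynpro",    "BankAccount",     "DE001",  "IBAN"),
    ("2024-03-01T08:16:30", "JSMITH",   "Dynpro",    "BusinessPartner", "BP4711", "Religion"),
    ("2024-03-01T09:40:00", "AMUELLER", "WebDynpro", "BusinessPartner", "BP4711", "Address"),
    ("2024-03-02T11:00:00", "RFCUSER",  "tRFC",      "BankAccount",     "DE001",  "IBAN"),
    ("2024-03-05T14:20:00", "AMUELLER", "Gateway",   "BankAccount",     "DE002",  "Balance"),
]

def _entries(log, start, end):
    """Yield records (as dicts) whose timestamp lies in the inclusive window [start, end] (ISO strings)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    for ts, user, channel, etype, eid, field in log:
        t = datetime.fromisoformat(ts)
        if lo <= t <= hi:
            yield {"ts": t, "user": user, "channel": channel,
                   "etype": etype, "eid": eid, "field": field}

def who_accessed_entity(log, etype, eid, start, end):
    """Who accessed the data of a given business entity, for example a bank account?"""
    return sorted({e["user"] for e in _entries(log, start, end)
                   if e["etype"] == etype and e["eid"] == eid})

def who_accessed_field(log, field, start, end):
    """Which users read a particular sensitive field, for example religion?"""
    return sorted({e["user"] for e in _entries(log, start, end) if e["field"] == field})

def entities_by_user(log, start, end):
    """Which entities were accessed by which users?"""
    seen = defaultdict(set)
    for e in _entries(log, start, end):
        seen[e["user"]].add((e["etype"], e["eid"]))
    return {user: sorted(items) for user, items in seen.items()}

def accesses_by_channel(log, start, end):
    """How many logged accesses arrived over each channel (RFC, Dynpro, Web Dynpro, ...)?"""
    counts = defaultdict(int)
    for e in _entries(log, start, end):
        counts[e["channel"]] += 1
    return dict(counts)

if __name__ == "__main__":
    window = ("2024-03-01T00:00:00", "2024-03-03T00:00:00")
    print(who_accessed_entity(SAMPLE_LOG, "BankAccount", "DE001", *window))
    print(who_accessed_field(SAMPLE_LOG, "Religion", *window))
    print(entities_by_user(SAMPLE_LOG, *window))
    print(accesses_by_channel(SAMPLE_LOG, *window))
```

The per-channel count is the practical check behind the channel list above: a channel that carries traffic but never appears in the log has not been enabled for logging, and the questions cannot be answered for accesses over it.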
13.3.3.5 Deletion of Personal Data
● Simplified Blocking and Deletion: In addition to compliance with the general data protection regulation, it is
necessary to consider compliance with industry-specific legislation in different countries. A typical potential
scenario in certain countries is that personal data shall be deleted after the specified, explicit, and legitimate
purpose for the processing of personal data has ended, but only as long as no other retention periods are
defined in legislation, for example, retention periods for financial documents. Legal requirements in certain
scenarios or countries also often require blocking of data in cases where the specified, explicit, and legitimate
purposes for the processing of this data has ended, but the data has to be retained in the database due to
other legally defined retention periods. In some scenarios, personal data also includes referenced data.
Therefore, the challenge for deletion and blocking is to first handle referenced data and finally other data,
such as business partner data.
● Deletion of personal data: The handling of personal data is subject to applicable laws related to the deletion of
such data at the end of purpose (EoP). If there is no longer a legitimate purpose that requires the use of
personal data, it must be deleted. When deleting data in a data set, all referenced objects related to that data
set must be deleted as well. It is also necessary to consider industry-specific legislation in different countries
in addition to general data protection laws. After the expiration of the longest retention period, the data must
be deleted.
SAP S/4HANA for international trade might process data (personal data) that is subject to the data protection
laws applicable in specific countries as described in SAP Note 1825544.
To enable even complex scenarios, SAP simplifies existing deletion functionality to cover data objects that are
personal data by default. For this purpose, SAP uses SAP Information Lifecycle Management (ILM) to help you set
up a compliant information lifecycle management process in an efficient and flexible manner. The functions that
support the simplified blocking and deletion of personal data are not delivered in one large implementation, but in
several waves. Scenarios or products that are not specified in SAP Note 1825608 (central Business Partner)
and SAP Note 2007926 (ERP Customer and Vendor) are not yet subject to simplified blocking and deletion.
Nevertheless, it is also possible to destroy personal data for these scenarios or products. In these cases, you have
to use an existing archival or deletion functionality or implement individual retention management of relevant
business data throughout its entire lifecycle. The SAP Information Lifecycle Management (ILM) component
supports the entire software lifecycle including the storage, retention, blocking, and deletion of data.
This product uses SAP ILM to support the deletion of personal data as described in the following sections:
SAP delivers an end of purpose check for the product.
SAP delivers a where-used check (WUC) for the product.
All applications register either an end of purpose check (EOP check) in the Customizing settings for the blocking
and deletion of application data (for example, the customer and vendor master or the business partner) or a WUC.
For information about the Customizing of blocking and deletion for this product, see Configuration: Simplified
Blocking and Deletion.
End of Purpose Check (EoP check)
An end of purpose check determines whether data is still relevant for business activities based on the retention
period defined for the data. The retention period of data consists of the following phases:
● Phase one: The relevant data is actively used.
● Phase two: The relevant data is actively available in the system.
● Phase three: The relevant data needs to be retained for other reasons.
For example, processing of data is no longer required for the primary business purpose, but to comply with legal
rules for retention, the data must still be available. In phase three, the relevant data is blocked.
Blocking of data prevents the business users of SAP applications from displaying and using data that may include
personal data and is no longer relevant for business activities.
Blocking of data can impact system behavior in the following ways:
● Display: The system does not display blocked data.
● Change: It is not possible to change a business object that contains blocked data.
● Create: It is not possible to create a business object that contains blocked data.
● Copy/Follow-Up: It is not possible to copy a business object or perform follow-up activities for a business
object that contains blocked data.
● Search: It is not possible to search for blocked data or to search for a business object using blocked data in
the search criteria.
It is possible to display blocked data if a user has special authorization; however, it is still not possible to create,
change, copy, or perform follow-up activities on blocked data.
Where-Used Check (WUC)
A where-used check is a simple check to ensure data integrity in case of potential blocking. The WUC for this
product checks whether any dependent data for a customer, vendor, or central business partner (cBP) exists in
the respective table. If dependent data exists, that is, if the data is still required for business activities, the system
does not block that specific customer, vendor, or cBP.
If you still want to block the data, the dependent data must be deleted by using the existing archival and deletion
tools or by using another customer-specific solution.
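The retention phases, the end of purpose check, the effects of blocking and the where-used check described above, together with the glossary rule that the retention period is the residence period plus the blocking period, fit into a small state model. The following is an added example written for this guide; it is neither SAP ILM nor the product's own EoP or WUC code. The period lengths, the record layout, the sample partner and document numbers, and the "special authorization" flag are assumptions.

```python
"""Model of the retention phases, end-of-purpose (EoP) check, blocking behaviour and
where-used check (WUC) described in this section, with the glossary's rule
retention period = residence period + blocking period.

Added illustration only: this is neither SAP ILM nor the product's own EoP/WUC code.
The period lengths, the record layout and the special-authorization flag are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class RetentionPolicy:
    residence_days: int   # phase two: data still usable for follow-on processes of the original purpose
    blocking_days: int    # phase three: retained for other (e.g. legal) reasons only

    @property
    def retention_days(self):
        return self.residence_days + self.blocking_days

@dataclass
class BusinessPartner:
    bp_id: str
    end_of_purpose: Optional[str] = None   # ISO date; None while the primary purpose is still running
    blocked: bool = False

def phase(bp, policy, today):
    """1 = actively used, 2 = residence period, 3 = blocking period, 'delete' = retention over."""
    if bp.end_of_purpose is None:
        return 1
    elapsed = (date.fromisoformat(today) - date.fromisoformat(bp.end_of_purpose)).days
    if elapsed < 0:
        return 1
    if elapsed < policy.residence_days:
        return 2
    if elapsed < policy.retention_days:
        return 3
    return "delete"

def where_used_check(bp_id, dependent_data):
    """True when dependent data still references the partner, so blocking must be prevented."""
    return any(row["bp_id"] == bp_id for row in dependent_data)

def try_block(bp, policy, today, dependent_data):
    """Block the partner only once the residence period is over and the WUC finds nothing."""
    if phase(bp, policy, today) != 3:
        return False, "residence period not over or retention already expired"
    if where_used_check(bp.bp_id, dependent_data):
        return False, "dependent data exists; archive or delete it first"
    bp.blocked = True
    return True, "blocked"

def allowed(bp, action, special_authorization=False):
    """Blocked data: display only with special authorization; create, change, copy/follow-up and search never."""
    if not bp.blocked:
        return True
    return action == "display" and special_authorization

if __name__ == "__main__":
    policy = RetentionPolicy(residence_days=90, blocking_days=3650)
    bp = BusinessPartner("BP4711", end_of_purpose="2024-01-01")
    documents = [{"doc_no": "9000000123", "bp_id": "BP4711"}]   # constructed dependent data
    print(phase(bp, policy, "2024-06-01"))                      # 3
    print(try_block(bp, policy, "2024-06-01", documents))       # (False, ...)
    print(try_block(bp, policy, "2024-06-01", []))              # (True, 'blocked')
    print(allowed(bp, "display"), allowed(bp, "display", True), allowed(bp, "change", True))
```

The order of checks in try_block is the point of the section: the WUC runs before the block is set, so a partner that is still referenced by a document stays unblocked until that dependent data has been archived or deleted.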
13.3.3.5.1 Deletion of Personal Data in International Trade
International Trade might process data (personal data) that is subject to the data protection laws applicable in
specific countries.
Note
SAP S/4HANA for international trade does not use SAP Information Lifecycle Management (ILM) to control the
blocking and deletion of personal data. SAP S/4HANA for international trade uses SAP Business Partner (BP)
instead to control the blocking and deletion of personal data.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
defining the settings for blocking. Choose Customizing, then Cross-Application Components under Data
Protection.
13.3.3.5.1.1 Intrastat-Declarations
Personal data of the contact person of the provider of information, for example first name, last name and e-mail
address, is written into Intrastat declaration files to be compliant with the file formats defined by authorities.
These file formats are country-specific and can be changed by authorities at any time.
Intrastat declaration files are saved outside the SAP S/4HANA system. Therefore, the management of those files
and the deletion of personal data in those files must be done outside the SAP S/4HANA system.
13.3.3.6 Authorizations in International Trade
International trade uses the authorization concept provided by the SAP NetWeaver for Application Server ABAP.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver for
Application Server ABAP also apply.
13.3.3.6.1 Business Catalogs in International Trade
Business catalogs are the central object for UI and authorization assignment to business users and for structuring
and organizing the menu and authorization maintenance. If a user is assigned to a business catalog, he gains
access to all apps included in the catalog and therefore requires the corresponding authorizations.
In On-Premise systems, business catalogs are defined by customers by composing the relevant apps based on their
specific requirements. Authorizations are determined via the Fiori-PFCG integration when the catalog is entered in
the PFCG role menu. SAP delivers business catalogs as templates that customers may copy to create their own
content. To give users access to the apps, you must assign them to the business catalogs.
Business Catalogs
Business Catalog: SAP_SLL_BC_CLS_LEGCTRL
International Trade Classification - Legal Control
Apps
● Manage Control Classes
● Manage Control Groupings
● Classify Products - Legal Control
● Reclassify Products - Legal Control
Business Catalog: SAP_SLL_BC_CLS_CMMDTYCODE
International Trade Classification - Commodity Codes
Apps
● Manage Commodity Codes
● Classify Products – Commodity Codes
● Reclassify Products – Commodity Codes
Business Catalog: SAP_SLL_BC_CLS_ISSRVCCODE
International Trade Classification - Intrastat Service Codes
Apps
● Manage Intrastat Service Codes
● Classify Products – Intrastat Service Codes
● Reclassify Products – Intrastat Service Codes
Business Catalog: SAP_SLL_BC_INTRASTAT_DECLN
Intrastat - Declaration Management
Apps
● Manage Intrastat Service Codes
● Classify Products – Intrastat Service Codes
● Reclassify Products – Intrastat Service Codes
Business Catalog: SAP_SLL_BC_INTRASTAT_SEL
Intrastat - Selection Report Execution
Apps
● Select Dispatches and Customer Returns
● Select Receipts and Returns to Supplier
Business Catalog: SAP_SLL_BC_LICENSE_MANAGE
International Trade Compliance - License Management
Apps
● Manage Licenses
Business Catalog: SAP_SLL_BC_CMPLCDOC_MANAGE
International Trade Compliance - Document Management
Apps
● Resolve Blocked Documents - Trade Compliance
● Manage Documents - Trade Compliance
13.3.3.6.1.1 Display Business Catalog in International Trade
You can manage authorization fields in a PFCG role by using transaction PFCG. The following authorization fields are
used in the Business Partner display catalog.
Business Catalog: SAP_CMD_BC_BP_DISP
Master Data - Business Partner Display
Table 75:
Authorization Object Description Authorization Field
B_BUPA_GRP Authorization Group for Business Part BEGRU
ners
B_BUPA_RLT Business Partner Role RLTYP
Business Partner Display Catalog Used by Intrastat Apps (POI)
If you assign business catalog SAP_SLL_BC_INTRASTAT_DECLN in a backend role, you also assign business
catalog SAP_CMD_BC_BP_DISP in a backend role. In authorization object B_BUPA_RLT (Business Partner Role), specify
ACTVT = 03 and RLTYP = 'SLLSTL'. 'SLLSTL' is the role of the contact person created as provider of information.
Business Partner Display Catalog Used by Legal Control Apps
If you assign business catalog SAP_SLL_BC_LICENSE_MANAGE to a backend role, also assign business catalog SAP_CMD_BC_BP_DISP to that backend role.
13.3.3.6.1.2 Manage Authorization for Generic Services in Business Catalogs in International Trade
The International Trade business catalogs use generic services (attachments and application jobs). The following sections describe the manual steps required to restrict the application-specific authorization fields of these services.
13.3.3.6.1.2.1 Generic Object Services (GOS) Attachment Service
Integration with the attachment service for the license master
Manual action required:
1. Assign Fiori catalog SAP_SLL_BC_LICENSE_MANAGE to a PFCG role in the backend.
2. Maintain the values for authorization object S_GOS_ATT manually:
● BOROBJTYPE = ITRLICMSTR
● ACTIVITY = 02 (Change) and 06 (Delete)
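The two value prescriptions in this section (B_BUPA_RLT limited to ACTVT 03 and RLTYP SLLSTL for the Intrastat POI display, and S_GOS_ATT limited to BOROBJTYPE ITRLICMSTR with activities 02 and 06 for the license master attachment service) are easy to lose when roles are copied or when PFCG proposes wildcards. The following script is an added example written for this page, not SAP code: it reads a CSV export of table AGR_1251 (role, object, field, LOW, HIGH) and reports every role whose values on these objects exceed the prescription, including LOW-HIGH intervals and wildcards. The Z_* role names and the rows in SAMPLE_AGR_1251 are constructed, the CSV column layout is assumed, and the activity field of S_GOS_ATT is assumed to export under the technical name ACTVT (the guide writes ACTIVITY).

```python
"""Audit exported PFCG role authorization values against a least-privilege
policy.  Added example for this page, not SAP code.  Assumes a CSV export
of table AGR_1251 with at least the columns AGR_NAME, OBJECT, FIELD, LOW,
HIGH (optionally DELETED); the role names and rows below are constructed
and S_GOS_ATT's activity field is assumed to export as ACTVT."""
import csv
from collections import defaultdict
from io import StringIO

# Values prescribed by the International Trade guidance.  Any other value,
# any LOW-HIGH interval and any wildcard on these fields is reported.
POLICY = {
    "B_BUPA_RLT": {"ACTVT": {"03"}, "RLTYP": {"SLLSTL"}},
    "S_GOS_ATT": {"BOROBJTYPE": {"ITRLICMSTR"}, "ACTVT": {"02", "06"}},
}

# Constructed sample export (hypothetical Z_* roles).
SAMPLE_AGR_1251 = """\
AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_TRD_INTRASTAT,B_BUPA_RLT,ACTVT,03,,
Z_TRD_INTRASTAT,B_BUPA_RLT,RLTYP,SLLSTL,,
Z_TRD_INTRASTAT,B_BUPA_RLT,RLTYP,*,,X
Z_TRD_INTRASTAT,B_BUPA_GRP,BEGRU,*,,
Z_TRD_LICENSE,S_GOS_ATT,BOROBJTYPE,ITRLICMSTR,,
Z_TRD_LICENSE,S_GOS_ATT,ACTVT,02,,
Z_TRD_LICENSE,S_GOS_ATT,ACTVT,06,,
Z_TRD_LICENSE,B_BUPA_RLT,ACTVT,01,99,
Z_TRD_LICENSE,B_BUPA_RLT,RLTYP,SLL*,,
"""


def parse_agr_1251(text):
    """Group the (LOW, HIGH) pairs of an AGR_1251 export by role, object and field.

    Rows flagged DELETED are inactive in PFCG and are skipped."""
    values = defaultdict(list)
    for row in csv.DictReader(StringIO(text)):
        if (row.get("DELETED") or "").strip() == "X":
            continue
        key = (row["AGR_NAME"].strip(), row["OBJECT"].strip(), row["FIELD"].strip())
        values[key].append((row["LOW"].strip(), row["HIGH"].strip()))
    return values


def audit(values, policy):
    """Return one finding string per role/object/field that exceeds the policy."""
    findings = []
    for (role, obj, field), pairs in sorted(values.items()):
        allowed = policy.get(obj, {}).get(field)
        if allowed is None:
            continue  # object or field not covered by the policy
        granted = set()
        for low, high in pairs:
            if high:  # an interval grants every value between LOW and HIGH
                findings.append(f"{role} {obj}.{field}: range {low}-{high} not allowed")
            elif "*" in low:  # full ('*') or pattern ('SLL*') wildcard
                findings.append(f"{role} {obj}.{field}: wildcard {low!r} not allowed")
            else:
                granted.add(low)
        extra = granted - allowed
        if extra:
            findings.append(
                f"{role} {obj}.{field}: {sorted(extra)} beyond {sorted(allowed)}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_agr_1251(SAMPLE_AGR_1251), POLICY):
        print(finding)
```

Run against a real export, the script flags the two classic drifts: an activity interval such as 01-99 that PFCG accepts silently, and a pattern value such as SLL* that matches more role types than the one the apps need. Extend POLICY with further object/field pairs as you add catalogs.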
13.3.3.6.1.2.2 Generic Service - Application Job: SU22 Authorization Default
Integration with the application job for the Intrastat selection reports
Manual action required:
1. Assign the Fiori catalog to a PFCG role.
2. Assign the authorization defaults for the selection reports:
● Transaction VE01 - Select SD Dispatches and Returns
● Transaction MEIS - Select MM Receipts and Returns
13.3.3.6.2 Standard Authorization Objects in International
Trade
The following table shows the default authorization objects that you need for international trade.
Table 76:
Authorization Object | Description
ITM_BUKRS | Authorization for Company Code
ITM_LGREG | Authorization for Legal Regulation
ITM_LMGM | Authorization for Legal Regulation / License Type
/ECRS/RPHD | Intrastat Declaration
/ECRS/POIA | Provider of Information
/ECRS/SP | Selection Program for Intrastat Reporting
ITM_CLS_NC | Trade Classification: Authorization for Numbering Scheme Content
ITM_CLS_LR | Trade Classification: Authorization for Legal Regulation
ITM_CLS_NS | Trade Classification: Authorization for Numbering Scheme
For International Trade apps, the authorization objects are used by the apps listed in the following tables:
Table 77:
Authorization Object | App Name
ITM_CLS_NC | Classify Products - Commodity Codes; Reclassify Products - Commodity Codes; Classify Products - Intrastat Service Codes; Reclassify Products - Intrastat Service Codes
Table 78:
Authorization Objects | App Names
ITM_CLS_LR, ITM_CLS_NS | Classify Products - Legal Control; Reclassify Products - Legal Control
Table 79:
Authorization Object | App Name
ITM_CLS_NC | Manage Control Classes
Table 80:
Authorization Object | App Name
ITM_CLS_LR | Manage Control Groupings
Table 81:
Authorization Objects | App Name
ITM_BUKRS, ITM_LMGM, ITM_LGREG, ITM_CLS_NS, ITM_CLS_NC, S_GOS_ATT | Manage Licenses
Table 82:
Authorization Objects | App Name
ITM_BUKRS, ITM_LGREG, ITM_CLS_NS, ITM_CLS_NC | Resolve Blocked Documents - Trade Compliance
Table 83:
Authorization Objects | App Name
ITM_BUKRS, ITM_LGREG, ITM_CLS_NS, ITM_CLS_NC | Manage Documents - Trade Compliance
Table 84:
Authorization Object | Transaction Name
/ECRS/SP | MEIS: Select Receipts, Returns to Supplier; VE01: Select Dispatches, Customer Returns
13.3.3.6.3 Standard Roles in International Trade
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see SAP NetWeaver Security Guide under User
Administration and Authentication.
13.3.3.6.3.1 Frontend Roles (Business Roles) - in International
Trade
International Trade uses the following Business Roles for the Frontend:
Table 85:
Business Role | Description
SAP_BR_TRD_CLS_SPECIALIST | International Trade Classification Specialist
SAP_BR_TRD_CMPLNC_SPECIALIST | International Trade Compliance Specialist
SAP_BR_INTRASTAT_SPECIALIST | Intrastat Specialist
13.3.3.6.3.2 Backend Roles in International Trade
We do not deliver backend roles. Instead, integrate the generic services into your own backend roles (PFCG roles), as described in the section Generic Object Services (GOS) Attachment Service.
13.3.4 Treasury and Financial Risk Management
13.3.4.1 SAP Bank Communication Management (incl. SAP
Integration Package for SWIFT)
About this Document
This Security Guide provides an overview of the specific security-relevant information that applies to SAP Bank Communication Management, including the SAP Integration Package for SWIFT.
13.3.4.1.1 Technical System Landscape
Use
SAP Bank Communication Management is responsible for the creation and approval of batches, the payment status monitor, and the bank statement monitor. Use of the SAP Integration Package for SWIFT is optional; it provides a file interface to the SWIFT Alliance Access/Alliance Gateway (SWIFT is not SAP software and is not part of SAP Bank Communication Management).
The figure below shows an overview of the technical system landscape for SAP Bank Communication Management.
For more information about recommended security zone settings, see SAP NetWeaver Security Guide (Complete) on SAP Service Marketplace at http://service.sap.com/securityguide.
13.3.4.1.2 User Management
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may
specify that individual users who perform tasks interactively have to change their passwords on a regular basis,
but not those users under which background processing jobs run.
The user types that are required for the SAP Bank Communication Management include:
● Individual users
Dialog users are used for SAP GUI for Windows connections.
● Technical users
Communication users are used for XI communication.
Standard Users
The table below shows the standard users that are necessary for operating the SAP Bank Communication
Management .
Table 86:
System | User ID | Type | Password | Description
SAP Bank Communication Management | For example: BRMXIUSER | Communication user | You specify the initial password during the installation. The user ID and password are stored in the XI channel for the connection. | -
XI Integration Server | For example: SWIFTADMIN | Default user | You specify the initial password during the installation. | Member of user group SWIFT_ADMINISTRATOR as described in the SAP Integration Package for SWIFT Configuration Guide.
You need to create these users before XI configuration.
Assign role SAP_XI_IS_SERV_USER to user BRMXIUSER and role SWIFT_ADMINSTRATOR to user SWIFTADMIN. Creation of role SWIFT_ADMINSTRATOR is described in the SAP Integration Package for SWIFT Configuration Guide.
Because the credentials of BRMXIUSER are stored in the XI channel configuration, keep that user of type Communication (no dialog logon), assign it only the role listed here, and change its password whenever the channel configuration is handled by someone who no longer needs access to it.
13.3.4.1.3 Authorizations
Standard Roles
The table below shows the standard roles that are used by the SAP Bank Communication Management.
Table 87:
Role | Description
SAP_XI_IS_SERV_USER | Exchange Infrastructure: Integration Server Service User
SWIFT_ADMINSTRATOR | Operating SWIFT interface. See Integration Package for SWIFT Configuration Guide
SAP_BPR_CASH_MANAGER | Cash Manager
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by SAP Bank Communication Management.
Table 88:
Authorization Object | Description
F_FEBB_BUK | Company Code Bank Statement
F_REGU_BUK | Automatic Payment: Activity Authorization for Company Codes
13.3.4.1.4 Communication Destinations
The table below shows an overview of the communication destinations used by SAP Bank Communication
Management .
Table 89:
Destination | Delivered | Type | User, Authorizations
INTEGRATION_SERVER | No | RFC | XIAPPLUSER, role SAP_XI_APPL_SERV_USER
LCRSAPRFC | No | RFC | -
SAPSLDAPI | No | RFC | -
These destinations are not application-specific, but they are required for the operation of the Exchange Infrastructure.
13.3.4.1.5 Data Storage Security
Master and transaction data of SAP Bank Communication Management is saved in the database of the SAP
system in which SAP Bank Communication Management is installed.
Access to this data is restricted through authorization object F_STAT_MON. Add this authorization object to the role or user that you use for payment medium creation.
Payment order related transaction data is distributed to connected systems using XI, especially if the optional
Integration Package for SWIFT is used.
Access to data on natural persons in particular is subject to data protection requirements and must be restricted
by assigning authorizations.
Using Logical Path and Filenames to Protect Access to the File System
SAP Bank Communication Management saves data in files in the file system. Therefore, it is important to explicitly provide access to the corresponding files in the file system without allowing access to other directories or files (also known as directory traversal). This is achieved by specifying logical paths and file names in the system that map to the physical paths and file names. This mapping is validated at runtime; if access is requested to a directory that does not match a stored mapping, an error occurs.
The following lists show the logical file names and paths used by SAP Bank Communication Management and the programs for which they apply. In each case the parameter used in this context is the program name.
Logical File Names Used in SAP Bank Communication Management
The following logical file names have been created in order to enable the validation of physical file names:
Logical File Name | Program using this logical file name
FI_RFEBKAT0_FILE | RFEBKAT0
FI_RFEBKATX_FILE | RFEBKATX
FI_RFEBKAT1_FILE | RFEBKAT1
FI_RFEBEST0_FILE | RFEBEST0
FI_RFEBLBT1_FILE | RFEBLBT1
FI_RFEBLBT2_FILE | RFEBLBT2
Logical Path Name Used in SAP Bank Communication Management
The logical file names listed above all use the logical file path FI_FTE_TEST_FILES.
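The mechanism described above, modelled as an added example for this page (it is not SAP's implementation of transaction FILE or of its validation function): the logical file names and the logical path FI_FTE_TEST_FILES are the ones listed, while the physical directory bound to the logical path, the binding of each logical name to exactly one program, and the request values in the demo are assumptions. The template substitution that a real logical file name definition applies (parameter: program name) is left out; the example shows the part that matters for directory traversal, namely that the caller never supplies a path, only a name that is joined to the stored directory and re-checked after normalization.

```python
"""Model of logical path / logical file name validation.  Added example
for this page, not SAP's implementation; the physical directory, the
program binding and the requests in the demo are assumptions."""
import posixpath

# Logical path -> physical base directory (assumed value; in SAP it comes
# from the logical path definition in transaction FILE).
LOGICAL_PATHS = {"FI_FTE_TEST_FILES": "/usr/sap/trans/fi/test_files"}

# Logical file name -> (logical path, program that may use it).  The names
# and programs are the ones the guide lists; the one-to-one binding is an
# assumption made for the example.
LOGICAL_FILES = {
    "FI_RFEBKAT0_FILE": ("FI_FTE_TEST_FILES", "RFEBKAT0"),
    "FI_RFEBKATX_FILE": ("FI_FTE_TEST_FILES", "RFEBKATX"),
    "FI_RFEBKAT1_FILE": ("FI_FTE_TEST_FILES", "RFEBKAT1"),
    "FI_RFEBEST0_FILE": ("FI_FTE_TEST_FILES", "RFEBEST0"),
    "FI_RFEBLBT1_FILE": ("FI_FTE_TEST_FILES", "RFEBLBT1"),
    "FI_RFEBLBT2_FILE": ("FI_FTE_TEST_FILES", "RFEBLBT2"),
}


class FileValidationError(Exception):
    """Raised when a request does not match a stored mapping."""


def resolve_physical_name(program, logical_file, file_name):
    """Return the physical path for file_name under logical_file.

    Rejects unknown logical names, a program using a logical name that is
    not bound to it, file names carrying any path component, and any
    resolved path that leaves the directory bound to the logical path."""
    if logical_file not in LOGICAL_FILES:
        raise FileValidationError(f"unknown logical file name {logical_file}")
    logical_path, owner = LOGICAL_FILES[logical_file]
    if program != owner:
        raise FileValidationError(f"{program} is not allowed to use {logical_file}")
    base = LOGICAL_PATHS[logical_path]
    # Only a bare name is accepted: no separators, no '.'/'..', no NUL, not empty.
    if (not file_name or "/" in file_name or "\\" in file_name
            or "\x00" in file_name or file_name in (".", "..")):
        raise FileValidationError(f"invalid file name {file_name!r}")
    physical = posixpath.normpath(posixpath.join(base, file_name))
    # Defence in depth: even if the name check were weakened later, a path
    # that normalizes outside the base directory is still refused.
    if posixpath.commonpath([base, physical]) != base or physical == base:
        raise FileValidationError(f"{physical} escapes {base}")
    return physical


def is_allowed(program, logical_file, file_name):
    """Boolean form of resolve_physical_name for callers that only need a verdict."""
    try:
        resolve_physical_name(program, logical_file, file_name)
        return True
    except FileValidationError:
        return False


if __name__ == "__main__":
    # Constructed requests: the first is a legitimate statement import, the
    # others are the cases the mapping must refuse.
    requests = [
        ("RFEBKAT0", "FI_RFEBKAT0_FILE", "statement_20170901.txt"),
        ("RFEBKAT0", "FI_RFEBKAT0_FILE", "../../../../etc/passwd"),
        ("RFEBKAT0", "FI_RFEBKAT0_FILE", "/etc/passwd"),
        ("RFEBKATX", "FI_RFEBKAT0_FILE", "statement_20170901.txt"),
        ("RFEBKAT0", "FI_UNKNOWN_FILE", "statement_20170901.txt"),
    ]
    for request in requests:
        try:
            print("allowed", resolve_physical_name(*request))
        except FileValidationError as err:
            print("refused", request, "->", err)
```

The two checks are deliberately redundant: the name check is what refuses traversal, and the prefix check after normalization is the safety net that stays in place if someone later relaxes the name rules to allow subdirectories.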
13.3.4.2 SAP In-House Cash (FIN-FSCM-IHC)
In the following sections you can find information about the specific security functions for the SAP In-House Cash
(FIN-FSCM-IHC) component.
In addition, you can access further information at the following places:
For information about the specific security functions for the component Bank Customer Accounts (IS-B-BCA), see Bank Customer Accounts (BCA) [page 700] in the Banking section.
Reason: SAP In-House Cash (FIN-FSCM-IHC) uses Bank Customer Accounts as the basis for various functions.
For information about the specific security functions for the component Bank Accounting (FI-BL), see Bank Accounting (FI-BL) [page 99] in the Banking section.
Reason: SAP In-House Cash (FIN-FSCM-IHC) uses various functions of Bank Accounting, such as the creation of data media for central payments.
13.3.4.2.1 Security Aspects of Data, Data Flow and Processes
The following sections give an overview of the data flow in the processes of SAP In-House Cash.
Note
The appropriate Security Guides apply for all of the external systems that you require when using the SAP In-
House Cash component. Include these Security Guides in your cross-application security concept.
13.3.4.2.1.1 Internal Payments
The figure below shows an overview of internal payments between two subsidiary companies and the transfer of
the balances to the general ledger.
The table below shows the security aspect to be considered for each process step and the mechanism that applies.
Table 90:
Step | Description | Security Measure
1 | Payment order (IDoc/ALE) | User type: dialog user or technical user
2a | Bank statement (IDoc/ALE) | User type: dialog user or technical user
2b | Bank statement (IDoc/ALE) | User type: dialog user or technical user
3 | General ledger transfer (IDoc/ALE); only relevant if SAP In-House Cash and the head office are running in two different systems | User type: dialog user or technical user
13.3.4.2.1.2 Head Office Payments
The following figure shows an overview of the data flow if the head office takes over the payments for the payables
of a single subsidiary company.
The table below shows the security aspect to be considered for each process step and the mechanism that applies.
Table 91:
Step | Description | Security Measure
1 | Payment order (IDoc/ALE) | User type: dialog user or technical user
2 | Payment order (IDoc/ALE or RFC) | User type: dialog user or technical user
3 | Bank statement (IDoc/ALE) | User type: dialog user or technical user
4 | General ledger transfer (IDoc/ALE); only relevant if SAP In-House Cash and the head office are running in two different systems | User type: dialog user or technical user
Note
The type of communication for the second step depends on your settings. If you have activated the In-House Cash (Enterprise) (IHC_EP) application, then communication is by RFC. Otherwise it is by IDoc/ALE. You can find these settings in Customizing of SAP In-House Cash under Basic Settings → Business Transaction Events/Event Control → Activate SAP Components.
13.3.4.2.1.3 Central Incoming Payments
The figure below shows an overview of an incoming payment that is intended for a subsidiary company of the
head office.
The table below shows the security aspect to be considered for each process step and the mechanism that applies.
Table 92:
Step | Description | Security Measure
1 | Incoming payment via bank statement (RFC) | Access authorization via RFC user
2 | Bank statement (IDoc/ALE) | User type: dialog user or technical user
3 | General ledger transfer (IDoc/ALE); only relevant if SAP In-House Cash and the head office are running in two different systems | User type: dialog user or technical user
13.3.4.2.1.4 Local Payments
The figure below shows an overview of the data flow if a subsidiary company uses the house bank of a different
subsidiary company for its payment that is located in the country of the payment recipient. This avoids having to
make a foreign payment. The process flow is similar to Head Office Payments [page 160] .
The table below shows the security aspect to be considered for each process step and the mechanism that applies.
Table 93:
Step | Description | Security Measure
1 | Payment order (IDoc/ALE) | User type: dialog user or technical user
2 | Payment order (IDoc/ALE) | User type: dialog user or technical user
3 | Bank statement (IDoc/ALE) | User type: dialog user or technical user
4 | General ledger transfer (IDoc/ALE); only relevant if SAP In-House Cash and the head office are running in two different systems | User type: dialog user or technical user
13.3.4.2.2 Authorizations
Standard Roles
The table below shows the standard roles that are used by the SAP In-House Cash component. They contain the
maximum values of the authorizations.
Table 94:
Role | Description | Comments
SAP_CFM_IHC_SUPERVISOR | In-House Cash Supervisor | Relevant for CFM 2.0
SAP_FSCM_IHC_SUPERVISOR | FSCM In-House Cash Supervisor | EA-Finserv 200 onwards
Authorization Objects
The table below shows the security-relevant authorization objects that are used by the SAP In-House Cash
component.
Table 95:
Authorization Object | Description
IHC_ACTION | Authorizations for IHC activities
IHC_ROUTE | Authorizations in route definition
IHC_CMSTAT | Cash Management status of In-House Cash
F_PAYRQ | Authorization object for payment requests
See also the Customizing activities in the SAP Customizing Implementation Guide (IMG) under SAP Reference IMG → Financial Supply Chain Management → In-House Cash → Authorization Management.
13.3.4.3 Cash and Liquidity Management
Network and Communication Security
Communication with external systems is possible using standard interfaces via BAPI, IDoc, and XI.
Communication Destinations
In certain cases, a technical user may be required for the use of BAPIs.
Authorizations
Access is protected by the authorization objects described in Authorizations [page 165].
Internet Communication Framework Security (ICF)
You should only activate those services that are needed for the applications running in your system. For more
information, see Internet Communication Framework Security (ICF) [page 179].
Data Storage Security
You can use logical path and file names to protect access to the file system. For more information, see Data
Storage Security [page 180].
13.3.4.3.1 Authorizations
Cash and Liquidity Management uses the authorization concept delivered by SAP NetWeaver AS for ABAP.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS ABAP
security guide also apply to Cash and Liquidity Management.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For the
role maintenance for ABAP technology, use the profile generator (transaction PFCG).
Standard Roles
The following table shows the standard roles that are used in Cash and Liquidity Management.
Table 96:
Role | Description
SAP_BR_CASH_MANAGER | Business catalog role for cash managers
SAP_BR_CASH_SPECIALIST | Business catalog role for cash specialists
SAP_FIN_ANALIQUIDITYPLAN_APP | Back-end role for liquidity plans
SAP_FIN_DEVLIQUIDITYPLAN_APP | Back-end role for developing liquidity plans
SAP_FIN_LF90DAYS_SMB_APP | Back-end role for liquidity forecast
SAP_FIN_ACF90DAYS_SMB_APP | Back-end role for actual cash flow
SAP_SFIN_CASH_MANAGER | Role for customers who choose to use SAP NetWeaver Business Client (NWBC) as the user interface for Bank Relationship Management
Standard Authorization Objects
The following table shows the security-relevant authorization objects that are used in Cash and Liquidity
Management.
Table 97:
Each entry below lists the Authorization Object, its Authorization Fields (with prescribed values where the guide gives them), the Permitted Activities, and the Description.

Authorization Object: B_BUPA_RLT (Business Partner: BP Roles)
Authorization Fields: ACTVT; RLTYP (BP Role Type)
Permitted Activities: 01 Create or generate; 02 Change; 03 Display
Description: With this authorization object, you define which BP roles can be edited.

Authorization Object: B_BUPR_BZT (Business Partner Relationships: Relationship Categories)
Authorization Fields: ACTVT; RLTYP (BP Role Type)
Permitted Activities: 01 Create or generate; 02 Change; 03 Display; 06 Delete
Description: With this authorization object, you establish which relationship categories can be processed.

Authorization Object: B_BUPR_GRP (Business Partner: Authorization Groups)
Authorization Fields: ACTVT; BERGU
Permitted Activities: 03 Display
Description: With this authorization object, you define which business partners with specific authorization groups can be displayed.

Authorization Object: CA_POWL (Authorizations for the Personal Object Worklist (POWL) iViews)
Authorization Fields and Values:
● POWL_APPID = POWL-FCLM-BAM-INBOX-WI: Application ID of the POWL iView (as specified in Application Parameters in the iView properties).
● POWL_CAT = 03: The user is not allowed to reassign queries or change the query order.
● POWL_LSEL: Determines whether the user is allowed to select the layout style (either one entry in a hyperlink matrix or one tab strip per query) for the POWL iView.
● POWL_QUERY = 01, 02, 03:
○ 01: The user is allowed to create, change, and delete own queries for all POWL object types assigned to him (see Customizing tables POWL_TYPE_USR and POWL_TYPE_ROL).
○ 02: The user is only allowed to create own queries on the basis of admin queries assigned to him via Customizing tables POWL_TYPE_USR and POWL_TYPE_ROL respectively. (Note: this is also subject to the user - POWL object type assignments.)
○ 03 (and other values): The user is only allowed to change admin queries assigned to him within the select-option restrictions of those admin queries (thus transparently creating one own "derivation" per admin query).
● POWL_RA_AL: Determines whether the user gains access to a "Refresh all" button, which triggers a parallelized refresh of all queries that are active on the POWL iView identified by POWL_APPID. Note that this may cause high system load on the application server group used for refreshes on this POWL iView.
● POWL_TABLE: Determines whether the user is allowed to personalize the query result table settings (define column order, hide columns, etc.).
Authorization Object: F_BNKA_MAN (Banks: General Maintenance Authorization)
Authorization Fields: ACTVT
Permitted Activities: 01 Create or generate; 02 Change; 03 Display
Description: This object controls the authorizations for maintaining bank master data.

Authorization Object: F_CLM_BAM (Authorization for Bank Account Management)
Authorization Fields: ACTVT; FCLM_ACTY (Bank Account Type ID); FCLM_BUKRS (Company Code); FCLM_GSBER (Business Area); FCLM_KOKRS (Controlling Area); FCLM_PRCTR (Profit Center); FCLM_SGMT (Segment for Segmental Reporting)
Permitted Activities:
● 01 Create or generate: Create new bank account master records
● 02 Change: Change bank account master records
● 03 Display: Display bank account master records
● 06 Delete: Delete inactive bank account master records
● 31 Confirm: Review bank account master records
● 63 Activate: Activate a bank account revision in dual control mode
● 69 Discard: Close bank accounts
● C5 Reopen: Reopen a closed bank account
Description: This authorization object is used for controlling the authorizations of bank account master data maintenance. This authorization object is assigned to the standard role Cash Manager by default. If you rely on dual control, do not grant activities 02 (Change) and 63 (Activate) to the same user, since one person could then both revise and activate a bank account.
Authorization Object: F_CLM_BAH2 (Bank Account Hierarchy)
Authorization Fields: ACTVT; HIERTYPE (Hierarchy Type); PUBLICHIER (Public Flag for Hierarchy)
Permitted Activities: 01 Create or generate; 02 Change; 03 Display; 06 Delete
Description: This authorization object is used for controlling the authorizations of bank hierarchy and bank account group maintenance.

Authorization Object: F_CLM_UP (Authorization for Import and Export Bank Accounts)
Authorization Fields: ACTVT
Permitted Activities: 01 Create or generate: Create or update bank account master data
Description: This authorization object controls the authorization to use the Import and Export Bank Accounts tool to create or update bank account master data by importing bank accounts from an XML file.

Authorization Object: F_BNKA_MAO (Banks: General Maintenance Authorization by Country)
Authorization Fields: ACTVT; BBANKS (Bank country)
Permitted Activities: 01 Create or generate; 02 Change; 03 Display
Description: This authorization object controls the authorizations for maintaining bank master data. The authorizations can be assigned according to the country.

Authorization Object: F_STAT_MON (Bank Relationship: Status Monitor authorizations)
Authorization Fields and Values:
● BNK_ACT = READ: Read and display batch or batch item.
● BNK_RULE: Rule ID.
● BNK_ITMDET (Action on item level allowed: display, reject, resubmit) = *: Display and process on item level (marked) or only on batch level (not marked). Note that field BNK_ITMDET determines whether or not the user is authorized to display, reject, or return single payments contained in a batch.
Description: In the transactions to monitor and approve payment batches, this authorization object controls which batches the user is allowed to display or to process.
Authorization Object: F_BNKA_BUK (Banks: Authorization for Company Codes)
Authorization Fields: ACTVT; BUKRS (Company code)
Permitted Activities: 02 Maintain (create or change); 03 Display
Description: This object controls the authorizations for maintaining house banks and bank accounts in a company code.

Authorization Object: F_REGU_BUK (Automatic Payment: Activity Authorization for Company Codes)
Authorization Fields: BUKRS (Company Code); FBTCH (Action for Automatic Procedures in Financial Accounting)
Permitted Activities: FBTCH = 23 Maintain
Description: Using this authorization object, you determine which activities are allowed for the payment program. The object consists of the Company Code and Activity fields. You can call up the possible keys for the Activity field with the Environment menu option in the request screen of the payment program.

Authorization Object: F_FEBB_BUK (Company Code Bank Statement)
Authorization Fields: ACTVT; BUKRS (Company code)
Permitted Activities: 03 Display
Description: This authorization object controls the authorizations for maintaining bank statements in a company code. A user who wants to display bank statement reports using Cash and Liquidity Management needs bank statement display authorization. This authorization object is assigned to the standard role Cash Manager by default.

Authorization Object: F_FDES_BUK (Cash Management and Forecast: Company Code Memo Records)
Authorization Fields: ACTVT; BUKRS (Company code) = $BUKRS
Permitted Activities: 01 Create or generate; 02 Change; 03 Display
Description: With this authorization object, you can check the authorizations to maintain Cash Management and Forecast payment advice and planned items in a company code.

Authorization Object: F_FDES_GSB (Cash Management and Forecast: Business Area Memo Records)
Authorization Fields: ACTVT; GSBER (Business Area) = $GSBER
Permitted Activities: 01 Create or generate; 02 Change; 03 Display
Description: With this authorization object, you can check the authorizations to maintain Cash Management and Forecast payment advice and planned items in a business area (not business area SPACE). At this level you define whether a user may create, change or display individual payment advice or planned items of a business area.
Authorization Object: F_FDSB_BUK (Cash Position: Company Code Summary Records)
Authorization Fields: ACTVT; BUKRS (Company Code) = $BUKRS
Permitted Activities: 01 Create or generate; 02 Change; 03 Display; 16 Execute
Description: With this authorization object, you control the authorizations to maintain summary records for the cash management position (Cash Management) in a company code. At this level you define whether a user may create, change or display summary records of a company code. Display authorization is needed to display the cash management position of a company code.

Authorization Object: F_FDSB_GSB (Cash Position: Business Area Summary Records)
Authorization Fields: ACTVT; GSBER (Business Area) = $GSBER
Permitted Activities: 03 Display
Description: This object controls the authorizations to maintain the summary records for the cash management position (Cash Management) in a business area (except for business area BLANK).

Authorization Object: F_FDSR_BUK (Liquidity Forecast: Company Code Summary Records)
Authorization Fields: ACTVT; BUKRS (Company Code) = $BUKRS
Permitted Activities: 03 Display; 16 Execute
Description: With this authorization object, you control the authorizations to maintain the liquidity forecast (Cash Forecast) summary records in a company code. At this level you define whether a user may display or execute liquidity forecast summary records of a company code. Display authorization is necessary for displaying the liquidity forecast.
Authorization Object: F_FDSR_GSB (Liquidity Forecast: Business Area Summary Records)
Authorization Fields: ACTVT; GSBER (Business Area) = $GSBER
Permitted Activities: 03 Display
Description: With this authorization object, you control the authorizations to maintain the liquidity forecast (Cash Forecast) summary records in a business area (except for business area BLANK). At this level you define whether a user may display or execute liquidity forecast summary records of a business area. Display authorization is necessary for displaying the liquidity forecast of a business area.

Authorization Object: F_BKPF_BUK (Accounting Document: Authorization for Company Codes)
Authorization Fields: ACTVT; BUKRS (Company Code) = $BUKRS
Permitted Activities: 03 Display
Description: With this authorization object, you determine in which company codes documents can be processed. An employee can only call up the functions for posting if they have this authorization in at least one company code. The object consists of the Company code and Activity fields. You take the possible input values for the Activity field from table TACTZ.

Authorization Object: F_KNA1_GEN (Customer: Central Data)
Authorization Fields: ACTVT
Permitted Activities: 03 Display
Description: This authorization object controls which activities are permitted for the general data. The general data consists of the fields that are independent of the company code and the sales organization.

Authorization Object: F_LFA1_GEN (Vendor: Central Data)
Authorization Fields: ACTVT
Permitted Activities: 03 Display
Description: This authorization object controls which activities are permitted for the general data. The general data consists of the fields that are independent of the company code and the sales organization.
Authorization Object: F_PAYRQ (Authorization Object for Payment Requests)
Authorization Fields: ACTVT; BUKRS (Company Code) = $BUKRS; ORIGIN (Origin Indicator) = TR-CM-BT
Permitted Activities: 01 Create or generate; 02 Change; 03 Display; 43 Release; 85 Reverse
Description: This authorization is used when payment requests are created, displayed, and reversed. The Release (43) activity is also checked after the corresponding activation according to SAP Note 2150759.

Authorization Object: F_REGU_KOA (Automatic Payment: Activity Authorization for Account Types)
Authorization Fields: KOART (Account type) = $KOART; FBTCH (Action for Automatic Procedures in Financial Accounting)
Description: Using this authorization object, you determine which activities are allowed for the payment program for which account types (D for customer, K for vendor, and S for G/L accounts). The object consists of the Account type and Activity fields. You can call up the possible keys for the Activity field with the Environment menu option in the request screen of the payment program.

Authorization Object: FQM_FLOW (Financial Quantity Management)
Authorization Fields: ACTVT; BUKRS (Company Code); FQM_ORIGAP (Source Application)
Permitted Activities: 01 Create or generate; 03 Display; 06 Delete; 25 Reload
Description: With this authorization object, you can control the access to the data stored in the One Exposure from Operations hub.
Authorization Object: S_RS_COMP (Business Explorer - Components)
Authorization Fields and Values:
● ACTVT: 16 Execute
● RSINFOAREA = 2O-FI: InfoArea; determines which InfoAreas a given user is allowed to process.
● RSINFOCUBE = 2CILFOBALWLIBAL: InfoCube; determines which InfoCubes a given user is allowed to process.
● RSZCOMPTP = REP: Component type; determines which components a given user is allowed to process.
● RSZCOMPID = 2CCLFCASTANLYTS: Name (ID) of a reporting component; determines which components (according to name) a given user is allowed to process.
Description: With this authorization object, you can restrict the components that you work with in the Business Explorer query definition.

Authorization Object: S_RS_COMP1 (Business Explorer - Components: Enhancements to the Owner)
Authorization Fields and Values:
● ACTVT: 16 Execute
● RSZCOMPID = 2CCLFCASTANLYTS: Name (ID) of a reporting component; determines which components (according to name) a given user is allowed to process.
● RSZCOMPTP = REP: Type of reporting component; determines which component types the user is allowed to edit.
● RSZOWNER = *: Reporting component owner; determines whose components the user is allowed to edit.
Description: With this authorization object, you can restrict query component authorization with regard to the owner. This authorization object is checked in conjunction with the authorization object S_RS_COMP.

S_SERVICE (Check at Start of External Services)
Field ACTVT:
● 16 Execute
Field SRV_NAME (Hash value of the external service):
● 84A2886C6DA699EF0F0F4083ADC455
● C_LFCASTANALYTICS_CDS 0001
● AB088B10113EAC3BC6349F4E933053
● /SSB/SMART_BUSINESS_RUNTIME_SRV 0001
Field SRV_TYPE (Type of the external service): TADIR OBJECT
Description: This authorization object is automatically checked when external services are started (not yet for all service types). The Profile Generator automatically assigns authorizations if an external service is entered in a role menu.

S_RS_AO (Authorization for Liquidity Planning in Analysis Office)
Authorization fields: RSAP_OBJID (Analysis Office Technical Name); RSAO_OBJTY (Analysis Client Object Type); RSZOWNER (Owner (Person Responsible) for a Reporting Component); ACTVT
Permitted activities (ACTVT):
● 01 Create or generate
● 02 Change
● 03 Display
● 06 Delete
● 16 Execute
Description: You can use this authorization object to define user authorizations for using Liquidity Planning in SAP BusinessObjects Analysis, edition for Microsoft Office.

S_RS_AUTH (BI Analysis Authorizations in Role)
Field BIAUTH: 0F_AUTH_RP1
Description: This authorization object is used to make analysis authorizations available in the SAP NetWeaver standard roles. The values in field BIAUTH are authorization names from the analysis authorizations. They can be selected using input help (F4).

RSBPC_BBPF (Manage and use BPF)
Field ACTVT:
● 03 Display
● 16 Execute
● 23 Maintain
Field RSBPC_APPS (Environment ID): 0FCLM_LP_ENV
Field RSBPC_TMPL (BPF Template ID): FCLM_LP_PROCESS
Description: With this authorization object, you can define the authorizations of business process flow.

RSBPC_ENVM (Manage environment)
Field ACTVT:
● 03 Display
● 23 Maintain
Field RSBPC_APPS (Environment ID): 0FCLM_LP_ENV
Description: Authorization object that is checked when an environment is viewed or maintained.

RSBPC_ID (Grant user access to a BPC environment)
Field RSBPC_APPS (Environment ID): 0FCLM_LP_ENV
Description: Authorization object that is checked when it is necessary to find out whether a user is assigned to an environment.

RSBPC_MODL (Manage model)
Field ACTVT:
● 03 Display
● 23 Maintain
● A3 Change status
Field RSBPC_APPS (Environment ID): 0FCLM_LP_ENV
Field RSBPC_APPL (Model ID): FCLM_LP_PROCESS
Description: Authorization object that is checked when a model is viewed or maintained.

RSBPC_TEAM (Manage team)
Field ACTVT:
● 03 Display
● 23 Maintain
Field RSBPC_APPS (Environment ID): 0FCLM_LP_ENV
Field RSBPC_TEAM (Team ID): *
Description: Authorization object that is checked when a team is viewed or maintained.

RSBPC_USER (Manage and use User)
Field ACTVT:
● 03 Display
● 23 Maintain
Field RSBPC_APPS (Environment ID): 0FCLM_LP_ENV
Field RSBPC_USER (User ID): *
Description: Authorization object that is checked when a user is viewed or maintained.

RSBPC_WKSP (Manage resource)
Field ACTVT:
● 03 Display
● 23 Maintain
Field RSBPC_APPS (BPC: Environment ID): 0FCLM_LP_ENV
Field RSBPC_FLDR (BPC: Folder authorization): *. Possible values:
● PUBLIC: Live report
● NON_PUBLIC: Input form
Field RSBPC_RSTY (BPC: Resource Type): *. Possible values:
● LIVE_REPORT: Live report
● INPUT_FORM: Input form
● SUB_FOLDER: Subfolder
● EXCEL_INPUT_FORM: Input form in Microsoft Excel
● EXCEL_REPORT: Report in Microsoft Excel
● ACTIVITY_WORKSPACE: Workspace
● LINK: Link
● DASHBOARD: Dashboard
● WORKBOOK: Workbook
● BOOKS: Published books
● DOCUMENT: Assign the user the authorization to upload files
● DISTRIBUTION: "Distribution" folder under team folder
● EEXCEL: "EExcel" folder under public folder for EPM add-in
● PUBLICATION: "Publication" folder under team folder
● XLTX: Book template
Description: With this authorization object, you can define the authorizations of resources, including reports, input forms, work spaces and so on.

S_BTCH_JOB (Background Processing: Operations on Background Jobs)
Field JOBGROUP (Summary of jobs for a group): $JOBGROUP
Field JOBACTION (Job Operations):
● DELE: Delete other users' background jobs.
● LIST: Not used
● MODI: Modify other users' jobs.
● PLAN: Copy or repeat other users' jobs
● PROT: (No check)
● RELE: Release jobs (including your own)
● SHOW: Display definitions of other users' jobs
Description: The authorization object consists of the authorization fields JOBACTION and JOBGROUP. JOBGROUP must always have the value *. Each of the JOBACTION values permits the user to perform different operations on jobs. A user WITHOUT ANY specific authorization for jobs may perform the following actions:
● Schedule jobs for which the job class is C and cannot be changed.
● View and change steps of his or her own jobs.
● Delete his or her own jobs.
● View the job details of his or her own jobs.
If a user has an authorization for the object S_BTCH_ADM, he or she has full authorization for all jobs of all users.

S_PROGNAM (Generic Program Start)
Field P_ACTION (User Action in ABAP Program): BTCSUBMIT
Field P_PROGNAM (Program Name with Search Help):
● /ATL/F110_SCHEDULE_AFTER_RUN
● RBNK_PAYM_GRP_N_BATCH
● SAPF111S
● SAPFPAYM_MERGE
● SAPFPAYM_SCHEDULE
Description: The object is used to supplement the start authorization check for programs. Authorizations for this object are checked exclusively with method CL_SABE=>AUTH_CHECK_PROGNAM() in the context of scenarios for switchable authorizations (maintenance transaction SACF). The check does not take place with each submit command, but only if the method is explicitly called. If the associated scenario is activated, all programs are checked in addition to the existing authorization checks (for example, with authorization groups). You can assign authorizations for the following activities:
● Starting a program
● Scheduling a program to run as a background job.
● Delete his or her own jobs.
● Defining variants
13.3.4.3.2 Internet Communication Framework Security (ICF)
You should only activate those services that are needed for the applications running in your system. For Cash and
Liquidity Management, the following services are needed:
● Web Dynpro services
○ WDA_FCLM_BAM_ACC_MASTER
○ WDA_FCLM_BAM_ACC_REVIEW
○ WDA_FCLM_BAM_ADAPT_SIGN
○ WDA_FCLM_BAM_BANK_DATA
○ WDA_FCLM_BAM_CHGREQ
○ WDA_FCLM_BAM_HIERARCHY
○ WDA_FCLM_BAM_HIER_BP
○ WDA_FCLM_BAM_HIER_MAINTAIN
○ WDA_FCLM_BAM_MASS_CHANGE
○ WDA_FCLM_BAM_REVIEW_REPORT
○ WDA_FCLM_BAM_REQOVERVIEW
○ WDA_FCLM_REPORT
○ WDA_FCLM_UPLOAD_DOWNLOAD
○ WDA_FCLM_BAM_SENTITEMS
○ WD_FCLM_FPM_OVP_CFA
○ WD_FCLM_FPM_OVP_FD
○ WD_FCLM_FPM_OVP_FO
● Workflow services
○ ibo_wda_inbox
○ swf_formabsenc
○ swf_workplace
○ UCT_DISPLAY_DOCUMENT
○ UCT_DISPLAY_INBOX
○ UCT_DISPLAY_SIGNOFF
○ UCT_DISPLAY_CHANGE
○ USMD_CREQUEST_PROTOCOL2
○ USMD_SSW_RULE
○ USMD_WF_NAVIGATION
● POWL services
○ POWL
○ POWL_COLLECTOR
○ powl_composite
○ POWL_EASY
○ POWL_ERRORPAGE
○ POWL_MASTER_QUERY
○ POWL_PERS_COMP
Use the transaction SICF to activate these services. If your firewalls use URL filtering, also note the URLs used for
the services and adjust your firewall settings accordingly. For more information about ICF security, see the
respective chapter in the SAP NetWeaver Security Guide.
13.3.4.3.3 Data Storage Security
Using Logical Paths and File Names to Protect Access to the File System
Cash and Liquidity Management saves data in files in the file system. Therefore, it is important to explicitly provide
access to the corresponding files in the file system without allowing access to other directories or files (also
known as directory traversal). This is achieved by specifying logical paths and file names in the system that map
to the physical paths and file names. This mapping is validated at runtime and if access is requested to a directory
that does not match a stored mapping, then an error occurs.
The following list shows the logical paths and file names that are used in Cash and Liquidity Management and the
programs for which these file names and paths apply. The logical paths and file names have been created to
activate the validation of physical file names:
Logical file names used in Cash and Liquidity Management:
● FCLM_CM_MEMO_RECORD_EXPORT
○ Name of the program that uses this logical file name:
RFTS6510_CREATE_STRUCTURE (transaction RFTS6510CS)
○ Parameters used in this context:
No parameters
○ Logical path name:
FCLM_CM_MEMO_RECORD_EXPORT
● FCLM_CM_MEMO_RECORD_IMPORT
○ Name of the program that uses this logical file name:
RFTS6510 (transaction RFTS6510)
○ Parameters used in this context:
No parameters
○ Logical path name:
FCLM_CM_MEMO_RECORD_IMPORT
Activating the Validation of Logical Paths and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-dependent). To determine
which paths are used by your system, you can activate the appropriate settings in the Security Audit Log.
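As an added illustration (not SAP code), the following Python model shows what the runtime validation of a logical file name amounts to: the physical name a program asks for is resolved against the directory stored for the logical path, and any name that lands outside that directory, for example through "..", is rejected. The two logical names are the ones listed above; the physical directories are constructed sample values standing in for the mapping maintained in transaction FILE or SF01, and the validation_active switch models the delivered default in which the check is off.

```python
"""Model of the logical-to-physical file name validation described above.

Added example, not SAP code. The logical file and path names are the ones
listed for Cash and Liquidity Management; the physical directories are
constructed sample values standing in for the mapping maintained in
transaction FILE / SF01.
"""
import posixpath

# Logical file name -> logical path name (as listed in the guide).
LOGICAL_FILES = {
    "FCLM_CM_MEMO_RECORD_EXPORT": "FCLM_CM_MEMO_RECORD_EXPORT",
    "FCLM_CM_MEMO_RECORD_IMPORT": "FCLM_CM_MEMO_RECORD_IMPORT",
}

# Logical path name -> physical directory (constructed sample mapping).
LOGICAL_PATHS = {
    "FCLM_CM_MEMO_RECORD_EXPORT": "/usr/sap/trans/memo/export",
    "FCLM_CM_MEMO_RECORD_IMPORT": "/usr/sap/trans/memo/import",
}


class LogicalFileNotFound(Exception):
    """The program used a logical file name that is not defined."""


class ValidationFailed(Exception):
    """The requested physical name does not match the stored mapping."""


def validate_physical_name(logical_file, physical_name, validation_active=True):
    """Return the resolved physical name, or raise if it leaves the mapped directory.

    With validation_active=False (the delivered default, kept for downward
    compatibility) the name is passed through unchecked; this is the state in
    which a name such as '../import/x' would reach the file system.
    """
    if logical_file not in LOGICAL_FILES:
        raise LogicalFileNotFound(logical_file)
    if not validation_active:
        return physical_name
    base = LOGICAL_PATHS[LOGICAL_FILES[logical_file]]
    # A relative name is resolved against the mapped directory, an absolute
    # name replaces it, and normpath collapses '..' segments, so the check
    # below sees the directory that would actually be opened.
    candidate = posixpath.normpath(posixpath.join(base, physical_name))
    # Only files directly inside the mapped directory are acceptable: no
    # parent directory, no sibling directory, no subdirectory.
    if posixpath.dirname(candidate) != base:
        raise ValidationFailed(f"{physical_name!r} resolves to {candidate}, outside {base}")
    return candidate


def is_allowed(logical_file, physical_name, validation_active=True):
    """True if the request would be served, False if the validation rejects it."""
    try:
        validate_physical_name(logical_file, physical_name, validation_active)
        return True
    except (LogicalFileNotFound, ValidationFailed):
        return False


if __name__ == "__main__":
    # Constructed requests, as a program using the export file name might issue them.
    for name in ("memo_records.txt", "../import/memo_records.txt",
                 "/usr/sap/trans/other/x.txt", "sub/x.txt"):
        print(f"{name:32} active={is_allowed('FCLM_CM_MEMO_RECORD_EXPORT', name)} "
              f"inactive={is_allowed('FCLM_CM_MEMO_RECORD_EXPORT', name, False)}")
```

The last column of the printout is the point of the activation step: with validation inactive every request passes, with it active only the file in the mapped directory does.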
13.3.4.3.4 Data Protection
13.3.4.3.4.1 Deletion of Personal Data
Use
Cash and Liquidity Management might process data (personal data) that is subject to the data protection laws
applicable in specific countries.
You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data.
With Cash and Liquidity Management, SAP provides where-used checks (WUC) for you to identify data that are no
longer in use.
For information about the Customizing of blocking and deletion, see Configuration: Simplified Blocking and
Deletion.
Relevant Application Objects and Available Deletion Functionality
Cash and Liquidity Management itself does not directly use SAP ILM. But the integrated source applications,
which have to comply with retention periods, use SAP ILM to support the deletion of personal data.
Cash and Liquidity Management, however, provides the program Aggregate Flows, which helps to reduce the data
volume in database table FQM_FLOW for One Exposure from Operations.
Table 98:
Application: One Exposure from Operations
Detailed Description: You use this transaction to delete flows with certainty level ACTUAL in One Exposure and substitute them with aggregation flows. They then no longer contain any person-related information. For more information, see the corresponding program documentation.
Provided Deletion Functionality: FQM_AGGREGATE_FLOWS
Where-Used Check (WUC)
A where-used check is a simple check to ensure data integrity in case of potential blocking. The checks in Cash
and Liquidity Management check whether any dependent data for a certain business partner exists in the related
tables.
If dependent data exists, that is, if the data is still required for business activities, the system does not block a
certain BP. If you still want to block the data, the dependent data must be deleted by using the existing archiving
and deletion tools or by using any other customer-specific solution.
Relevant Application Objects and Available EoP/WUC functionality
For the following application object, a where-used check (WUC) supporting the blocking of business partner
master data is available:
Table 99:
Application: One Exposure from Operations
Related Table: FQM_FLOW
Implemented Solution (EoP or WUC): WUC with function module FQM_BUPA_WUC_CHECK

Application: Bank Relationship Management
Related Tables: FCLM_BAM_AMD, FCLM_BAM_BNKABP2
Implemented Solution (EoP or WUC): WUC with function module FIN_FSCM_CLM_BAM
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business data in Customizing for Cross-
Application Components under Data Protection.
● Define the settings for authorization management under Cross-Application Components > Data Protection > Authorization Management.
● Check the following settings for blocking in Customizing for Cross-Application Components under Data Protection > Blocking and Unblocking of Data > Business Partner.
○ Under Register Application Names for EoP Check (view V_BUTEOPAPP) you find One Exposure from Operations (FQM).
○ Under Define Application Function Modules Registered for EoP Check (view V_BUTEOPFM) you find a list of application function modules. Each application that consumes business partners has registered its function module in this view. These function modules are called by the blocking/unblocking report when performing the end-of-purpose checks.
○ FQM: Function module FQM_BUPA_WUC_CHECK
○ Bank Account Management: Function module FIN_FSCM_CLM_BAM
For more information about configuration, see the Customizing documentation.
13.3.4.4 SAP Treasury and Risk Management
● Network and Communication Security
Communication with external systems is possible using standard interfaces via BAPI, IDoc, XI and BAdIs.
● Communication Destinations
In certain cases a technical user may be required for applying BAPIs.
● Data Storage Security
○ SAP Treasury and Risk Management accesses financial transaction data that can be particularly sensitive.
Access is protected by the authorization objects described in the Authorizations [page 183] section.
○ Using Logical Path and Filenames to Protect Access to the File System [page 204]
● Additional Security-Relevant Information
All authorizations are managed by means of roles and profiles.
In addition, you can further increase the system security by making a number of Customizing settings such as
trader authorizations, posting release settings and a lot of other release workflows for objects like hedging
relationships, correspondence objects or exposure positions. However, the authorization check itself must
always be run on the basis of roles and profiles.
13.3.4.4.1 Authorizations
Standard Roles
The table below shows the standard roles that are used by the SAP Treasury and Risk Management.
Table 100:
Role Description
Business Roles for SAP Fiori Launchpad
SAP_BR_TREASURY_RISK_MANAGER Treasury Risk Manager
SAP_BR_TREASURY_SPECIALIST_FOE Treasury Specialist - Front Office
SAP_BR_TREASURY_SPECIALIST_MFOE Treasury Specialist - Middle Office
SAP_BR_TREASURY_SPECIALIST_BOE Treasury Specialist - Back Office
SAP_BR_TREASURY_ACCOUNTANT Treasury Accountant
Roles in Backend
SAP_TRM_ADMINISTRATOR Treasury Administrator
SAP_TRM_DEALER Trader
SAP_TRM_LIMIT_MANAGER Limit Manager
SAP_TRM_RISK_CONTROLLER Risk Controller
SAP_TRM_TM_BACKOFFICE_PROCES Back Office Processor
SAP_TRM_TM_FUND_MANAGER Fund Manager
SAP_TRM_TM_STAFF_ACCOUNTANT Staff Accountant
SAP_TRM_TM_TRADE_CONTROLLER Trade Controller
SAP_TRM_TREASURY_MANAGER Treasury Manager
Transaction Roles
Table 101:
Role: SAP_AUDITOR_BA_CFM (AIS – Audit Information System)
Description: Allows evaluations in Treasury to be collected, structured and preset. The required menu forms part of this role. The relevant authorization role is SAP_AUDITOR_BA_CFM_A (AIS – Authorizations for SAP Applications (Excluding HR)).

Role: SAP_AUDITOR_TAX_TR (AIS – Audit Information System Transaction Role)
Description: Provides the collection, structuring, and presetting of evaluations in Treasury for tax auditing purposes. The required menu forms part of this role. The relevant authorization roles are SAP_AUDITOR_TAX_TR_A (AIS – Tax Auditor TR (Authorizations)) and SAP_AUDITOR_TAX_A (AIS – Tax Auditor Central Functions (Authorizations)).
Authorization Roles
Table 102:
Role: SAP_AUDITOR_BA_CFM_A (AIS – Audit Information System)
Description: Allows read-only access for the business audit in Treasury. The relevant transaction role is SAP_AUDITOR_BA_CFM (AIS – Transactions for SAP Applications (Excluding HR)).

Role: SAP_AUDITOR_TAX_TR_A (AIS – Audit Information System)
Description: Grants read-only access to tax auditors. The relevant transaction role is SAP_AUDITOR_TAX_TR (AIS – Tax Audit Treasury).

An extended authorization check is performed with the roles SAP_AUDITOR_TAX_TR and SAP_AUDITOR_TAX_TR_A.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by the SAP Treasury and Risk
Management (class TRTM Treasury Management).
Standard Authorization Objects
Table 103:
Authorization Object Permitted Activities Description
CMM_ESTIME
Permitted activities: 01 Create or Generate, 02 Change, 03 Display, 06 Delete
Description: This authorization object enables you to restrict who can create, edit, delete, or display exception end-of-day snapshot definitions.

CMM_STIME
Permitted activities: 01 Create or Generate, 02 Change, 03 Display, 06 Delete
Description: This authorization object enables you to restrict who can create, edit, delete, or display end-of-day snapshot definitions.

T_ASGTTMPL (Acct Assignment Templates)
Permitted activities: 02 Change

IDCFM_FRAM (Amortized Costs)
Permitted activities: 01 Display, 03 Update
Description: Authorization object for amortized cost function.

T_RMOB_AUG (Application Objects for CFM/Banking Analysis)
Permitted activities: 01 Create or generate, 02 Change, 03 Display, 06 Delete, 21 Transport
Description: This authorization object controls authorization for editing and using different settings within CFM/Banking Analysis (e.g. evaluation type, scenario, portfolio hierarchy).

T_POS_ASS (Assign Attributes to Positions)
Permitted activities: 01 Create or generate, 02 Change, 03 Display
Description: This object checks if the user is allowed to create, change (delete), or display position attributes. These attributes are the position's account assignment reference and the position management procedure. You can control the authorization for each Accounting code, valuation area, and product type. The check for assignment of the position management procedure is carried out when a position is created either manually or automatically. The check for assignment of the account assignment reference is carried out with the first posting to the position or when the account assignment reference is manually assigned to the position.

T_TLR_REP (Authorization for Legal Report Type)
Permitted activities: 02 Change, 03 Display, 70 Administer
Description: With this authorization object, you define user-specific authorizations for activities concerning trade repository objects.
Use in function:
● Trade Repository Monitor (transaction FTR_TARO_MONITOR)
● Update Trade Repository Objects (transaction FTR_TARO_PROCESS)
● Send Trade Repository Objects (transaction FTR_TARO_SEND)
● Import Incoming Messages (transaction FTR_TARO_IMPORT)
● Report R_TLR_TARO_STATUS_REMARK (Update the Status or the Text in the Field Remark of TAROs)

T_DEAL_PD (Authorization for Product/Transaction Types)
Permitted activities: 01 Create or generate, 02 Change, 03 Display, 06 Delete, 16 Execute, 38 Perform, 43 Release, 48 Simulate, 83 Counterconfirm, 85 Reverse, AB Settle, KI Knock In, KO Knock Out, KU Give notice, PR Process Correspondence, PS, VF Expired
Description: With this authorization object, you determine for a user which functions and activities he is allowed to execute for a product and transaction type within a company code.
Use in functions: All transactions of the Transaction Management (Trade, Back Office) of the Transaction Manager (FSCM-TRM-TM) which create or maintain financial transactions, including the BAPIs.

T_IGT_DEAL (Authorization for Product/Transaction Types for IGT)
Permitted activities: 01 Create or generate, 02 Change, 03 Display, 06 Delete, 10 Post
Description: With this authorization object, you determine which functions and activities are allowed for a product and transaction type in a company code for Intragroup transactions [within Edit Intragroup Transactions (transaction TRIG_IGT)].

T_DEAL_DP (Authorization for Securities Account)
Permitted activities: 01 Create or generate, 02 Change, 03 Display, 06 Delete, 16 Execute, 43 Release, 48 Simulate, 85 Reverse, PR Process Correspondence, PS
Description: With this authorization object, you determine which functions and activities are allowed for a securities account in a company code.
Use in functions:
● TRS_SEC_ACC – Edit Securities Account
● FWDP – Securities Account List
● TS09 – Define Default Values

T_DEAL_AG (Authorization for an Authorization Group)
Permitted activities: 01 Create or generate, 02 Change, 03 Display, 06 Delete, 16 Execute, 43 Release, 48 Simulate, 85 Reverse, PR Process Correspondence, PS
Description: With this authorization object, customer-specific authorization checks can be carried out if necessary in addition to the objects
● T_DEAL_DP
● T_DEAL_PF
● T_DEAL_PD
Application examples:
● A trader should only be allowed to display/process department-related orders.
● A clerk should not be allowed to display/process an employee loan.

T_EXT_SEC (Authorization for external security account)
Permitted activities: 01 Create or generate, 02 Change, 03 Display, 06 Delete
Description: Authorization object for maintaining external securities account statements.

T_RIGHTS (Authorization to Exercise Options)
Permitted activities: 03 Display, 38 Perform, 48 Simulate, 85 Reverse
Description: The authorization object T_RIGHTS is required for exercising security rights in the securities area of the Transaction Manager. The system checks the object T_RIGHTS in the application function for exercising security rights (path: Transaction Manager > Securities > Trading > Security Right > Exercise / Reverse).

T_BP_USED (Business Partner: Authorization for Where-Used List)
Description: Prior to calling up the where-used list of the business partner from dialog maintenance, or with incoming telephone calls, a check is made as to whether the user has the authorization to display the use of a business partner in a particular application. If this is not the case, the user is not offered the corresponding application to see how the business partner is used. The partner number and assignment category fields are requested. The assignment category defines the application being used by the business partner (for example, Real Estate, Money Market, Loans). The assignment categories can be displayed with the V_TPR1 view.

T_BP_USEDT (Business Partner: Where-Used List Authorization (Decoupling))

T_FTI_LDB (CFM Position Management Reporting Using Logical Databases)
Description: You use this authorization object to assign authorizations for CFM position management reporting using logical databases.

T_CML_ARCH (CML: Authorization in Loans Archiving Area)
Permitted activities: 03 Display, 24 Archive, 25 Reload, 33 Read, 56 Display archive, 57 Save archive
Description: When you select a transaction, the system checks whether the function may be executed and in which company codes the system is permitted to process documents.

T_RMCHAR_V (Characteristic Values in Risk Management Reports)
Description: You can use this authorization object to define for which financial objects a user can run particular evaluations. The authorization is based on characteristic values.
Defined fields:
● Report Category: The report category describes the business purpose of the analysis (for example, NPV analysis, gap analysis). The possible values can be taken from the fixed values for domain RMRPTYPE.
● Characteristic
● Value
Note: The checking of the characteristics is based on an AND link. This means that if an entry for the field Characteristic is not equal to *, then an additional entry with the value * has to be defined for each characteristic for which all values are permitted. No hierarchy can be defined with this authorization object. For example, this means that it is not possible to give a user authorization for all product types in company code 001, but then to restrict the authorization to certain product types in company code 002. Any restriction of the authorization to certain product types would apply automatically to company code 001.
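The AND link and the missing hierarchy in the T_RMCHAR_V note are easier to see in code. The following Python model is an added example, not SAP's check: authorizations are flat (report category, characteristic, value) entries, every characteristic of the financial object must be covered by a matching value or by *, and the sample entries, characteristic labels and the report category "NPV" are constructed placeholders (the real values of domain RMRPTYPE are not listed on this page).

```python
"""Model of the AND-linked characteristic check described for T_RMCHAR_V.

Added example, not SAP code. An authorization is a set of flat
(report category, characteristic, value) entries. A report on a financial
object is permitted only if, for the requested report category, EVERY
characteristic of the object is covered by an entry carrying the object's
value or '*'. An entry whose characteristic is '*' covers all characteristics.
Report category, characteristic labels and values are constructed placeholders.
"""

WILDCARD = "*"


def allowed_values(auths, report_category, characteristic):
    """Values permitted for one characteristic of one report category."""
    return {
        value
        for cat, char, value in auths
        if cat == report_category and char in (characteristic, WILDCARD)
    }


def is_authorized(auths, report_category, financial_object):
    """AND link: each characteristic of the object must be permitted on its own."""
    for characteristic, value in financial_object.items():
        permitted = allowed_values(auths, report_category, characteristic)
        if WILDCARD not in permitted and value not in permitted:
            return False
    return True


def uncovered_characteristics(auths, report_category, characteristics):
    """Characteristics with no entry at all; each of them needs a '*' entry
    before any report of this category can pass (the note's second sentence)."""
    return [c for c in characteristics
            if not allowed_values(auths, report_category, c)]


# Constructed sample: NPV reports in company codes 001 and 002, and an
# administrator who tried to restrict product types "only for 002".
SAMPLE_AUTHS = {
    ("NPV", "Company Code", "001"),
    ("NPV", "Company Code", "002"),
    ("NPV", "Product Type", "51A"),   # meant for 002 only, but entries are flat
}


def demo():
    """Outcomes showing that the product-type restriction also hits company code 001."""
    loan_001 = {"Company Code": "001", "Product Type": "51A"}
    bond_001 = {"Company Code": "001", "Product Type": "52A"}
    bond_002 = {"Company Code": "002", "Product Type": "52A"}
    # The only way to re-open product types is a '*' entry, which then applies
    # to 002 as well: there is no per-company-code hierarchy.
    with_wildcard = SAMPLE_AUTHS | {("NPV", "Product Type", WILDCARD)}
    return {
        "51A in 001": is_authorized(SAMPLE_AUTHS, "NPV", loan_001),
        "52A in 001": is_authorized(SAMPLE_AUTHS, "NPV", bond_001),
        "52A in 002": is_authorized(SAMPLE_AUTHS, "NPV", bond_002),
        "52A in 001 with wildcard": is_authorized(with_wildcard, "NPV", bond_001),
        "52A in 002 with wildcard": is_authorized(with_wildcard, "NPV", bond_002),
        "51A in 001, GAP category": is_authorized(SAMPLE_AUTHS, "GAP", loan_001),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28} -> {'allowed' if ok else 'denied'}")
    print("uncovered for NPV:", uncovered_characteristics(
        SAMPLE_AUTHS, "NPV", ["Company Code", "Product Type", "Portfolio"]))
```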

T_KAPM_1 (Corporate Actions I)
Permitted activities: 01 Create or generate, 02 Change, 03 Display, 63 Activate
Description: You use this object to define the user authorizations for:
● Corporate action types
● Activities
Use in functions: The object T_KAPM_1 is checked in the following application functions: Securities > Back Office > Corporate Actions for Corporate action category: Manually generated

T_KAPM_2 (Corporate Actions II)
Permitted activities: 10 Post, 48 Simulate, 85 Reverse
Description: With this authorization object, you define at the company code level for which corporate actions postings or simulation runs may be carried out.
Use in functions: Object T_KAPM_2 is checked in the following application function: Securities – Processing: Post other corporate actions

T_THXE_ET (Effectiveness Tests)
Permitted activities: 01 Create or generate, 02 Change, 03 Display, 06 Delete, 94 Override
Description: You can use this authorization object to manage the access in the effectiveness test part of the Hedge Accounting for Positions.
Use in functions: The system checks whether the user is authorized to execute the function based on Company Code, Valuation Area, Hedging Relationship Category, Hedging Relationship Profile and Activity within the following functions:
● Manage Hedging Relationships (transaction TPM100)
● Run Effectiveness Test (transaction TPM110)

T_TREA_EVA (Execute or Display Evaluation Data on External Accounts)
Permitted activities: 01 Create or generate, 03 Display
Description: With this authorization object, you determine which activities for evaluations on external accounts can be performed by which users.
Use in functions:
● NPV Calculation for External Account Transactions (transaction: TREA_EVAL)
● Show Results of Key Figure calculation for External Accounts (transaction: TREA_EVAL_SHOW)

T_RIGHTS_D (Exercise Rights for Listed Options or Futures)
Permitted activities: 03 Display, 38 Perform, 48 Simulate, 85 Reverse

T_TEX_POS (Exposure Position)
Permitted activities:
● 02 Change (Change attributes of the exposure position)
● 03 Display (Display exposure position)
● 59 Distribute (Update exposure position in the Hedge Accounting for Exposures)
● 61 Export (Export exposure position to market place or other function covered by BAdI)
Description: The authorization object controls which activities are allowed for exposure positions within Exposure Management 2.0.

T_TREA_CA (External Account)
Permitted activities: 01 Create, 02 Change, 03 Display, 06 Delete, NP Net Payment
Description: With this authorization object, you determine for users which activities they are allowed to execute for an external account.
Used in functions:
● Maintain External Accounts (transaction TREA_ACC_MNT)
● Create Net Payment (transaction TREA_PAY)

T_TREA_STA (External Account Statement)
Permitted activities: Create or generate, Change, Display, Delete, Release
Description: With this authorization object, you determine for users which activities for an external account statement they are allowed to execute.
Used in functions:
● Maintain External Account Statements (transaction TREA_STA_MNT)
● Upload External Account Statements (transaction TREA_STA_UPL)
● Release Line Items (transaction TREA_RELEASE)

T_BP_DEAL (FS Business Partner: Standing Instructions)
Permitted activities: 01 Create or generate, 02 Change, 03 Display
Description: The system checks against the authorization object Treasury Business Partner: Standing Instructions when the user calls up the standing instructions function. The system only displays the standing instructions for which the user is authorized.
Examples:
● If a user is not authorized to use the standing instructions function, this user is unable to branch to the standing instructions from the business partner master data screen.
● If a user is only authorized to maintain transaction authorizations, the system only displays the corresponding tab for transaction authorizations when this user calls up the standing instructions.

T_FGDT_ART (Generic Transaction: Authorization Types)
Permitted activities: 01 Create or generate, 02 Change, 03 Display
Description: You can use this authorization object to define authorizations for the input fields of the generic transaction. Based on the field values, you define which generic transactions the user is allowed to maintain. To do this, you have to define an authorization type and the names of the fields to be checked in the Customizing settings for generic transactions.
Note: This authorization is optional. You do not need to assign authorizations if you do not want to give special protection to a particular field group, and have therefore not stored field groups for authorization in your Customizing settings.
Procedure: If you want to use this authorization object, proceed as follows:
● Decide for which fields in the generic transaction you want to assign authorizations.
● In the Customizing for the generic transaction, create an authorization type for these fields.
● Define the authorizations you want to assign to selected employees. Use the authorization type you have created and define the corresponding values for the activity and the selected fields of the generic transaction.
● Assign the authorizations you have created to the selected employees by using the relevant profile.

T_HM_BUK (Hedge Accounting (E-HA) in Company Code)
Permitted activities: 01 Create or generate, 02 Change, 03 Display, 06 Delete
Description: Authorization object for the functions of hedge accounting (E-HA) in the company code.

IDCFM_FRIM (Impairment Authorization Object)
Permitted activities: 01 Display, 02 Create, 03 Update
Description: Authorization object for impairment function.

F_T_VTBLV (Limit)
Permitted activities: 02 Change, 03 Display, 05 Lock, 43 Release, 98 Mark for release
Description: With this authorization object, you define which limits can be edited. The object consists of the fields Limit type and Activity.

F_T_VTBLR (Limit Reservations)
Permitted activities: 01 Create or generate, 02 Change, 03 Display
Description: This authorization object determines which activities a user can perform for a limit reservation.

F_T_VTBLL (Limit Transfers)
Permitted activities: 01 Create or generate, 02 Change, 03 Display

T_STAM_GAT (Master Data: Class Category)
Permitted activities: 01 Create or generate, 02 Change, 03 Display, 06 Delete, 43 Release, 56 Display archive, 57 Save archive
Description: This authorization object enables you to control the various activities that can be executed with a security class. You can also control the activities according to the product type. You can set up your system, for example, so that a certain employee can change stocks, but can only display bonds.
Use in function: Class Data (transaction FWZZ)

T_DEAL_PF (Portfolio Authorization)
Permitted activities: 01 Create or generate, 02 Change, 03 Display, 06 Delete, 16 Execute, 38 Perform, 43 Release, 48 Simulate, 85 Reverse, AB Settle, KI Knock In, KO Knock Out, KS Reverse notice, KU Give notice, PR Process Correspondence, PS, VF Expired
Description: With this authorization object, you determine which functions and activities are allowed for a portfolio in a company code.
Authorization object: T_PACC_POS (Position in Futures Account)
Permitted activities: 10 Post; 85 Reverse
Description: You use this authorization object to determine the company code, product type, and futures account for which activities can be executed that affect the position.
You use the authorization object for the following transactions or functions:
● Post Variation Margin: Function A, Activity 10
● Post Close Margin: Function A, Activity 10
● Reverse Margin Flows: Function A, Activity 85
● Manual Posting: Function B, Activity 10
● Reverse Manual Posting: Function B, Activity 85
● Execute Matching: Function C, Activity 10
● Reverse Matching: Function C, Activity 85

Authorization object: T_TEX_REXP (Raw Exposure)
Permitted activities:
● 01 Create or generate: Create raw exposure
● 02 Change: Change attributes of the raw exposure
● 03 Display: Display raw exposure
● 06 Delete: Delete a raw exposure (only if it is unreleased)
● 43 Release: Release the raw exposure to exposure positions
Description: The authorization object controls which activities are allowed for raw exposures within Exposure Management 2.0.
Authorization object: T_RDB_CVKF (Results Database: Characteristic Value and Key Figure)
Description: With the help of this authorization object you can specify for which values of a characteristic a user may display the values of a key figure. The system checks the values of all defining characteristics for a certain review unit (for example, a portfolio hierarchy node). Authorization for the value * is required for characteristics with no restrictions (for example, those that do not appear in a portfolio hierarchy or only appear at a lower level).

Authorization object: T_RDB_RDEL (Results Database: Delete Single Records)
Description: This authorization enables you to delete single records from the results database by restricting the deletion to a particular application. For example, if you want to delete single records in Market Risk only, but not those in the Portfolio Analyzer, you specify the application RA here.

Authorization object: F_TR_MRM_S (Scenario Maintenance)
Permitted activities: 01 Create or generate; 02 Change; 03 Display; 06 Delete
Description: Object F_TR_MRM_S (Scenario maintenance) controls the authorizations for maintaining scenarios in Market Risk Management. On this level you define whether a user is authorized to create, change or display a scenario of a certain scenario type.
Authorization object: T_DEPOT (Securities Account Position)
Permitted activities: 01 Create or generate; 02 Change; 03 Display; 06 Delete
Description: With this authorization object, you define which position-changing measures may be carried out for the following:
● company code
● product category
● securities account
Defined fields
● Company code
● Product type
● Function (D4 = Disposition block, D5 = securities account transfer, D6 = securities account cash flow)
● Securities account
● Activity (create, change, display, delete, reverse)
Note
● Necessary authorization for Unblock: 06 (delete)
● Necessary authorization for Manual posting or debit position:
○ Function: Securities account cash flow (D6)
○ Activity: change (02)
● Necessary authorization for Update securities account position:
○ Function: Securities account cash flow (D6)
○ Activity: change (02)
Use in functions
Object T_DEPOT is checked in the following functions:
● Securities account transfer
● Securities account position overview
● Manual posting
● Debit position
● Reversal of debit position / manual posting
● Update securities account position
● Posting journal

Authorization object: T_SEC_PRIC (Security Price Maintenance – Price Type)
Permitted activities:
● 03 Display: Display Security Price
● 23 Maintain: Create/Change/Delete Security Prices
Description: With this authorization object you can control for which price types a user has the authorization to display or maintain security prices.
Defined fields
The authorization object has the following fields:
● S_KURSART Rate/Price Type – Treasury Instruments
● ACTVT Activity (Display, Maintain)
Use
When you have activated the security price check in Customizing under Treasury and Risk Management > Transaction Manager > General Settings > Organization > Activate Authority Check for Security Price Type, the authorization object T_SEC_PRIC is checked in the following functions:
○ Display security price (transaction FW17)
○ Maintain security price (transaction FW18)
○ Class Master Data (transaction FWZZ)

Authorization object: F_T_FBNAME (Treasury: Authorization for Asynchronous Datafeed)
Permitted activities: 01 Create or generate
Description: Treasury: Authorization to call up a function module.

Authorization object: T_TRADER (Treasury: Trader Authorization)
Permitted activities: 02 Change; 03 Display
Description: Treasury: Authorization for trader.

Authorization object: F_T_TRANSB (Treasury: Transaction Authorization)
Description: When a transaction is chosen, the system checks whether the user is authorized to execute the function. The authorization object is used within nearly all transactions of the SAP Treasury and Risk Management.
Authorization object: T_TREA_CA (External Account)
Permitted activities: 01 Create; 02 Change; 03 Display; 06 Delete; NP Net Payment
Description: With this authorization object, you determine for users which activities they are allowed to execute for an external account.
Used in functions:
● Maintain External Accounts (transaction TREA_ACC_MNT)
● Create Net Payment (transaction TREA_PAY)

Authorization object: T_TREA_STA (External Account Statement)
Permitted activities: Create or generate; Change; Display; Delete; Release
Description: With this authorization object, you determine for users which activities for an external account statement they are allowed to execute.
Used in functions:
● Maintain External Account Statements (transaction TREA_STA_MNT)
● Upload External Account Statements (transaction TREA_STA_UPL)
● Release Line Items (transaction TREA_RELEASE)

Authorization object: T_DEAL_LC
Permitted activities:
● LC_ACTVT: 01 Presentation; 02 Document
● LC_FNCTN: 01 Create; 02 Change; 03 Display; 04 Reverse; 05 Accept/Reject; 06 Pre-check; 07 Send to Bank; 08 Settle
Description: With this authorization object, you determine for users which activities they are allowed to execute for a trade finance transaction.

Authorization object: T_HDG_AREA (Obsolete: Hedging Area)
Permitted activities: 02 Change; 03 Display
Description: This authorization object enables you to restrict who can display or change hedging areas using function Define Hedging Area (transaction TOE_HEDGING_AREA).
Authorization object: T_TOEHA (Hedging Area)
Permitted activities:
● AUTH_GR: You can create authorization groups in Customizing for Treasury and Risk Management under Define Authorization Groups for Hedging Areas. Hedging areas have to be assigned to one authorization group. In this way, you can grant authorization for maintaining specific hedging areas.
● DGROUP: You use this field to control which data can be changed or displayed. Currently, only Hedge Management Settings and Hedge Accounting Settings are used.
● ACTVT: You use this field to control which functions can be performed during hedging area maintenance:
○ Create
○ Change
○ Display
○ Create New Version
○ Delete Version
○ Delete
Description: You use this authorization object to control authorization for maintaining hedging areas.

Authorization object: T_TOESNP (Hedge Management: Snapshot)
Permitted activities:
● AUTH_GR: You can create authorization groups in Customizing for Treasury and Risk Management under Define Authorization Groups for Hedging Areas. Hedging areas have to be assigned to one authorization group. In this way, you can grant authorization for snapshots belonging to specific hedging areas.
● ACTVT: You use this field to control which of the following functions can be performed from within the snapshot function:
○ Create
○ Delete
○ Flag: If the hedging area is set as relevant for Hedge Accounting, you can grant users authorization to set a snapshot as the version that is relevant for the day.
Description: You use this authorization object to control authorization for creating or deleting hedging areas.
Authorization object: T_TOE_HMC (Hedge Management Cockpit)
Permitted activities:
● AUTH_GR: You can create authority groups in Customizing. Hedging areas have to be assigned to one authority group. In this way, you can grant authorization for specific hedging areas.
● BUKRS: Company code
● ACTVT: Display
Description: With this authority object, you can control which data can be shown using the Hedge Management Cockpit.

Authorization object: T_HREL_AUT
Fields: The authorization object consists of the following fields:
● Company Code
● Valuation Area
● Activity
Description: With this authorization object, you determine which activities are allowed for a hedging relationship within Hedge Accounting for Positions (P-HA) in a company code and valuation area.
Use in function: Manage Hedging Relationships (transaction TPM100)
The hedge risk category and hedging relationship category are not used at the moment. (The class of a hedging relationship is obsolete but cannot be deleted for technical reasons.)

Authorization object: T_TIME_GRI (Time Pattern)
Permitted activities: 02 Change; 03 Display
Description: This authorization object enables you to restrict who can display or change time patterns using function Define Time Pattern (transaction TOE_TIME_PATTERN).

Authorization object: T_TOE (Obsolete: Hedge Management: Snapshot)
Fields: The authorization object consists of the following fields:
● BUKRS Company Code
● CURRENCY Currency
● ACTVT Activity
Description: With this authorization object, you can restrict who can display snapshots within Hedge Management.

Authorization object: T_RCD
Permitted activities: Recheck; Release; Reject
Description: With this authorization object, you can restrict who can recheck, release, or reject blocked sales documents for a risk check decision using function Risk Check Decision Management (transaction FTR_RCD).
The table below shows the security-relevant authorization objects that are used by the SAP Treasury and Risk
Management (class FI Financial Accounting).
Standard Authorization Objects
Table 104:
Authorization Object Permitted Activities Description
Authorization object: F_RPCODE (Repetitive Code)
Permitted activities:
● Create and change, to bring the data into the system
● Lock and release, to control usability
● Display, to enable the user to use the function
● Display change documents, to enable you to display the master data changes
Description: Repetitive codes are used to simplify processing of recurring payments. Such usage is agreed between the user and the bank. You should only use the delete function once you have carefully checked and agreed with the bank that it is clear that a repetitive code is no longer being used and may be deleted.
The authorization object is checked during, among other things, repetitive code maintenance (OT81), the use of repetitive codes in vendor payment requests (RVND), and the fast entry of repetitive payments (FRFT).
The company code controls the organizational unit in which the activities named can be carried out. The partner type restricts the activities to those repetitive codes for which the payee has the specified type (house bank, vendor or Treasury business partner are examples). When you display change documents you can only restrict to company code.
13.3.4.4.2 Data Storage Security
Using Logical Paths and File Names to Protect Access to the File System
SAP Treasury and Risk Management (FIN-FSCM-TRM) saves data in files in the file system. Therefore, it is
important to explicitly provide access to the corresponding files in the file system without allowing access to other
directories or files (also known as directory traversal). This is achieved by specifying logical paths and file names
in the system that map to the physical paths and file names. This mapping is validated at runtime and if access is
requested to a directory that does not match a stored mapping, then an error occurs.
The following list shows the logical paths and file names that are used in SAP Treasury and Risk Management (FIN-FSCM-TRM) and the programs for which these file names and paths apply. The logical paths and file names have been created to activate the validation of physical file names:
Logical file names used in SAP Treasury and Risk Management
● FTRM_FTR_DEALDATA_AMORTIZATION_SCHEDULES_IMPORT
○ Program that uses this logical file name:
○ RFTR_INTF_MAINFLOWS_UPLOAD
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_FTR_DEALDATA_IMPORT.
● FTRM_TCR_MARKETDATA_DF_IMPORT
○ Program that uses this logical file name:
○ RFTBDF06 [function Datafeed: Import External Market Data in Datafeed Notation (transaction TBD5)]
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TCR_MARKETDATA_DF_IMPORT.
● FTRM_TCR_MARKETDATA_DF_SECURITIES_IDS_IMPORT_FOR_CUSTOMIZING
○ Program that uses this logical file name:
○ RFTBDF05 [function Datafeed: Import Security ID Numbers (transaction TBD2)]
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TCR_MARKETDATA_DF_IMPORT.
● FTRM_TCR_MARKETDATA_FF_REQUEST_LIST_EXPORT
○ Program that uses this logical file name:
○ RFTBFF01 [function Market Data File Interface: Generate Rates and Prices Request List (transaction TBDN)]
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TCR_MARKETDATA_FF_EXPORT.
● FTRM_TCR_MARKETDATA_FF_IMPORT
○ Program that uses this logical file name:
○ RFTBFF01 [function Market Data File Interface: Import Rates and Prices (transaction TBDM)]
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TCR_MARKETDATA_FF_IMPORT.
● FTRM_TCR_MARKETDATA_FF_ERRORLOG_EXPORT
○ Program that uses this logical file name:
○ RFTBFF01 [function Market Data File Interface: Import Rates and Prices (transaction TBDM)]
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TCR_MARKETDATA_FF_EXPORT.
● FTRM_TCR_MARKETDATA_FF_SECURITIES_YEAR_END_PRICES_IMPORT
○ Program that uses this logical file name:
○ RFDWZFF0
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TCR_MARKETDATA_FF_IMPORT.
● FTRM_TCR_MARKETDATA_FF_STATISTICS_IMPORT
○ Program that uses this logical file name:
○ RFTBFF20 [function Market Data File Interface: Import Statistics Data (transaction TVMD)]
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TCR_MARKETDATA_FF_IMPORT.
● FTRM_TCR_TEMP_TCURC_EXPORT (Treasury: Sequential Output File for TCURC)
○ Program that uses this logical file name:
○ RZKLAODC
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TCR_TEMP_EXPORT.
● FTRM_TCR_TEMP_TCURT_EXPORT (Treasury: Sequential Output File for TCURT)
○ Program that uses this logical file name:
○ RZKLAODT
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TCR_TEMP_EXPORT.
● FTRM_FTR_RED_SCHEDULE (Treasury: Redemption Schedule Parser)
○ Program that uses this logical file name:
○ FTBAS_SCHEDULE_BATCH_LOAD
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_FTR_RED_SCHEDULE.
● FTRM_AN_LIMIT
○ Program that uses this logical file name:
○ RFTBLBI1 (Batch Input Report for Creating Limits )
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_AN_LIMIT.
● FTRM_AN_INT_LIMIT
○ Program that uses this logical file name:
○ RFTBLBI1 ( Batch Input Report for Creating Limits)
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_AN_INT_LIMIT.
● FTRM_TCR_MARKETDATA_FF_DERIVATIVE_PRICES_ERRORLOG_EXPORT
○ Program that uses this logical file name:
○ RFTBFF30 (Import DTB Derivative Prices: transaction TVDT )
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TCR_MARKETDATA_FF_EXPORT.
● FTRM_TCR_MARKETDATA_FF_DERIVATIVE_PRICES_IMPORT
○ Program that uses this logical file name:
○ RFTBFF30 (Import DTB Derivative Prices: transaction TVDT )
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TCR_MARKETDATA_FF_IMPORT.
● FTRM_AN_BATCH_INPUT_DER
○ Programs using this logical file name:
○ RJBDBTC3 (Batch Input for Derivatives )
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_AN_BATCH_INPUT_DER.
● FTRM_AN_BATCH_INPUT_MM
○ Programs using this logical file name:
○ RJBDBTC2 (Batch Input for Derivatives)
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_AN_BATCH_INPUT_MM.
● FTRM_AN_BATCH_INPUT_FX
○ Programs using this logical file name:
○ RJBDBTC1 (Batch Input for FX Transactions )
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_AN_BATCH_INPUT_FX.
● FTRM_AN_BATCH_INPUT_ERR_FILE
○ Programs using this logical file name:
○ Include MJBEHF01
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_AN_BATCH_INPUT_ERR_FILE.
● FTRM_TARO_SEND
○ Programs using this logical file name:
○ R_TLR_TARO_SEND
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TARO_SEND (this is where the send program puts the files to be sent to the repository).
● FTRM_TARO_IMPORT
○ Programs using this logical file name:
○ R_TLR_TARO_IMPORT and R_TLR_TARO_IMPORT_REPORTS
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TARO_IMPORT (this is where the system expects files sent by the repository).
● FTRM_TARO_ARCHIVE
○ Programs using this logical file name:
○ R_TLR_TARO_IMPORT and R_TLR_TARO_IMPORT_REPORTS
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TARO_ARCHIVE (this is where imported files are stored if they were successfully imported).
● FTRM_TARO_ERROR
○ Programs using this logical file name:
○ R_TLR_TARO_IMPORT and R_TLR_TARO_IMPORT_REPORTS
○ No parameters are used in this context.
○ The logical file name uses the logical file path FTRM_TARO_ERROR (this is where imported files are stored if they were NOT successfully imported but caused an error).
Activating the Validation of Logical Path and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To find out which
paths are being used by your system, you can activate the corresponding settings in the Security Audit Log. For
more information about data storage security, see the respective chapter in the SAP NetWeaver Security Guide.
13.3.5 Financial Operations
13.3.5.1 Contract Accounting
13.3.5.1.1 Authorizations
Business Roles
The following business roles are provided:
● SAP_BR_APR_MANAGER_FICA (Accounts Payable and Receivable Manager (FI-CA))
● SAP_BR_APR_ACCOUNTANT_FICA (Accounts Payable and Receivable Accountant (FI-CA))
● SAP_BR_INVOICING_SPEC_CINV (Invoicing Specialist (Convergent Invoicing))
● SAP_BR_INVOICING_MANAGER_CINV (Invoicing Manager (Convergent Invoicing))
Standard Authorization Objects
You can easily recognize the authorization objects currently used in Contract Accounts Receivable and Payable
(FI-CA) from their technical name as follows:
1. In the SAP Easy Access menu choose Tools > Administration > User Maintenance > Information System > Authorization Objects > By object name.
2. Enter F_KK* in the Authorization Object field and execute your search.
In the result list, you can display the details for each selected authorization object such as authorization fields,
documentation and permitted activities, if defined.
In addition, for the Clarification Processing area, the authorization object S_CFC_AUTH exists; for the
Correspondence area, the authorization object P_CORR; and for prepaid processing, authorization objects exist
that follow the naming convention F_PREP*. You can use Customizing roles to control access to the configuration
of Contract Accounts Receivable and Payable (FI-CA) in the SAP Customizing Implementation Guide (IMG).
13.3.5.1.2 Data Storage Security
Contract Accounts Receivable and Payable (FI-CA) saves data in files in the file system. Therefore, it is important
to explicitly provide access to the corresponding files in the file system without allowing access to other
directories or files (also known as directory traversal). This is achieved by specifying logical paths and file names
in the system that map to the physical paths and file names. This mapping is validated at runtime and if access is
requested to a directory that does not match a stored mapping, then an error occurs.
The following list shows the logical file names and paths used by Contract Accounts Receivable and Payable (FI-CA) and for which programs these file names and paths apply:
Logical File Names Used in FI-CA and Logical Path Names
The following logical file names have been created in order to enable the validation of physical file names:
Table 105:
Columns: Program / Logical File Name Used by the Program / Logical Path Name Used by the Program

● Programs: RFKIBI_FILE00, RFKIBI_FILEP01, RFKKBI_FILEEDIT, RFKKBIBG, RFKKZEDG, RFKKRLDG, RFKKCMDG, RFKKCRDG, RFKKAVDG, RFKKBIB0, RFKKZE00, RFKKRL00, RFKKCM00, RFKKCR00, RFKKAV00, RFKKKA00, RFKKBIT0
○ Logical file name: FICA_DATA_TRANSFER_DIR
○ Logical path name: FICA_DATA_TRANSFER_DIR
● Programs: RFKKPCSF, RFKKPCDS
○ Logical file name: FI-CA-CARD-DATA-S
○ Logical path name: FI-CA-CARD-DATA-S
● Programs: RFKKCVSPAY, RFKK_CVSPAY_CONFIRM, RFKKCVSCONFIRMDB, RFKK_CVSPAY_CONFIRM_TEST
○ Logical file name: FI-CA-CVS
○ Logical path name: FI-CA-CVS
● Programs: RFKK_DOC_EXTR_EXP, RFKK_DOC_EXTR_AEXP, RFKK_DOC_EXTR_IMP, RFKK_DOC_EXTR_EXTR, RFKK_DOC_EXTR, RFKK_DOC_EXTR_DEL, class CL_FKK_TEXT_FILE
○ Logical file name: FI-CA-DOC-EXTRACT-DIR
○ Logical path name: FI-CA-DOC-EXTRACT-DIR
● Program: RFKKBIXBITUPLOAD
○ Logical file names: FI-CA-BI-SAMPLE, FI-CA-BI-SAMPLE-DIR
○ Logical path name: FI-CA-BI-SAMPLE-DIR
● Programs: RFKKCOL2, RFKKCOLL, transaction FP03DM (Mass Activity)
○ Logical file name: FI-CA-COL-SUB
○ Logical path name: FI-CA-COL-SUB
● Program: transaction FPCI (Mass Activity)
○ Logical file name: FI-CA-COL-INFO
○ Logical path name: FI-CA-COL-INFO
● Programs: RFKKCOPM, READFILE
○ Logical file name: FI-CA-COL-READ
○ Logical path name: FI-CA-COL-READ
● Program: RFKKCOPG
○ Logical file name: FI-CA-COL-TEST
○ Logical path name: FI-CA-COL-TEST
● Programs: RFKKRDI_REPORT, RFKKRDI_REPORT_DIS
○ Logical file name: FI-CA-RDI
○ Logical path name: FI-CA-RDI
● Program: SAPFKPY3
○ Logical file name: FI-CA-DTA-NAME
○ Logical path name: FI-CA-DTA-NAME
● Program: RFKKCHK01
○ Logical file name: FI-CA-CHECKS-EXTRACT
○ Logical path name: FI-CA-CHECKS-EXTRACT
● Program: class CL_FKK_INFCO_SEND
○ Logical file name: FI-CA-INFCO
○ Logical path name: FI-CA-INFCO
● Program: RFKKBE_SAL1
○ Logical file name: FICA_BE_SAL
○ Logical path name: FICA_BE_SAL
● Program: RFKKBE_SAL2
○ Logical file name: FICA_BE_SAL_XML
○ Logical path name: FICA_BE_SAL_XML
● Program: RFKK1099
○ Logical file name: FI-CA-1099
○ Logical path name: FI-CA-1099
● Programs: RFKKOP03, RFKKOP04, RFKKOP07
○ Logical file name: FICA_OPEN_ITEMS
○ Logical path name: FICA_OPEN_ITEMS
● Programs: RFKKES_SAL1, RFKKES_SAL2
○ Logical file name: FICA_TAX_REP_GEN
○ Logical path name: FICA_TAX_REP_GEN
● Program: transaction EMIGALL
○ Logical file name: ISMW_FILE
○ Logical path name: ISMW_ROOT
Activating the Validation of Logical Path and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To find out which
paths are being used by your system, you can activate the corresponding settings in the Security Audit Log.
For more information about data storage security, see the chapter in the SAP NetWeaver Security Guide.
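The runtime validation that both data storage security sections describe (13.3.4.4.2 for Treasury and Risk Management and 13.3.5.1.2 for FI-CA) can be modelled to see why activating it matters: a program's file request is resolved under the physical directory mapped for its logical path, and with the check active any resolved name that leaves that directory is refused. This is an added example written for this page, not SAP's own implementation (transaction FILE / SF01 and the kernel checks are not reproduced); the logical names come from the lists above, while the physical directories and the file requests are constructed.

```python
"""
Added illustration (not SAP code): a model of the logical-path / logical-file-name
validation that the guide describes for SAP Treasury and Risk Management and
FI-CA file access. Transaction FILE / SF01 and the SAP kernel checks are not
reproduced; the physical directories below are constructed sample values.
"""
import posixpath

# Constructed sample mapping of logical path name -> physical directory, i.e.
# what an administrator maintains in transaction FILE (client-independent) or
# SF01 (client-specific). The logical names come from the guide; the physical
# directories are invented for this example.
LOGICAL_PATHS = {
    "FTRM_TCR_MARKETDATA_FF_IMPORT": "/usr/sap/trans/data/trm/marketdata/in",
    "FTRM_TCR_MARKETDATA_FF_EXPORT": "/usr/sap/trans/data/trm/marketdata/out",
    "FICA_DATA_TRANSFER_DIR": "/usr/sap/trans/data/fica/transfer",
}

# Logical file name -> logical path it resolves under, following the
# "uses the logical file path ..." statements of the guide.
LOGICAL_FILE_NAMES = {
    "FTRM_TCR_MARKETDATA_FF_IMPORT": "FTRM_TCR_MARKETDATA_FF_IMPORT",
    "FTRM_TCR_MARKETDATA_FF_ERRORLOG_EXPORT": "FTRM_TCR_MARKETDATA_FF_EXPORT",
    "FICA_DATA_TRANSFER_DIR": "FICA_DATA_TRANSFER_DIR",
}


class FileNameValidationError(Exception):
    """The requested physical file does not match a stored logical mapping."""


def physical_directory(logical_file_name: str) -> str:
    """Return the physical directory behind a logical file name, or raise."""
    try:
        logical_path = LOGICAL_FILE_NAMES[logical_file_name]
        return LOGICAL_PATHS[logical_path]
    except KeyError as exc:
        raise FileNameValidationError(
            f"no mapping stored for logical file name {logical_file_name!r}"
        ) from exc


def resolve_physical_name(logical_file_name: str, file_name: str,
                          validate: bool = True) -> str:
    """
    Build the physical file name for a program's file request.

    validate=False models the downward-compatible default the guide describes:
    the resolved name is returned unchecked. validate=True models the activated
    check: the normalised name must lie strictly below the mapped physical
    directory, so "../" sequences and absolute names that leave it are refused.
    This model works on POSIX path strings only and does not follow symlinks;
    a check on a real file system would also have to resolve those.
    """
    base = physical_directory(logical_file_name)
    # posixpath.join discards base when file_name is absolute, and normpath
    # collapses "." and ".." components: exactly the effects a traversal
    # attempt relies on, so they are applied before the containment check.
    candidate = posixpath.normpath(posixpath.join(base, file_name))
    if not validate:
        return candidate
    if not candidate.startswith(base + "/"):
        raise FileNameValidationError(
            f"{candidate!r} is outside the directory mapped for "
            f"{logical_file_name!r} ({base!r})"
        )
    return candidate


def is_allowed(logical_file_name: str, file_name: str,
               validate: bool = True) -> bool:
    """True if the request would be served under the given validation mode."""
    try:
        resolve_physical_name(logical_file_name, file_name, validate)
        return True
    except FileNameValidationError:
        return False


if __name__ == "__main__":
    # Constructed requests: two legitimate market-data files and two names
    # that try to leave the mapped directory.
    requests = [
        ("FTRM_TCR_MARKETDATA_FF_IMPORT", "rates_20170930.txt"),
        ("FTRM_TCR_MARKETDATA_FF_ERRORLOG_EXPORT", "import_errors.log"),
        ("FTRM_TCR_MARKETDATA_FF_IMPORT", "../../../../../../../etc/passwd"),
        ("FICA_DATA_TRANSFER_DIR", "/etc/passwd"),
    ]
    for validate in (False, True):
        print(f"validation {'active' if validate else 'off (default)'}:")
        for lfn, name in requests:
            verdict = "allowed" if is_allowed(lfn, name, validate) else "rejected"
            print(f"  {lfn:40} {name:34} {verdict}")
```

With validation off, the two traversal requests are served exactly like the legitimate ones, which is the exposure the guide's instruction to maintain the physical paths in FILE / SF01 removes.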
13.3.5.1.3 Enterprise Services Security
For general information, see the chapters on Web Services Security in the SAP NetWeaver Security Guide and in
the SAP Process Integration Security Guide.
13.3.5.1.4 Other Security-Relevant Information
In Contract Accounts Receivable and Payable (FI-CA), some objects and special activities are protected by special
authorizations. The associated authorization object is F_KK_SOND. See table TFKAUTH (use transaction SM30 to
display) for information on all activities that you can protect with this authorization object.
13.3.5.2 Settlement Management
13.3.5.2.1 Authorizations in Settlement Management
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 106:
Columns: Authorization Object / Field / Value / Description

Authorization object: W_WBRC_CR
Field: Reason for Complaint
Values: 01 Create or generate; 02 Change; 03 Display; 16 Execute (process complaints); A3 Change status of complaints manually
Description: Authorization for complaint reason

Authorization object: W_WBRK_FKA
Field: Settlement Document Type
Values: 01 Create or generate; 02 Change; 03 Display; 04 Print, edit messages; 24 Archive; 25 Reload; 43 Release (*); 85 Reverse (*); 99 Generate invoice list
Description: Authorization for settlement document type

Authorization object: W_WBRK_ORG
Fields: Company Code; Purchasing Organization; Purchasing Group; Sales Organization; Distribution Channel; Division
Values: 01 Create or generate; 02 Change; 03 Display; 04 Print, edit messages; 24 Archive; 25 Reload; 43 Release (*); 85 Reverse (*); 99 Generate invoice list
Description: Authorization for organizational data

Authorization object: WLF_IV
Field: Settlement Document List Type
Values: 01 Create or generate; 03 Display
Description: Clearing Workbench

Authorization object: W_COCO
Field: Condition Contract Type
Values: 01 Create or generate; 02 Change; 03 Display; 04 Print, edit messages; 24 Archive; 25 Reload; 43 Release (*); 66 Refresh (Apply condition contract retrospectively to posted invoices); 84 Settle
Description: Authorizations for condition contract

Authorization object: W_COCO_ORG
Fields: Sales Organization; Distribution Channel; Division; Purchasing Organization; Purchasing Group
Values: 01 Create or generate; 02 Change; 03 Display; 04 Print, edit messages; 43 Release (*); 84 Settle
Description: Authorizations for condition contract organizational data

(*) To check this activity, you must explicitly activate the check as required.
13.3.5.2.2 Deletion of Personal Data
The Settlement Management (LO-AB) application might process data (personal data) that is subject to the data
protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to
control the blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Cross Components > Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 107:
Columns: Application Object / Detailed Description / Provided Deletion Functionality

Application object: Customer Settlement List
Detailed description: See the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Document Categories in Settlement Management > Customer Settlement List.
Provided deletion functionality: ILM object AB_DOCUMENT assigned to archiving object WBU. For more information see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Functions for Document Processing > Archiving of Settlement Management Documents > Customer Settlement Lists (LO-AB). Report: WLF_UPDATE_AB_EOP_FROM_ARCHIVE.

Application object: Customer Settlement
Detailed description: See the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Document Categories in Settlement Management > Customer Settlement.
Provided deletion functionality: ILM object AB_DOCUMENT assigned to archiving object WCI. For more information see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Functions for Document Processing > Archiving of Settlement Management Documents > Customer Settlements (LO-AB). Report: WLF_UPDATE_AB_EOP_FROM_ARCHIVE.

Application object: Supplier Billing Document
Detailed description: See the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Document Categories in Settlement Management > Supplier Billing Document.
Provided deletion functionality: ILM object AB_DOCUMENT assigned to archiving object WLF. For more information see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Functions for Document Processing > Archiving of Settlement Management Documents > Supplier Billing Documents (LO-AB). Report: WLF_UPDATE_AB_EOP_FROM_ARCHIVE.

Application object: Settlement Document List
Detailed description: See the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Document Categories in Settlement Management > Settlement Document List.
Provided deletion functionality: ILM object AB_DOCUMENT assigned to archiving object WRECH. For more information see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Functions for Document Processing > Archiving of Settlement Management Documents > Settlement Document Lists (LO-AB). Report: WLF_UPDATE_AB_EOP_FROM_ARCHIVE.

Application object: Supplier Settlement List
Detailed description: See the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Document Categories in Settlement Management > Supplier Settlement List.
Provided deletion functionality: ILM object AB_DOCUMENT assigned to archiving object WREG. For more information see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Functions for Document Processing > Archiving of Settlement Management Documents > Supplier Settlement Lists (LO-AB). Report: WLF_UPDATE_AB_EOP_FROM_ARCHIVE.

Application object: Expense Settlement
Detailed description: See the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Document Categories in Settlement Management > Expense Settlement.
Provided deletion functionality: ILM object AB_DOCUMENT assigned to archiving object WSI. For more information see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Functions for Document Processing > Archiving of Settlement Management Documents > Expense Settlements (LO-AB). Report: WLF_UPDATE_AB_EOP_FROM_ARCHIVE.

Application object: Settlement Document
Detailed description: See the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Document Categories in Settlement Management > Settlement Document.
Provided deletion functionality: ILM object AB_DOCUMENT assigned to archiving object WZR. For more information see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Functions for Document Processing > Archiving of Settlement Management Documents > Settlement Documents (LO-AB). Report: WLF_UPDATE_AB_EOP_FROM_ARCHIVE.

Application object: Condition Contract
Detailed description: See the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Finance > Financial Operations > Settlement Management > Condition Contract Management > Condition Contract.
Provided deletion functionality: ILM object WCB_COCO assigned to archiving object WCB_COCO. Report: WCB_UPDATE_EOP_FROM_ARCHIVE.
Relevant Application Objects and Available EoP/WUC Functionality
Table 108:
Application: Settlement Management (LO-AB)
Implemented Solution (EoP or WUC): End of purpose (EoP) check
Further Information: SAP delivers an end of purpose check for Settlement Management (LO-AB). All applications register either an end of purpose (EoP) check in the Customizing settings for the blocking and deletion of business partner data or a where-used check (WUC). For information about the Customizing of blocking and deletion for LO-AB, see Configuration: Simplified Blocking and Deletion.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of customer and supplier master data in Customizing for Logistics - General under Business Partner > Deletion of Customer and Supplier Master Data.
13.3.6 Real Estate Management
13.3.6.1 Real Estate Management
Authorizations
Standard Roles of Real Estate Management
Table 109:
Role: Description
SAP_RE_APPL: Real Estate Management (including administration and Customizing)
SAP_EP_RW_REFX_I: AC - Flexible Real Estate Management
SAP_EP_RW_REFX_II: AC - Flexible Real Estate Management - support processes
Network and Communication Security
External heating expenses settlement is available in Real Estate Management. To make this settlement possible, the necessary files must be generated in the SAP system in an internal SAP format. You then send the data medium to the settlement company.
Trace and Log Files
The change documents provide information on changes to the authorization group and to the person responsible
for the object.
Data Storage Security
Using Logical Paths and File Names to Protect Access to the File System
Flexible Real Estate Management (RE-FX) saves data in files in the file system. Therefore, it is important to
explicitly provide access to the corresponding files in the file system without allowing access to other directories
or files (also known as directory traversal). This is achieved by specifying logical paths and file names in the
system that map to the physical paths and file names. This mapping is validated at runtime and if access is
requested to a directory that does not match a stored mapping, then an error occurs.
The following lists show the logical file names and paths that are used by Flexible Real Estate Management (RE-FX), and the programs to which these file names and paths apply:
Logical File Names Used in Flexible Real Estate Management (RE-FX)
The logical file name REFX_CREATE_TAPE makes it possible to validate physical file names in Flexible Real Estate
Management (RE-FX). The following programs use this logical file name:
● RFRESCMLTAPE
● RFRESCMLTAPECO
● RFRESCSETTLE
● RFRESCSETTLESC
● RFRESCCONTINUE
● RFRESCBOOKING
● RFRESCSETTLCO
● RFRESCCONTINUECO
● RFRESCPOSTCO
Logical Path Names Used in Flexible Real Estate Management (RE-FX)
The logical file names of Flexible Real Estate Management (RE-FX) listed above all use the logical file path
REFX_ROOT.
Activating the Validation of Logical Path and File Names
The logical paths and file names are entered in the system for the corresponding programs. For downward compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To find out which paths are being used by your system, you can activate the corresponding settings in the Security Audit Log.
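The mapping and runtime check described above, as an added example written in Python rather than ABAP; it is not SAP code and not the implementation behind transactions FILE and SF01. The logical names REFX_ROOT and REFX_CREATE_TAPE come from the text; the physical directory, the request list and the check logic are a simplified model constructed for this example to show what "validation deactivated" versus "validation activated" means for a request that tries to leave the mapped directory.

```python
"""Model of logical-path validation (added example, not SAP code).

REFX_ROOT and REFX_CREATE_TAPE are the names from the security guide; the
physical directory and the sample requests are constructed for the example.
"""
import posixpath

# Constructed physical mapping for the logical path (per installation this is
# maintained in FILE/SF01; the directory below is made up for the example).
LOGICAL_PATHS = {
    "REFX_ROOT": "/usr/sap/trans/refx",
}

# Logical file name -> logical path it is defined under
# (from the text: REFX_CREATE_TAPE uses REFX_ROOT).
LOGICAL_FILE_NAMES = {
    "REFX_CREATE_TAPE": "REFX_ROOT",
}


class LogicalFileError(Exception):
    """Raised when a request cannot be mapped to a permitted physical file."""


def resolve_logical_file(logical_name, file_name, validate=True):
    """Map (logical file name, requested file) to a physical path.

    validate=False mirrors the default described in the text (validation off
    for downward compatibility): the path is assembled but never checked.
    validate=True rejects any request whose canonical form does not stay
    inside the directory mapped for the logical path.
    """
    if logical_name not in LOGICAL_FILE_NAMES:
        raise LogicalFileError(f"unknown logical file name {logical_name!r}")
    root = LOGICAL_PATHS[LOGICAL_FILE_NAMES[logical_name]]
    # posixpath.join discards root when file_name is absolute, and normpath
    # collapses '..' segments, so candidate is the path the OS would open.
    candidate = posixpath.normpath(posixpath.join(root, file_name))
    if validate and not candidate.startswith(root + "/"):
        raise LogicalFileError(
            f"{file_name!r} resolves to {candidate!r}, outside {root!r}")
    return candidate


def check_request(logical_name, file_name, validate=True):
    """Return (allowed, physical_path_or_reason) for one request."""
    try:
        return True, resolve_logical_file(logical_name, file_name, validate)
    except LogicalFileError as err:
        return False, str(err)


# Constructed sample requests: names of the kind the RFRESC* programs would
# pass to the logical file name, plus three that must be rejected.
SAMPLE_REQUESTS = [
    ("REFX_CREATE_TAPE", "heating_2017.dat"),
    ("REFX_CREATE_TAPE", "archive/heating_2016.dat"),
    ("REFX_CREATE_TAPE", "../../../../etc/passwd"),
    ("REFX_CREATE_TAPE", "/etc/passwd"),
    ("REFX_NOT_DEFINED", "anything.dat"),
]


def audit(requests=SAMPLE_REQUESTS, validate=True):
    """Evaluate every request; returns (logical, file, allowed, detail) tuples."""
    return [(lg, fn, *check_request(lg, fn, validate)) for lg, fn in requests]


if __name__ == "__main__":
    for lg, fn, ok, detail in audit():
        print(f"{'ALLOW' if ok else 'DENY ':5} {lg:18} {fn:28} -> {detail}")
```

Running `audit(validate=False)` on the same list accepts the `../../../../etc/passwd` request and returns `/etc/passwd`, which is the situation the text warns about when the runtime validation is left at its default. A production check would additionally resolve symbolic links (os.path.realpath) before comparing against the root, which this model omits.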
13.3.6.2 Deletion of Personal Data in RE-FX
Use
The Flexible Real Estate Management (RE-FX) component might process data (personal data) that is subject to the data protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Cross Components > Data Protection.
Relevant Archiving Objects
Table 110:
Archiving Object: Technical Name
Architectural Object: REFX_AO
Adjustment Measure: REFX_AT
Business Entity: REFX_BE
Buildings: REFX_BU
Comparative Group of Apartments: REFX_CG
Real Estate Contract: REFX_CN
Cash Flow of Contracts: REFX_CNCF
Joint Liability: REFX_JL
Land Register: REFX_LR
RE: Move Planning: REFX_MP
Notice of Assessment: REFX_NA
Contract Offer: REFX_OF
Offered Object: REFX_OO
Option Rate Determination per Object/Subobject: REFX_OR
Other Public Register: REFX_PE
Participation Group: REFX_PG
Parcel of Land: REFX_PL
Property: REFX_PR
RE Document: REFX_RADOC
Parcel Update: REFX_RC
Rental Object: REFX_RO
Cash Flow of Rental Objects: REFX_ROCF
RE Search Request: REFX_RR
Reservation: REFX_RS
Recurring Reservation: REFX_RSREC
Service Charge Settlement: REFX_SCSE
Settlement Unit: REFX_SU
Correction Object: REFX_TC
Available Check
Implemented Solution: End of Purpose (EoP) check
For more information, see SAP Note 2134204.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in
Customizing for Cross-Application Components under Data Protection.
13.3.7 Receivables Management
13.3.7.1 SAP Credit Management
13.3.7.1.1 Technical System Landscape
Use
This figure shows an overview of the technical system landscape for SAP Credit Management.
Figure 3: Technical System Landscape
To exchange messages with external information providers, you have to use the Integration Server. For
accounting systems as well as Sales and Distribution (SD) systems, you can configure the communication either
via the Integration Server or via a point to point connection using Web Services Reliable Messaging (WSRM). The
SAP Business Information Warehouse is connected via Remote Function Call (RFC).
For more information about recommended security zone settings, see SAP NetWeaver Security Guide (Complete)
on SAP Service Marketplace at service.sap.com/securityguide.
For SAP Credit Management the business package for the Credit Manager provides you with portal content so that
you can use the functions from SAP Credit Management in the portal. Security-relevant information about the use
of the portal content is available in the SAP NetWeaver Security Guide for the usage types Enterprise Portal Core
(EPC) and SAP Enterprise Portal (EP) in the portal security guide.
13.3.7.1.2 Security Aspects of Data, Data Flow, and Processes
This figure shows an example of a data flow for the SAP Credit Management application.
Figure 4:
This table shows the security aspect to be considered for the process step and what mechanism applies.
Table 111:
Step | Description | Security Measure
1 | User enters order | User types: dialog or internet user
2 | Credit check request | Communication protocol HTTPS or HTTP
3 | Request external rating | Communication protocol HTTPS or HTTP
4 | Call up information provider | Communication protocol HTTPS or HTTP
5 | Provide external rating | Not applicable
6 | Use and store external rating | Not applicable
7 | Credit check response | Communication protocol HTTPS or HTTP
8 | Inform user | Not applicable
13.3.7.1.3 User Management
Standard Users
This table shows the standard users that are necessary for operating SAP Credit Management.
Table 112:
System: SAP Credit Management, client systems
User ID: For example, CREDITXIUSER
Type: Communication user
Password: You specify the initial password during the installation. The user ID and password are stored in the XI channel for the connection.
Description: This is required for communication between SAP Credit Management and client systems using the XI channel.
You need to create this user before XI configuration. Assign both roles SAP_FIN_FSCM_CR_USER and
SAP_XI_IS_SERV_USER to the user. The user and password are added to the XI channel logon data that you
create when you configure your exchange server.
13.3.7.1.4 Authorizations
Business Role
This table shows the business role used by SAP Credit Management.
Table 113:
Role Description
SAP_BR_CREDIT_CONTROLLER Credit Controller
The authorization objects for role SAP_BR_CREDIT_CONTROLLER are described in the following section.
Defining Authorizations
You can control the right of access to SAP Credit Management data by assigning authorizations (separately by credit segment and activity) to the authorization object F_UKM_SGMT. The fields of this authorization object are:
● Credit Segment
● Activity, with the following definitions:
○ 01 Add or Create
○ 02 Change
○ 03 Display
○ 06 Delete
○ 08 Display Change Documents
○ 43 Release
The business role SAP_BR_CREDIT_CONTROLLER is delivered with all authorizations to this authorization object.
You can restrict the access to credit segment-independent master data of SAP Credit Management (for example,
the score) by using the authorization object for business partner roles (B_BUPA_RLT) with the role Business
Partner Credit Management (UKM000).
You can restrict the access to logs (application logs) of SAP Credit Management using the authorization object
S_APPL_LOG. The fields of this authorization object are:
● Application Log Object Name
● Application Log Subobject
● Activity, with the definitions
○ 03 Display
○ 06 Delete
For SAP Credit Management, the following forms are relevant for object name and subobject:
Table 114:
Object Name | Subobject | Meaning
FIN-FSCM-CR | BW-SCORING | Transfer of score from BW
FIN-FSCM-CR | COMMITMENT | Credit exposure update
FIN-FSCM-CR | CREDITCHECK | Credit check
FIN-FSCM-CR | MONITOR | Update entries for external credit information
FIN-FSCM-CR | SEARCH_ID | Search ID at credit information provider
FIN-FSCM-CR | REPLICATE | Replicate FI-CA score
FIN-FSCM-CR | EVENTING | Log of events that occurred
FIN-FSCM-CR-MASS | ERROR, ERROR_BIG, ERROR_PROG, ERROR_UPD, INFO, STATISTICS, SUCCESS, WARNING | Logs of mass changes, can be differentiated by the severity of the error
Procedure
You can organize the authorizations of your users as follows:
Table 115:
Activities | Authorization | Activity
Restrict access to one or more credit segments | F_UKM_SGMT with specified credit segment |
Edit master data | F_UKM_SGMT | 01, 02, 03
Display master data | F_UKM_SGMT | 03
Delete master data | F_UKM_SGMT | 06
Display change documents for master data changes | F_UKM_SGMT | 08
Release and reject credit limit changes/increases requested (dual control principle) | F_UKM_SGMT | 43
Edit and display master data of SAP Credit Management | B_BUPA_RLT with the business partner role UKM000 |
Display and/or delete application logs of SAP Credit Management | S_APPL_LOG with the object names and subobjects listed above | 03, 06
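The authorization layout in the table above, as an added example in Python; it is not SAP code and does not reproduce the ABAP AUTHORITY-CHECK statement. The authorization objects F_UKM_SGMT, B_BUPA_RLT and S_APPL_LOG, the activity codes and the business partner role UKM000 are taken from the text. The field keys ("segment", "activity", "log_object", "log_subobject", "role"), the credit segments, the sample users and the evaluation rules ("*" as a full wildcard, "PREFIX*" as a prefix match, all fields of one check satisfied by a single authorization) are a simplified model constructed for this example. The dual-control rule for activity 43 is modelled as "the approver must hold Release on the segment and must not be the requester".

```python
"""Model of the F_UKM_SGMT / S_APPL_LOG authorization layout (added example,
not SAP code). Object names, activity codes and role UKM000 come from the
security guide; field keys, users, segments and matching rules are a
constructed simplification."""
from collections import namedtuple

# One authorization instance: object name plus a set of allowed values per field.
Authorization = namedtuple("Authorization", "obj fields")

ACTIVITIES = {  # F_UKM_SGMT activity codes from the text
    "01": "Add or Create", "02": "Change", "03": "Display",
    "06": "Delete", "08": "Display Change Documents", "43": "Release",
}


def value_matches(allowed, value):
    """Field match: exact value, '*' for any value, or 'PREFIX*' (model rule)."""
    for pattern in allowed:
        if pattern == "*" or pattern == value:
            return True
        if pattern.endswith("*") and value.startswith(pattern[:-1]):
            return True
    return False


def has_authorization(user_auths, obj, **requested):
    """True if one authorization for obj covers every requested field value.

    All fields must match within the same authorization; values from two
    different authorizations are never combined."""
    for auth in user_auths:
        if auth.obj != obj:
            continue
        if all(value_matches(auth.fields.get(f, ()), v)
               for f, v in requested.items()):
            return True
    return False


def can_release_credit_limit(users, approver, segment, requested_by):
    """Dual control for activity 43: Release on the segment, and the
    approver is not the person who requested the change (model rule)."""
    if approver == requested_by:
        return False
    return has_authorization(users[approver], "F_UKM_SGMT",
                             segment=segment, activity="43")


def can_manage_log(users, user, log_object, subobject, activity):
    """S_APPL_LOG check: 03 = display, 06 = delete (codes from the text)."""
    return has_authorization(users[user], "S_APPL_LOG",
                             log_object=log_object,
                             log_subobject=subobject, activity=activity)


# Constructed sample users, each cut to one row of the table above.
USERS = {
    # clerk: create/change/display master data in credit segment 1000 only
    "CR_CLERK_1000": [
        Authorization("F_UKM_SGMT",
                      {"segment": {"1000"}, "activity": {"01", "02", "03"}}),
        Authorization("B_BUPA_RLT",
                      {"role": {"UKM000"}, "activity": {"02", "03"}}),
    ],
    # manager: display and release in every segment, read logs, never delete
    "CR_MANAGER": [
        Authorization("F_UKM_SGMT",
                      {"segment": {"*"}, "activity": {"03", "43"}}),
        Authorization("S_APPL_LOG",
                      {"log_object": {"FIN-FSCM-CR*"}, "log_subobject": {"*"},
                       "activity": {"03"}}),
    ],
    # log administrator: display and delete credit management logs only
    "LOG_ADMIN": [
        Authorization("S_APPL_LOG",
                      {"log_object": {"FIN-FSCM-CR", "FIN-FSCM-CR-MASS"},
                       "log_subobject": {"*"}, "activity": {"03", "06"}}),
    ],
}


if __name__ == "__main__":
    for user in USERS:
        for seg in ("1000", "2000"):
            acts = [a for a in ACTIVITIES if has_authorization(
                USERS[user], "F_UKM_SGMT", segment=seg, activity=a)]
            print(f"{user:14} segment {seg}: {acts or '-'}")
```

The point the model makes visible is the separation in the table: restricting a user to a credit segment is done through the segment field of the same F_UKM_SGMT authorization that carries the activity, so the clerk's 01/02/03 never extends to segment 2000, while the manager's wildcard segment carries only 03 and 43, not deletion (06) or log deletion.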
13.3.7.1.5 Communication Destinations
Use
This table shows an overview of the communication destinations used by SAP Credit Management.
Table 116: Connection Destinations when Using the Integration Server
Destination | Delivered | Type | User, Authorizations
INTEGRATION_SERVER | No | RFC | XIAPPLUSER, role SAP_XI_APPL_SERV_USER
LCRSAPRFC | No | RFC |
SAPSLDAPI | No | RFC |
These destinations are not application-specific, but they are required for the operation of SAP Process Integration.
For point-to-point connections via Web Services Reliable Messaging (WSRM), you use the SOA Manager in both systems to create the logical port and the endpoint.
13.3.7.1.6 Data Storage Security
Use
Master and transaction data of SAP Credit Management are saved in the database of the SAP system in which SAP Credit Management is installed. They are not distributed to connected systems via XI; however, they can optionally be extracted to SAP Business Information Warehouse.
Access to this data is restricted through the authorizations for authorization object F_UKM_SGMT. Authorizations
for this authorization object are provided for role SAP_FIN_FSCM_CR_USER in the standard delivery; you can copy
the role and adapt it as required. For more information about authorization object F_UKM_SGMT, see the
configuration guide of SAP Credit Management.
Access to data on natural persons in particular is subject to data protection requirements and must be restricted
by assigning authorizations.
13.3.7.1.7 Security-Relevant Logging and Tracing
Use
All changes to the master data of SAP Credit Management are recorded as change documents in the business
partner record. Changes automatically executed by the system as a follow-on process to an event appear under
the name of the communication user if the event was triggered by an XI message.
Example
A credit check is initiated by SD; the system detects that the validity date of the credit limit has expired and
determines a new credit limit on the basis of the Customizing settings.
13.3.7.2 SAP Dispute Management
13.3.7.2.1 Technical System Landscape
Use
You can use SAP Dispute Management in a one-system scenario or in a multiple-system scenario. If you use SAP
Dispute Management in a one-system scenario, this means that you use SAP Dispute Management in the same
system as Accounts Receivable. In a multiple-system scenario, you run SAP Dispute Management in a separate system, which communicates with the connected Accounts Receivable system by means of synchronous and asynchronous BAPI calls and dialog calls.
The figure below shows an overview of the technical system landscape for SAP Dispute Management in a one-system scenario.
The figure below shows an overview of the technical system landscape for SAP Dispute Management in a multiple-system scenario.
For SAP Dispute Management, with Business Package for Dispute Manager you can also use portal content to use the functions of SAP Dispute Management in the portal. For security-relevant information about using the portal content, see the SAP NetWeaver Security Guide for the usage types Enterprise Portal Core (EPC) and Enterprise Portal (EP) in the Portal security guide.
13.3.7.2.2 Security Aspects of Data, Data Flow and Processes
The figure below shows an example of the data flow that occurs when you create a dispute case in a multiple-
system scenario:
The table below shows the security aspect to be considered for the process step and what mechanism applies.
Table 117:
Step | Description | Security Measure
1 | User starts FI transaction (for example, FB03 for document display or FBL5N for line item list) | User type: dialog user
2 | Dispute case is created asynchronously (IDoc/ALE) | User type: technical user or, in the case of use of the Trusted/Trusting connection, dialog user (see also User Management [page 230])
As already mentioned under Technical System Landscape [page 228], SAP Dispute Management uses BAPI calls (IDocs) asynchronously for the data flow between the Accounts Receivable system and the Dispute Case Processing system. The following IDocs are affected:
● Sending system: Accounts Receivable Accounting, receiving system: Dispute Case Processing
○ AttributesChange
○ Create
○ Process
● Sending system: Dispute Case Processing, receiving system: Accounts Receivable Accounting
○ AttributeSynchronize
○ StatusChanged
○ WriteOff
If you are using SAP Dispute Management in a one-system scenario, synchronous BAPI calls are used instead.
13.3.7.2.3 User Management
User Administration Tools
The table below shows the user management tools for SAP Dispute Management.
Table 118: User Management Tools
Tool | Detailed Description | Prerequisites
User and role maintenance with SAP NetWeaver AS ABAP (transactions SU01 and PFCG) | For more information, see User and Role Administration of Application Server ABAP in the SAP NetWeaver documentation. |
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may
specify that users who perform their tasks interactively have to change their passwords on a regular basis, but not
those users who perform their tasks using background processing.
The user types that are required for SAP Dispute Management include:
● Individual users:
○ For each individual user in your system, you need dialog users for the following purposes:
  ○ To use the system via SAP GUI for Windows
  ○ If you use SAP Dispute Management in a multiple-system scenario and the RFC destinations used have a Trusted/Trusting system relationship, calls to the other system are performed using the current user from the calling system. Therefore, a valid user must also exist in the target system for each user.
● Technical users:
○ Background users can be used for processing in the background.
○ If you use SAP Dispute Management in a multiple-system scenario and the RFC destinations concerned are configured such that they do not use a Trusted/Trusting system relationship, you need the following technical users for the RFC destinations:
  ○ Communication users are used for synchronous and asynchronous BAPI calls (IDocs).
  ○ Dialog users are used for dialog calls that take place remotely in the other system.
For more information about these user types, see User Types in the Security Guide for SAP NetWeaver AS ABAP.
Standard Users
If you use SAP Dispute Management in a multiple system scenario and there is no Trusted/Trusting system
relationship between the systems involved, you have to configure corresponding users for the RFC
communication between the systems involved.
Note that in SAP Dispute Management, asynchronous BAPI calls, synchronous BAPI calls, and dialog calls take place between the systems involved. There are calls from the Dispute Case Processing system to the system for Accounts Receivable Accounting and vice versa.
The table below shows the users required if you use SAP Dispute Management in a multiple system scenario and
there is no Trusted/Trusting system relationship between the systems involved.
Table 119: Standard Users

System: System for Dispute Case Processing
User ID: Example: ALEREMOTE1_COM
Type: Communication users
Password: The user ID and password are stored in the RFC destination for the connection.
Description: These users are used when synchronous or asynchronous BAPI methods are called from the Accounts Receivable system in the Dispute Case Processing system.

System: System for Dispute Case Processing
User ID: Example: ALEREMOTE1_DIA
Type: Dialog users
Password: The user ID and password are stored in the RFC destination for the connection.
Description: This user is used for dialog calls from the Accounts Receivable Accounting system in the Dispute Case Processing system.

System: Accounts Receivable Accounting system
User ID: Example: ALEREMOTE2_COM
Type: Communication users
Password: The user ID and password are stored in the RFC destination for the connection.
Description: These users are used when synchronous or asynchronous BAPI methods are called from the Dispute Case Processing system in the Accounts Receivable system.

System: Accounts Receivable Accounting system
User ID: Example: ALEREMOTE2_DIA
Type: Dialog users
Password: The user ID and password are stored in the RFC destination for the connection.
Description: This user is used for dialog calls from the Dispute Case Processing system in the Accounts Receivable Accounting system.
Create the users and enter them in the corresponding RFC destinations. You can assign user IDs as required. The
user IDs above are merely examples.
13.3.7.2.4 Authorizations
Standard Roles:
The table below shows the standard roles used by SAP Dispute Management.
Table 120:
Role: Description

SAP_FIN_FSCM_DM_USER: FSCM Dispute Management - Processor
● One-system and multiple-system scenario
Contains the authorizations that an end user requires in Dispute Case Processing.

SAP_FIN_FSCM_DM_RFC_COMM: RFC user (communication) in Dispute Case Processing
● Multiple-system scenario
Contains the authorizations required by a user to call synchronous and asynchronous BAPI methods from the Accounts Receivable system in the Dispute Case Processing system. Examples of such methods are creating dispute cases from Accounts Receivable and automatically changing dispute cases using clearing transactions in Accounts Receivable.

SAP_FIN_FSCM_DM_RFC_DIALOG: RFC user (dialog) in Dispute Case Processing
● Multiple-system scenario
Contains the authorizations for a user with which the DISPLAY method is called in the Dispute Case Processing system from the Accounts Receivable system by RFC. The role contains the authorizations necessary for displaying the dispute case.

SAP_FIN_FSCM_DM_AR_DIALOG: Role for Functions of Accounts Receivable
● One-system scenario
Contains authorizations required by end users in Dispute Case Processing so that they can call Accounts Receivable functions in Dispute Case Processing. Examples of such functions are including open items in a dispute case and navigating from a dispute case to a linked line item.

SAP_FIN_FSCM_DM_AR_RFC_DIALOG: RFC user (dialog) in Accounts Receivable
● Multiple-system scenario
Contains the authorizations required by a user to call SAP Dispute Management dialog methods using RFC from the Dispute Case Processing system in the Accounts Receivable system. Examples of such methods are including open items in a dispute case and navigating from a dispute case to a linked line item.

SAP_FIN_FSCM_DM_AR_RFC_COMM: RFC user (communication) in Accounts Receivable
● Multiple-system scenario
Contains the authorizations required by a user to call SAP Dispute Management synchronous and asynchronous BAPI methods from the Dispute Case Processing system in the Accounts Receivable system. Examples of such methods are the automatic write off of dispute cases and automatic notification of Accounts Receivable when confirming and voiding cases.

SAP_FIN_FSCM_DM_DIALOG: Role for functions of Dispute Case Processing
● One-system scenario
Contains authorizations required by end users in Accounts Receivable so that they can call Dispute Case Processing functions in Accounts Receivable. Examples of such functions are creating/displaying dispute cases from transactions in Accounts Receivable and automatically changing dispute cases using clearing transactions in Accounts Receivable.

SAP_BC_CM_ADMINISTRATOR: Administrator in Case Management
● One-system and multiple-system scenario
Since the component Case Management represents the basis of SAP Dispute Management, you also require special Case Management authorizations when setting up SAP Dispute Management. These are included in this role.
13.3.7.2.5 Communication Destinations
Use
The following table shows an overview of the communication destinations used by SAP Dispute Management.
Table 121:

Destination: Example: DM2FIN_DIAG
Delivered: No
Type: RFC
User, Authorizations: Under Authorizations [page 232], you can see the roles for dialog users that you need for dialog calls that take place from the Dispute Case Processing system to the Accounts Receivable system.
Description: This destination is used for dialog calls that take place from the Dispute Case Processing system to the Accounts Receivable system by means of RFC.

Destination: Example: DM2FIN_COMM
Delivered: No
Type: RFC
User, Authorizations: Under Authorizations [page 232], you can see the roles for communication users that you need for synchronous and asynchronous BAPI calls that take place from the Dispute Case Processing system to the Accounts Receivable system.
Description: This destination is used for synchronous and asynchronous (IDocs) BAPI calls that take place from the Dispute Case Processing system to the Accounts Receivable system.

Destination: Example: FIN2DM_DIAG
Delivered: No
Type: RFC
User, Authorizations: Under Authorizations [page 232], you can see the roles for dialog users that you need for dialog calls that take place from the Accounts Receivable system to the Dispute Case Processing system.
Description: This destination is used for dialog calls that take place from the Accounts Receivable system to the Dispute Case Processing system by means of RFC.

Destination: Example: FIN2COL_COMM
Delivered: No
Type: RFC
User, Authorizations: Under Authorizations [page 232], you can see the roles for communication users that you need for synchronous and asynchronous BAPI calls that take place from the Accounts Receivable system to the Dispute Case Processing system.
Description: This destination is used for synchronous and asynchronous (IDocs) BAPI calls that take place from the Accounts Receivable system to the Dispute Case Processing system.
You can assign names for your RFC destinations as required. The names of the RFC destinations used above are
merely examples.
When you set up the RFC destinations for the ALE scenario, check whether the option of trusted/trusting system
relationship is relevant for you. Using an RFC trusted/trusting system relationship between two SAP systems
means that in the case of an RFC (Remote Function Call) from the trusted to the trusting system, no password is
sent for the logon to the trusting system. You can configure the RFC destinations in such a way that the call in the
target system occurs with the current user from the calling system without a password being specified or entered
on the logon screen. This has the following advantages, for example:
● When changes to objects or data are logged in the called system, this logging takes place with the current user from the calling system. This makes it easier to track changes that occurred through RFC.
● You can assign individual authorizations to the users in the called system. As such you can differentiate which actions or functions are accessible to the user in the called system irrespective of the user.
With this procedure, you must also create the users that are to be allowed to execute functions using RFC in the called system. Note that in the ALE scenario of SAP Dispute Management, RFC calls take place from the Accounts Receivable system to the Dispute Case Processing system and vice versa. A trust relationship between SAP systems is not mutual. This means that you can choose whether one system is to be designated as trusted for the other system and vice versa, or whether you want to define the trust relationship only in one direction.
In the Customizing of ALE (Application Link Enabling), you can also define different RFC destinations for dialog
calls, for BAPI calls, and for sending IDocs. As such you can also define an RFC destination for the dialog calls that
use the trusted/trusting system relationship and use the current user from the calling system for the RFC calls in
the target system, whilst you define an RFC destination for BAPI calls and for the sending of IDocs that does not
use the trusted/trusting system relationship and in which you enter a communication user.
Note
Note the following if your Accounts Receivable system is known as a trusted system by the Dispute Case
Processing system and you want to configure the RFC destination used for sending IDocs so that it uses the
trusted/trusting system relationship and the RFC calls in the target system with the current user from the
calling system:
IDocs are sent to the Dispute Case Processing system from the Accounts Receivable system when items are
cleared in the Accounts Receivable system, the clearing of items is reset, or partial payments are executed on
items for which a promise to pay exists for the corresponding invoice. If the corresponding RFC destination
uses the trusted/trusting system relationship, and carries out the call in the target system with the current
user from the calling system, this means that the user triggering the clearing, reset of clearing, or partial
payment must also be defined in the Dispute Case Processing system. You must therefore create all users who
carry out clearings, reversals of clearings, or partial payments in the Accounts Receivable system, and
therefore affect dispute cases, in the Dispute Case Processing system.
13.3.7.2.6 Data Storage Security
Use
Master data, transaction data, and Customizing data of SAP Dispute Management is stored in the database of the
SAP system.
Access to the database is restricted by the authorization objects of SAP Dispute Management. To see the authorization objects relevant in SAP Dispute Management, see the roles listed under Authorizations [page 232].
13.3.7.3 SAP Collections Management
13.3.7.3.1 Technical System Landscape
Use
You can use SAP Collections Management in a one-system scenario or in a multiple-system scenario. If you use
SAP Collections Management in a one-system scenario, this means that you use Collections Management in the
same system as Accounts Receivable. In a multiple-system scenario, you run Collections Management in a separate system, which communicates with the connected Accounts Receivable system by means of synchronous and asynchronous RFC calls and dialog calls.
The figure below shows the technical system landscape in a one-system scenario:
The following figure shows the technical system landscape in a multiple-system scenario:
If you connect several FI systems in a multiple-system scenario but have not installed a central system for
processing customer master data, then you can resolve conflicts when assigning numbers with the connection of
Unified Key Mapping Service to SAP NetWeaver Process Integration (UKMS connection to SAP NetWeaver PI).
The figure below shows the technical system landscape in a multiple-system scenario with several FI systems:
For additional information, see the SAP NetWeaver library under Business Services > Unified Key Mapping Service > Connection to SAP NetWeaver Process Integration.
13.3.7.3.2 Security Aspects of Data, Data Flow and Processes
The following sections show an overview of the data flow in a multiple-system scenario.
13.3.7.3.2.1 Transfer of Transaction Data
The figure below shows the transfer of transaction data, meaning FI items, from the Accounts Receivable (FI-AR)
system to the Collections Management system. This is data that the system needs for creating the worklists.
The table below shows the security aspect to be considered for the process step and what mechanism applies.
Table 122:
Step | Description | Security Measure
1 | The administrator schedules the job. | User type: Dialog user
2 | Program FDM_COLL_SEND_ITEMS transfers the FI items (IDoc/ALE) | User type: Technical user or, when the Trusted/Trusting connection is used, dialog user (see also )
13.3.7.3.2.2 Processing of Items in the Worklist
The figure below shows how a collection specialist processes an item in his worklist, thereby creating a promise to pay.
The table below shows the security aspect to be considered for the process step and what mechanism applies.
Table 123:
Step | Description | Security Measure
1 | The collection specialist calls up the worklist (transaction UDM_SPECIALIST) | User type: Dialog user
2 | He then navigates to receivables processing (synchronous RFC connection) | User type: Dialog user
3 | He creates a promise to pay with an asynchronous BAPI (IDoc/ALE) | User type: Technical user or, when the Trusted/Trusting connection is used, dialog user
13.3.7.3.3 User Management
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may
specify that users who perform their tasks interactively have to change their passwords on a regular basis, but not
those users who perform their tasks using background processing.
The user types that are required for SAP Collections Management include:
● Individual users:
  ○ For each individual user in your system, you need dialog users for the following purposes:
    ■ To use the system via SAP GUI for Windows
    ■ If you use SAP Collections Management in a multiple-system scenario and the RFC destinations used
      use a Trusted/Trusting system relationship, calls to the other system are performed using the
      current user from the calling system. Therefore, for each user a valid user must also exist in the
      target system.
● Technical users:
  ○ Background users can be used for processing in the background.
  ○ If you use SAP Collections Management in a multiple-system scenario and the RFC destinations
    concerned are configured such that they do not use a Trusted/Trusting system relationship, you need
    the following technical users for the RFC destinations:
    ■ Communication users are used for synchronous and asynchronous BAPI calls (IDocs).
    ■ Dialog users are used for dialog calls that take place remotely in the other system.
Standard Users
If you use SAP Collections Management in a multiple system scenario and there is no Trusted/Trusting system
relationship between the systems involved, you have to configure corresponding users for the ALE/RFC
communication between the systems involved.
Note that in SAP Collections Management, asynchronous BAPI calls (IDocs), synchronous BAPI calls, and dialog
calls take place between the systems involved. There are calls from the Collections Management system to the
system for Accounts Receivable Accounting and vice versa.
The following table shows the standard users required if you use SAP Collections Management in a multiple
system scenario and there is no Trusted/Trusting system relationship between the systems involved.
Table 124:
System | User ID | Type | Password | Description
Collections Management system | Example: ALE-DIAG1 | Dialog users | The user ID and password are stored in the RFC destination for the connection. | This user is used for dialog calls from the Accounts Receivable Accounting system in the Collections Management system.
Collections Management system | Example: ALE-COMM1 | Communication users | The user ID and password are stored in the RFC destination for the connection. | This user is used for synchronous BAPI calls or asynchronous BAPI calls (IDocs) from the Accounts Receivable Accounting system in the Collections Management system.
Accounts Receivable Accounting system | Example: ALE-DIAG2 | Dialog users | The user ID and password are stored in the RFC destination for the connection. | This user is used for dialog calls from the Collections Management system in the Accounts Receivable Accounting system.
Accounts Receivable Accounting system | Example: ALE-COMM2 | Communication users | The user ID and password are stored in the RFC destination for the connection. | This user is used for synchronous BAPI calls or asynchronous BAPI calls (IDocs) from the Collections Management system in the Accounts Receivable Accounting system.
Create the users required and enter them in the corresponding RFC destinations. You can assign user IDs as
required. The user IDs above are merely examples.
13.3.7.3.4 Authorizations
SAP Collections Management uses the authorization concept provided by SAP NetWeaver. Therefore, the security
guidelines and recommendations as described in the SAP NetWeaver AS Security Guide ABAP also apply to SAP
Collections Management.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance in SAP NetWeaver, use the profile generator (transaction PFCG).
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles:
Table 125:
SAP_FIN_FSCM_COL_SPECIALIST: Collection Specialist (one-system and multiple-system scenario)
Contains the authorizations that the collection specialist needs to perform the activities in his task area.
For example:
● Calling the worklist
● Displaying the business partner in SAP Collections Management
● Navigating to Process Receivables
● Creating contact persons in Collections Management
● Creating promises to pay and dispute cases
● Creating and changing customer contacts
● Creating and changing resubmissions
SAP_FIN_FSCM_COL_MANAGER: Collection Manager (one-system and multiple-system scenario)
Contains the authorizations that the collection manager needs to perform the activities in his task area.
In addition to all authorizations of the collection specialist (role SAP_FIN_FSCM_COL_SPECIALIST), this covers
the following actions, for example:
● Definition of collection strategies
● Definition of collection groups
● Assignment of a strategy to a group
● Change the role of the business partner specific to SAP Collections Management
● Overview of several worklists
● Distribution of worklist items to the collection specialists
SAP_FIN_FSCM_COL_ADMIN: Collections Management Administrator (one-system and multiple-system scenario)
Contains the authorizations that a user in the Collections Management system needs to start and monitor
programs that run periodically and preferably in the background.
For example:
● Worklist generation
● Distribution of worklist items to the collection specialists
● Mass change of the role of the business partner specific to SAP Collections Management
● Monitoring of parallel runs
● Deleting completed resubmissions
SAP_FIN_FSCM_COL_DIALOG: Role for promise to pay functions (one-system scenario)
Contains authorizations required by end users in Accounts Receivable so that they can call promise to pay
functions in Accounts Receivable.
Examples are:
● Creating, displaying, and changing promises to pay from receivables processing in Accounts Receivable
● Automatic change of promises to pay as a result of clearing transactions in Accounts Receivable
SAP_FIN_FSCM_COL_RFC_DIALOG: RFC user (dialog) for collections management functions (multiple-system scenario)
Contains authorizations for a user with which dialog methods are called in the SAP Collections Management
system from the Financial Accounting system by means of RFC. For example, navigation from receivables
processing to the detail display of the promise to pay or dispute case.
SAP_FIN_FSCM_COL_RFC_COMM: RFC user (communication) for collections management (multiple-system scenario)
Contains authorizations for a user with which synchronous and asynchronous methods are called in the SAP
Collections Management system from the Financial Accounting system.
For example:
● Posting of IDocs with data from Financial Accounting
● Creation of dispute cases, promises to pay, customer contacts, and resubmissions
● Reading of attributes of dispute cases, promises to pay, customer contacts, and resubmissions for display in
  receivables processing
SAP_FIN_FSCM_COL_AR_USER: End user in Receivables Processing (one-system and multiple-system scenario)
Contains the authorizations required by an end user in receivables processing in Accounts Receivable.
This role is in the Accounts Receivable system.
SAP_FIN_FSCM_COL_AR_RFC_COMM: RFC user (communication) in Accounts Receivable (multiple-system scenario)
Contains authorizations for a user with which synchronous and asynchronous methods are called from the SAP
Collections Management system in the Financial Accounting system. An example of such a method is the
automatic notification to Accounts Receivable when promises to pay are confirmed and voided.
SAP_FIN_FSCM_COL_AR_ADMIN: Collections Management Administrator Financial Accounting (one-system and multiple-system scenario)
Contains the authorizations that a user in the Accounts Receivable system needs to start and monitor programs
that run periodically and preferably in the background. For example, the transfer of data relevant for SAP
Collections Management from Accounts Receivable:
● Valuating promises to pay
● Automatic confirmation of promises to pay
SAP_FIN_FSCM_COL_AR_RFC_DIALOG: RFC user (dialog) in Receivables Processing (multiple-system scenario)
Contains the authorizations for a user with which users navigate to receivables processing from the worklist by
means of RFC. The authorizations permit the following activities:
● Display of invoice data
● Display of payment data
● Display of invoice history
● Creation, change, or display of a contact person
13.3.7.3.5 Communication Destinations
Use
The following table shows an overview of the communication destinations that you need for SAP Collections
Management if you use it in a multiple-system scenario.
Table 126:
Destination | Delivered | Type | User, Authorizations | Description
Example: COL2FIN_DIAG | No | RFC | Under Authorizations [page 242], you can see the roles for dialog users that you need for dialog calls that take place from the Collections Management system to the Accounts Receivable system. | This destination is used for dialog calls that take place from the Collections Management system to the Accounts Receivable system by means of RFC.
Example: COL2FIN_COMM | No | RFC | Under Authorizations [page 242], you can see the roles for communication users that you need for synchronous and asynchronous BAPI calls that take place from the Collections Management system to the Accounts Receivable system. | This destination is used for synchronous and asynchronous (IDocs) BAPI calls that take place from the Collections Management system to the Accounts Receivable system.
Example: FIN2COL_DIAG | No | RFC | Under Authorizations [page 242], you can see the roles for dialog users that you need for dialog calls that take place from the Accounts Receivable system to the Collections Management system. | This destination is used for dialog calls that take place from the Accounts Receivable system to the Collections Management system by means of RFC.
Example: FIN2COL_COMM | No | RFC | Under Authorizations [page 242], you can see the roles for communication users that you need for synchronous and asynchronous BAPI calls that take place from the Accounts Receivable system to the Collections Management system. | This destination is used for synchronous and asynchronous (IDocs) BAPI calls that take place from the Accounts Receivable system to the Collections Management system.
Note
If you connect several FI systems in a multiple-system scenario and use the connection of Unified Key Mapping
Service to SAP NetWeaver Process Integration (UKMS connection to SAP NetWeaver PI) to resolve conflicts
when assigning numbers, you also need to set up the following destinations:
● Calls from the Accounts Receivable system to the SAP NetWeaver PI system (PI system)
● Calls from the Collections Management system to the PI system
Note
For additional information about the security aspects of the CRM Middleware that you can use as a tool
for master data replication, see the Security Guide for SAP Customer Relationship Management.
For additional information, see Customizing of SAP Collections Management under Basic Settings for
Collections Management > Business Partners > Master Data Distribution for Several FI Systems, if you have
activated business function FSCM Functions 2 (FIN_FSCM_CCD_2).
You can assign names for your RFC destinations as required. The names of the RFC destinations used above are
merely examples.
When you set up the RFC destinations for the ALE scenario, check whether the option of a trusted/trusting system
relationship is relevant for you. Using an RFC trusted/trusting system relationship between two SAP systems
means that in the case of an RFC (Remote Function Call) from the trusted to the trusting system, no password is
sent for the logon to the trusting system. You can configure the RFC destinations in such a way that the call in the
target system occurs with the current user from the calling system without a password being specified or entered
on the logon screen. This has the following advantages, for example:
● When changes to objects or data are logged in the called system, this logging takes place with the current
user from the calling system. This makes it easier to track changes that occurred through RFC.
● You can assign individual authorizations to the users in the called system. As such, you can differentiate, per
user, which actions or functions are accessible in the called system.
With this procedure, you must also create, in the called system, the users that are to be allowed to execute
functions using RFC. Note that in the ALE scenario of SAP Collections Management, RFC calls take place from the
Accounts Receivable system to the Collections Management system and vice versa. A trust relationship between
SAP systems is not mutual. This means that you can choose whether each system is to be designated as trusted
for the other, or whether you want to define the trust relationship in one direction only.
In the Customizing of ALE (Application Link Enabling), you can also define different RFC destinations for dialog
calls, for BAPI calls, and for sending IDocs. As such, you can define an RFC destination for the dialog calls that
uses the trusted/trusting system relationship and runs the RFC calls in the target system under the current user
from the calling system, while defining an RFC destination for BAPI calls and for the sending of IDocs that does
not use the trusted/trusting system relationship and in which you enter a communication user.
Note
Note the following if your Accounts Receivable system is known as a trusted system by the Collections
Management system and you want to configure the RFC destination used for sending IDocs so that it uses the
trusted/trusting system relationship and carries out the RFC calls in the target system with the current user
from the calling system:
IDocs are sent to the Collections Management system from the Accounts Receivable system when items are
cleared in the Accounts Receivable system, the clearing of items is reset, or partial payments are executed on
items for which a promise to pay exists for the corresponding invoice. If the corresponding RFC destination
uses the trusted/trusting system relationship, and carries out the call in the target system with the current
user from the calling system, this means that the user triggering the clearing, reset of clearing, or partial
payment must also be defined in the Collections Management system. You must therefore create all users who
carry out clearing, resets of clearing, or partial payments in the Accounts Receivable system, and therefore
affect promises to pay, in the Collections Management system.
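As an added illustration of the rules in this section (this is not SAP code and not part of the guide), the following Python check models the RFC destinations of the ALE scenario and reports the configuration problems the text warns about: a trusted destination whose calling users do not all exist in the target system, a trust relationship that was only declared in the other direction, and a non-trusted destination whose stored user has the wrong type for the kind of call. The system names, user IDs and destination records are constructed sample data; the destination names reuse the example names from Table 126.

```python
"""Check the RFC destinations of an SAP Collections Management ALE scenario
against the rules in this section.

Added example, not SAP code. System names, user lists and destination records
are constructed sample data; the destination names reuse the examples of Table 126.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Destination:
    name: str
    source: str                 # system that issues the RFC call
    target: str                 # system in which the call is executed
    call_kind: str              # "dialog", "bapi" or "idoc"
    trusted: bool               # uses the trusted/trusting system relationship
    stored_user: Optional[str] = None        # user entered in the destination (non-trusted only)
    stored_user_type: Optional[str] = None   # "dialog" or "communication"


@dataclass
class Landscape:
    users: Dict[str, Dict[str, str]]      # system -> {user ID: user type}
    trust: Set[Tuple[str, str]]           # (trusting system, trusted system): who trusts whom
    calling_users: Dict[str, Set[str]]    # destination -> users whose actions trigger calls over it


def check_destination(dest: Destination, land: Landscape) -> List[str]:
    """Return the findings for one destination; an empty list means no problem."""
    findings: List[str] = []
    target_users = land.users.get(dest.target, {})
    if dest.trusted:
        # Trust is directional: the target (trusting system) must have declared
        # the source as a trusted system; an entry in the reverse direction does not count.
        if (dest.target, dest.source) not in land.trust:
            findings.append(f"{dest.name}: {dest.target} has not declared {dest.source} as trusted")
        # The call runs under the current user of the calling system, so every
        # user who triggers a call over this destination must also exist in the target.
        for user in sorted(land.calling_users.get(dest.name, set())):
            if user not in target_users:
                findings.append(f"{dest.name}: user {user} missing in {dest.target}")
    else:
        # Without the trust relationship the destination carries its own user:
        # a dialog user for dialog calls, a communication user for BAPI/IDoc calls.
        expected = "dialog" if dest.call_kind == "dialog" else "communication"
        if dest.stored_user is None:
            findings.append(f"{dest.name}: no user stored in the destination")
        elif dest.stored_user_type != expected:
            findings.append(f"{dest.name}: stored user should be a {expected} user")
        elif target_users.get(dest.stored_user) != expected:
            findings.append(f"{dest.name}: {dest.stored_user} is not a {expected} user in {dest.target}")
    return findings


def check_landscape(dests: List[Destination], land: Landscape) -> Dict[str, List[str]]:
    """Findings per destination name."""
    return {d.name: check_destination(d, land) for d in dests}


# Constructed sample landscape: COL trusts FI-AR, but FI-AR does not trust COL.
SAMPLE_LANDSCAPE = Landscape(
    users={
        "FI-AR": {"CLERK1": "dialog", "CLERK2": "dialog",
                  "ALE-DIAG2": "dialog", "ALE-COMM2": "communication"},
        "COL": {"CLERK1": "dialog", "SPEC1": "dialog",
                "ALE-DIAG1": "dialog", "ALE-COMM1": "communication"},
    },
    trust={("COL", "FI-AR")},
    calling_users={"FIN2COL_COMM": {"CLERK1", "CLERK2"}, "COL2FIN_DIAG": {"SPEC1"}},
)

SAMPLE_DESTINATIONS = [
    # IDoc destination FI-AR -> COL as trusted: CLERK2 clears items but has no user in COL.
    Destination("FIN2COL_COMM", "FI-AR", "COL", "idoc", trusted=True),
    # Dialog destination COL -> FI-AR as trusted, although FI-AR does not trust COL.
    Destination("COL2FIN_DIAG", "COL", "FI-AR", "dialog", trusted=True),
    # Non-trusted BAPI destination with a communication user: correct.
    Destination("COL2FIN_COMM", "COL", "FI-AR", "bapi", trusted=False,
                stored_user="ALE-COMM2", stored_user_type="communication"),
    # Non-trusted dialog destination that wrongly carries a communication user.
    Destination("FIN2COL_DIAG", "FI-AR", "COL", "dialog", trusted=False,
                stored_user="ALE-COMM1", stored_user_type="communication"),
]

if __name__ == "__main__":
    for name, found in check_landscape(SAMPLE_DESTINATIONS, SAMPLE_LANDSCAPE).items():
        print(name, "ok" if not found else "; ".join(found))
```

Run as a script, it prints the findings per destination. In a real landscape the user lists would be taken from the user master of each system and the destination records from RFC destination maintenance (transaction SM59); the check itself does not change.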
13.3.8 SAP S/4HANA Financial Closing cockpit
13.3.8.1 Authorizations
The SAP S/4HANA Financial Closing cockpit uses the authorization concept provided by the SAP NetWeaver AS
ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP also apply to the SAP S/4HANA Financial Closing cockpit.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine's
user administration console on the AS Java.
For more information about how to create roles, go to the SAP Help Portal and search for User and Role
Administration of Application Server ABAP. There, go to Configuration of User and Role Administration > Role
Administration.
Standard Roles
The table below shows the standard roles that are used by the SAP S/4HANA Financial Closing cockpit.
Table 127: Standard Roles
Role | Description
SAP_FCC_ADMIN | Authorizations for the template administrator role. This role can define templates, task lists, and task groups but cannot execute, schedule, or monitor any tasks.
SAP_FCC_MANAGER | Authorizations for the closing manager role. This role can change task lists and schedule, mass schedule, execute, and monitor tasks but cannot create task lists from templates.
SAP_FCC_PROCESSOR | Authorizations for the task processor role. This role can schedule, execute, and monitor tasks but cannot maintain anything.
SAP_FCC_AUDITOR | Authorizations for the auditor role. This role can display all objects in the closing but cannot maintain anything.
SAP_FCC_MENU | Authorization for accessing the SAP S/4HANA Financial Closing cockpit using SAP NetWeaver Business Client (NWBC).
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by the SAP S/4HANA Financial
Closing cockpit.
Table 128: Standard Authorization Objects
Authorization Object | Description
B_FCC_GEN | Financial Closing cockpit: Application. Used for authorization check at the application level.
B_FCC_TEMP | Financial Closing cockpit: Template/Task List/Task Group. Used for authorization check at the template, task list, or task group level.
B_FCC_ORG | Financial Closing cockpit: Organizational Unit. Used for authorization check at the organizational unit level.
B_FCC_TASK | Financial Closing cockpit: Task. Used for authorization check at the task level.
Authorizations for Business Intelligence (BI) iViews
BI authorizations are maintained separately from the authorizations in the SAP S/4HANA Financial Closing
cockpit. You need the standard BI authorizations for executing queries.
For more information, go to the SAP Help Portal and search for Data Warehouse Management. There, go to
Authorizations > Authorizations for Working with Queries.
13.3.9 Travel Management
13.3.9.1 Travel Management
Authorizations
Table 129: Standard Roles in Travel Management (for Web Dynpro ABAP-Based Applications)
SAP_FI_TV_WEB_TRAVELER_2: Traveler
The role contains the authorization profile needed to execute the applications of the Travel and Expenses
Employee Self-Service (ESS) in SAP NetWeaver Portal.
SAP_FI_TV_WEB_TRAVELER_EXT_TP: Traveler
Users with this role can execute the work center for travelers and the corresponding applications in NWBC. NWBC
calls a third-party travel planning solution instead of SAP Travel Planning.
The role contains the authorization profile needed to execute the applications of the Travel and Expenses ESS in
SAP NetWeaver Portal.
SAP_FI_TV_WEB_ESS_TRAVELER_2: ESS Single Role for Travelers
Users with this role can execute the work center for travelers and the corresponding applications in NWBC.
This role is integrated into the ESS role for Web Dynpro ABAP-based applications (SAP_EMPLOYEE_ESS_WDA_1).
SAP_FI_TV_WEB_ASSISTANT_2: Travel Assistant
Users with this role can execute the work center for travel assistants and the corresponding applications in NWBC.
The role contains the authorization profile needed to execute the applications of the Travel and Expenses ESS in
SAP NetWeaver Portal.
SAP_FI_TV_WEB_ESS_ASSISTANT_2: Travel Assistant
Users with this role can execute the work center for travel assistants and the corresponding applications in NWBC.
SAP_FI_TV_WEB_APPROVER_2: Approving Manager
Users with this role can execute the work center for approving managers and the corresponding applications in
NWBC.
This role is integrated into the MSS role for Web Dynpro ABAP-based applications (SAP_MANAGER_MSS_NWBC).
SAP_FI_TV_WEB_POLICY_ADMIN_2: Travel Policy Administrator
Users with this role can execute frequently used Customizing applications for policy management in NWBC.
SAP_FI_TV_TIC_AGENT: Travel Interaction Center Agent
This role authorizes service agents to run the required transactions and Web Dynpro ABAP-based applications in
the Travel Management system from within the Travel Interaction Center.
The Travel Interaction Center is a Shared Services Center in SAP Customer Relationship Management (SAP CRM).
Authorization Profiles
The standard system contains the travel profile FI-TV (infotype 0470 of Human Resources Management (HCM)).
Alternatively, you can create the authorization profile by means of organizational assignment using the HR feature
TRVCP.
Authorization Objects
For all general functions, Travel Management uses the authorization object P_TRAVL.
The transfer of results from expense reports to accounting is protected by the authorization object F_TRAVL.
The travel plan status is protected by the authorization object F_TRAVL_S.
Network and Communication Security
In Travel Management, you can set up connections to the following global distribution systems (GDS):
● Amadeus
The partner is responsible for the Gateway.
● Galileo
The partner is responsible for the Gateway.
Alternatively or in addition, you can use SAP NetWeaver Process Integration to set up direct connections to the
following travel service providers:
● Flight reservation systems, for example, low-cost carrier providers
Depending on the partner, communication with the Web services is HTTPS or HTTP based.
● Hotel reservation systems such as HRS
Depending on the partner, communication with the Web services is HTTPS or HTTP based. For the
communication channel, you can make various security settings. For more information, see the Configuration
Guide.
● Rail portals such as Deutsche Bahn (BIBE)
Communication with the Web services is HTTPS based.
Alternatively, instead of using SAP Travel Planning, you can use third-party online booking systems (third-party
travel planning) such as:
● GetThere
Communication with the Web services of GetThere (and of Sabre, if applicable) is HTTPS based. In SAP
NetWeaver Portal, you can use Single Sign-On (SSO) to automatically log on the SAP Travel Management users
to a third-party online booking system.
● e-Travel
Communication with the Web services of e-Travel is HTTPS based. In SAP NetWeaver Portal, you can use SSO to
automatically log on the SAP Travel Management users to a third-party online booking system.
For credit card clearing in Travel Management, you can use SAP NetWeaver Process Integration to set up direct
connections to credit card companies. You agree upon the safeguarding of the connection with the respective
partner. For more information, see SAP Library under Travel Management (FI-TV) > Travel Expenses (FI-TV-COS) >
Credit Card Clearing.
Data Storage Security
Travel Management transmits credit card information to the named partners. The data in the SAP system cannot
be accessed.
Travel Management supports secure handling of credit card data.
To set up connections to third-party systems, such as reservation systems, you might require company IDs and
user-specific technical passwords, which you can define in Customizing or in user-specific infotypes. In
Customizing, this data is protected by standard authorization objects for Customizing.
Travel Management imports data from files in the file system. Therefore, it is important to explicitly provide
access to the corresponding files in the file system without allowing access to other directories or files (also
known as directory traversal). You do this by specifying logical paths and file names in the system that are
assigned to the physical paths and file names. The system validates the assignment at runtime and issues an
error message if access to a directory is requested that does not match any assignment defined.
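The following Python sketch is an added example (not SAP's implementation) of the check described in the paragraph above: a logical file name is mapped to a physical name only through the directory assigned to its logical path, and the resolved name is rejected when it does not lie inside that directory. The logical path and file name assignments below are constructed; in an SAP system they are maintained in Customizing (transaction FILE) and validated at runtime by the FILE_VALIDATE_NAME function module, which is not reproduced here.

```python
"""Resolve logical file names to physical file names and reject directory traversal.

Added example, not SAP's implementation. The assignment tables are constructed:
in an SAP system, logical paths and file names come from Customizing (transaction
FILE), and the runtime check is done by the FILE_VALIDATE_NAME function module.
"""
import posixpath

# Constructed assignment of logical paths to physical directories.
LOGICAL_PATHS = {
    "TRAVEL_IMPORT": "/usr/sap/trans/data/travel/import",
    "CREDITCARD_IN": "/usr/sap/trans/data/travel/ccard",
}

# Constructed assignment of logical file names to (logical path, file name pattern).
# <PARAM_1> is the only part of the name that the caller may supply at runtime.
LOGICAL_FILES = {
    "TRAVEL_CC_FILE": ("CREDITCARD_IN", "cc_<PARAM_1>.txt"),
    "TRAVEL_IMPORT_FILE": ("TRAVEL_IMPORT", "<PARAM_1>"),
}


class FileAccessError(Exception):
    """Raised when a file name does not match any defined assignment."""


def validate_physical_name(logical_path: str, physical: str) -> str:
    """Return the normalized physical name if it lies inside the directory assigned
    to logical_path; otherwise raise FileAccessError.

    The comparison is done on whole path components (base directory plus "/"), so a
    sibling directory such as ".../import-old" does not pass for ".../import", and the
    directory itself is not accepted as a file. Symbolic links are not resolved here;
    a check against a real file system should also do that.
    """
    base_dir = posixpath.normpath(LOGICAL_PATHS[logical_path])
    normalized = posixpath.normpath(physical)   # collapses "." and ".." segments
    if not normalized.startswith(base_dir + "/"):
        raise FileAccessError(
            f"{physical} does not lie in the directory of logical path {logical_path}")
    return normalized


def resolve_physical_name(logical_file: str, param: str) -> str:
    """Build the physical file name for a logical file name and validate it."""
    try:
        logical_path, pattern = LOGICAL_FILES[logical_file]
    except KeyError:
        raise FileAccessError(f"unknown logical file name {logical_file}") from None
    physical = posixpath.join(LOGICAL_PATHS[logical_path],
                              pattern.replace("<PARAM_1>", param))
    return validate_physical_name(logical_path, physical)


def is_allowed(logical_file: str, param: str) -> bool:
    """True if the logical file name with this parameter resolves to a permitted file."""
    try:
        resolve_physical_name(logical_file, param)
        return True
    except FileAccessError:
        return False


if __name__ == "__main__":
    for name, param in [("TRAVEL_CC_FILE", "2024_03"),
                        ("TRAVEL_IMPORT_FILE", "rates.csv"),
                        ("TRAVEL_IMPORT_FILE", "../../other/rates.csv"),
                        ("TRAVEL_IMPORT_FILE", "../import-old/rates.csv")]:
        print(name, param, "allowed" if is_allowed(name, param) else "rejected")
```

The point of the design is that application code never passes a physical path around: it names a logical file and a parameter, and the resolver is the single place where the physical directory is chosen and the containment rule is enforced.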
13.3.9.2 Deletion of Personal Data in FI-TV
Use
The Travel Management (FI-TV) component might process data (personal data) that is subject to the data
protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to
control the blocking and deletion of personal data. For more information, see the product assistance for
SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Cross
Components > Data Protection.
Relevant Application Objects and Available Deletion Functionality
For information, see SAP Note 2028594.
Relevant Application and Available WUC Functionality
Table 130:
Application | Implemented Solution | Further Information
Travel Expenses (FI-TV-COS) | Where-used check (WUC) | SAP Note 2028595
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in
Customizing for Cross-Application Components under Data Protection.
13.4 Manufacturing
13.4.1 Production Engineering
13.4.1.1 Authorizations for Production BOM Management
Production BOM Management uses the authorization concept provided by the SAP NetWeaver Application
Server ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP
NetWeaver AS Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Roles
SAP delivers the following standard roles covering the most frequent business transactions. You can use these
roles as a template for your own roles.
Table 131:
SAP_BR_PRODN_ENG_DISC: Production Engineer - Discrete Manufacturing
During the product engineering phase, the product engineer designs and develops products, which involves the
designing of new products or product lines to take advantage of current process technology and to improve
quality and reliability. Or, an existing product has to be changed due to changing market or customer
requirements. The result of this product phase is drawings and a list of all the parts required to produce the
product. This list is the bill of material.
This business role is required for discrete manufacturing.
SAP_BR_PRODN_ENG_PROC: Production Engineer - Process Manufacturing
The corresponding business role required for the process industry.
SAP_BR_PRODN_ENG_DISC_CAM: Production Engineer - Discrete Manufacturing (CAM)
Defines certifications required to work in a work center or process a certain material to ensure that only certified
production operators perform critical production operations. Also defines production buyoffs.
SAP_BR_PRODN_ENG_DISC_EME: Production Engineer - Discrete Manufacturing (EME)
Translates engineering BOMs into manufacturing BOMs and creates detailed shop floor routings.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 132:
Authorization Object | Field | Value | Description
C_STUE_BER | ACTVT | 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete) | Activity
C_STUE_BER | BEGRU | | Authorization Group
C_STUE_BER | STLAN | 1 (Production), 4 (Plant Maintenance) | BOM Usage
C_STUE_BER | STLTY | M (Material BOM) | BOM Category
C_STUE_NOH | NOHIS | | Authorization to Edit BOMs without a Change Number
C_STUE_WRK | ACTVT | 01 (Create or generate), 02 (Change), 03 (Display) | Activity
C_STUE_WRK | CSWRK | | Plant
C_AENR_BGR | ACTVT | 22 (Enter, Include, Assign) | Activity
C_AENR_BGR | BEGRU | | Authorization Group
C_AENR_ERW | ACTVT | 22 (Enter, Include, Assign) | Activity
C_AENR_ERW | AEFUN | | Change Number Function
C_AENR_ERW | AENST | | Status of Change Number
C_AENR_ERW | BEGRU | | Authorization Group
C_AENR_ERW | RLKEY | | Release Key for Change Master
C_AENR_RV1 | ACTVT | 01 (Create or generate) | Activity
C_TCLA_BKA | KLART | 023 (Batch) | Class Type
C_DRAD_OBJ | ACTVT | | Activity
C_DRAD_OBJ | DOKAR | | Document Type
C_DRAD_OBJ | DOKOB | STKO_DOC, STPO_DOC | Linked SAP Object
C_DRAD_OBJ | STATUS | | Document Status
13.4.1.2 Authorizations for Master Recipe/Routing Management
Process and Master Recipe/Routing Management uses the authorization concept provided by the SAP
NetWeaver Application Server ABAP. Therefore, the recommendations and guidelines for authorizations as
described in the SAP NetWeaver AS Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
SAP delivers the following standard roles covering the most frequent business transactions. You can use these
roles as a template for your own roles.
Table 133:
SAP_BR_PRODN_ENG_DISC: Production Engineer - Discrete Manufacturing
SAP_BR_PRODN_ENG_PROC: Production Engineer - Process Manufacturing
SAP_BR_PRODN_ENG_DISC_CAM: Production Engineer - Discrete Manufacturing (CAM)
Defines certifications required to work in a work center or process a certain material to ensure that only certified
production operators perform critical production operations. Also defines production buyoffs.
SAP_BR_PRODN_ENG_DISC_EME: Production Engineer - Discrete Manufacturing (EME)
Translates engineering BOMs into manufacturing BOMs and creates detailed shop floor routings.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used for the role:
SAP_BR_PRODN_ENG_DISC (Production Engineer - Discrete Manufacturing).
Table 134:
Authorization Object Field Value Description
C_AENR_BGR ACTVT 22 (Enter, Include, Assign) Activity
BEGRU Authorization Group
C_AENR_ERW ACTVT 22 (Enter, Include, Assign) Activity
AEFUN Change Number Function
AENST Status of Change Number
BEGRU Authorization Group
RLKEY Release Key for Change Master
C_ARPL_ART AP_ART Work Center Category
C_ARPL_WRK ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
WERKS Plant
C_FVER_WRK ACTVT Activity
WERKS Plant
C_ROUT ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
PLNTY N (Routing) Task List Type
STATU Status
VERWE 1 (Production) Task List Usage
4 (Plant maintenance)
WERKS Plant
C_STUE_BER ACTVT 03 (Display) Activity
BEGRU Authorization Group
STLAN 1 (Production) BOM Usage
4 (Plant maintenance)
STLTY K (Order BOM) BOM Category
M (Material BOM)
S (Standard BOM)
C_TCLA_BKA KLART 018 (Task List Class) Class Type
019 (Work Center Class)
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used for the role:
SAP_BR_PRODN_ENG_PROC (Production Engineer - Process Manufacturing).
Table 135:
Authorization Object Field Value Description
C_AENR_BGR ACTVT 22 (Enter, Include, Assign) Activity
BEGRU Authorization Group
C_AENR_ERW ACTVT 22 (Enter, Include, Assign) Activity
AEFUN Change Number Function
AENST Status of Change Number
BEGRU Authorization Group
RLKEY Release Key for Change Master
C_ARPL_ART AP_ART Work Center Category
C_ARPL_WRK ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
WERKS Plant
C_FVER_WRK ACTVT Activity
WERKS Plant
C_ROUT ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
PLNTY 2 (Master Recipe) Task List Type
STATU Status
VERWE 1 (Production) Task List Usage
4 (Plant maintenance)
WERKS Plant
C_STUE_BER ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
BEGRU Authorization Group
STLAN 1 (Production) BOM Usage
4 (Plant maintenance)
STLTY D (Document Structure) BOM Category
E (Equipment BOM)
K (Order BOM)
M (Material BOM)
S (Standard BOM)
T (Functional Location BOM)
C_STUE_NOH NOHIS Authorization to Edit BOMs Without a Change Number
C_STUE_WRK ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
CSWRK Plant
Q_GP_CODE QCODEGRP Code Group
QKATART Catalog
Q_PLN_FEAT PLNTY Master Recipe Task List Type
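The tables above list, per standard role, the authorization objects together with the field values SAP delivers in the template. In practice these templates are copied into customer roles and restricted to organizational levels, and the security-relevant question is whether a copy still carries only the documented values. The following Python script is an added example, not part of the SAP guide and not SAP code: it models how an ABAP authorization check evaluates field values (single value, LOW..HIGH interval, trailing-asterisk pattern, full authorization with asterisk) over rows shaped like an export of table AGR_1251, and audits such rows against the values documented for SAP_BR_PRODN_ENG_DISC in Table 134. The object, field and value names come from that table; the roles beginning with Z_, the authorization instance names and every row value are constructed test data.

```python
"""Audit of role authorization values against the values documented in the
guide.  Added example, not part of the SAP guide and not SAP code.

Rows are shaped like an export of table AGR_1251 (role, object,
authorization instance, field, LOW, HIGH).  Object, field and documented
values come from Table 134; roles, instance names and row values are
constructed test data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Organizational-level fields the guide lists without values: they are meant to
# be restricted per derived role, so a full authorization on them is a finding.
ORG_LEVEL_FIELDS = {"WERKS", "CSWRK", "EKORG", "EKGRP", "LGORT", "DISPO"}


@dataclass(frozen=True)
class AuthRow:
    role: str
    obj: str
    auth: str      # authorization instance within the role (constructed names)
    field: str
    low: str
    high: str = ""


def value_granted(row, value):
    """Does one row grant `value`?  Modelled rules: '*' is full authorization,
    LOW..HIGH is an interval (string comparison, as for CHAR fields), a LOW
    ending in '*' is a prefix pattern, anything else is an exact match."""
    if row.low == "*":
        return True
    if row.high:
        return row.low <= value <= row.high
    if row.low.endswith("*"):
        return value.startswith(row.low[:-1])
    return row.low == value


def authority_check(rows, role, obj, required):
    """Mimic AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ID f2 FIELD v2 ... for a
    user holding `role`.  The check passes only if ONE authorization instance
    grants every requested field; values spread over two instances do not
    combine."""
    instances = defaultdict(list)
    for r in rows:
        if r.role == role and r.obj == obj:
            instances[r.auth].append(r)
    for inst_rows in instances.values():
        if all(any(value_granted(r, v) for r in inst_rows if r.field == f)
               for f, v in required.items()):
            return True
    return False


def find_overbroad(rows, documented):
    """Report rows wider than the guide documents.  `documented` maps
    (object, field) -> set of documented values.  A '*' on an organizational
    level is unrestricted; on a documented field '*' and patterns are wider
    than documented, an interval is flagged for review (the guide lists
    discrete values only), and an exact value outside the list is undocumented."""
    findings = []
    for r in rows:
        if r.high:
            shape, kind = f"{r.low}..{r.high}", "range: review"
        elif r.low == "*":
            shape, kind = "*", "full authorization"
        elif r.low.endswith("*"):
            shape, kind = r.low, "pattern"
        else:
            shape, kind = r.low, None
        if r.field in ORG_LEVEL_FIELDS and r.low == "*":
            findings.append((r.role, r.obj, r.field, shape, "unrestricted org level"))
            continue
        doc = documented.get((r.obj, r.field))
        if doc is None:
            continue
        if kind is not None:
            findings.append((r.role, r.obj, r.field, shape, kind))
        elif r.low not in doc:
            findings.append((r.role, r.obj, r.field, shape, "undocumented value"))
    return findings


# Documented values for SAP_BR_PRODN_ENG_DISC (Table 134).
DOCUMENTED_ENG_DISC = {
    ("C_STUE_BER", "ACTVT"): {"03"},
    ("C_STUE_BER", "STLAN"): {"1", "4"},
    ("C_STUE_BER", "STLTY"): {"K", "M", "S"},
    ("C_ROUT", "ACTVT"): {"01", "02", "03"},
    ("C_ROUT", "PLNTY"): {"N"},
    ("C_AENR_BGR", "ACTVT"): {"22"},
}

# Constructed rows: one copy of the template restricted to plant 1000, and a
# second copy in which C_STUE_BER was widened to full authorization.
SAMPLE_ROWS = [
    AuthRow("Z_PRODN_ENG_DISC_1000", "C_STUE_BER", "T-0001", "ACTVT", "03"),
    AuthRow("Z_PRODN_ENG_DISC_1000", "C_STUE_BER", "T-0001", "STLAN", "1"),
    AuthRow("Z_PRODN_ENG_DISC_1000", "C_STUE_BER", "T-0001", "STLTY", "M"),
    AuthRow("Z_PRODN_ENG_DISC_1000", "C_STUE_BER", "T-0001", "BEGRU", "*"),
    AuthRow("Z_PRODN_ENG_DISC_1000", "C_ROUT", "T-0002", "ACTVT", "01", "03"),
    AuthRow("Z_PRODN_ENG_DISC_1000", "C_ROUT", "T-0002", "PLNTY", "N"),
    AuthRow("Z_PRODN_ENG_DISC_1000", "C_ROUT", "T-0002", "WERKS", "1000"),
    AuthRow("Z_PRODN_ENG_DISC_ALL", "C_STUE_BER", "T-0003", "ACTVT", "*"),
    AuthRow("Z_PRODN_ENG_DISC_ALL", "C_STUE_BER", "T-0003", "STLAN", "1"),
    AuthRow("Z_PRODN_ENG_DISC_ALL", "C_STUE_BER", "T-0003", "STLTY", "M"),
    AuthRow("Z_PRODN_ENG_DISC_ALL", "C_ROUT", "T-0004", "ACTVT", "02"),
    AuthRow("Z_PRODN_ENG_DISC_ALL", "C_ROUT", "T-0004", "PLNTY", "N"),
    AuthRow("Z_PRODN_ENG_DISC_ALL", "C_ROUT", "T-0004", "WERKS", "*"),
]

if __name__ == "__main__":
    for finding in find_overbroad(SAMPLE_ROWS, DOCUMENTED_ENG_DISC):
        print(*finding)
```

Run against a real export, the audit needs the AGR_1251 columns AGR_NAME, OBJECT, AUTH, FIELD, LOW and HIGH mapped onto AuthRow; the documented-value dictionary is simply the relevant table of this guide typed out per role. Note the asymmetry the model makes visible: the display-only template restriction on C_STUE_BER (ACTVT 03) is lost the moment one instance carries ACTVT '*', while a plant restriction on C_ROUT in one instance does not narrow a second instance with WERKS '*'.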
13.4.2 Production Planning
13.4.2.1 Authorizations for Material Requirements Planning
Material Requirements Planning uses the authorization concept provided by the SAP NetWeaver for Application
Server ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP
NetWeaver AS Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
SAP delivers the following standard roles covering the most frequent business transactions. You can use these
roles as a template for your own roles.
Table 136:
Role Description
SAP_BR_MATL_PLNR_EXT_PROC Material Planner - External Procurement
SAP_BR_PRODN_PLNR Production Planner
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used for the roles
SAP_BR_MATL_PLNR_EXT_PROC (Material Planner - External Procurement) and SAP_BR_PRODN_PLNR (Production
Planner).
Table 137:
Authorization Object Field Value Description
M_MTDI_ORG DISPO MRP Controller (Materials Planner)
MDAKT A (MRP: current stock/requirements list) Activity Types in Materials Planning
R (MRP: current material overview)
B (MRP: total planning)
E (MRP: single-item planning)
WERKS Plant
M_PLAF_ORG DISPO MRP Controller (Materials Planner)
MDAKT A (MRP: current stock/requirements list) Activity Types in Materials Planning
F (MRP: firm planned order)
H (MRP: create planned order)
S (MRP: MRP list, collective display/planned order collective conversion)
U (MRP: planned order, individual conversion)
V (MRP: change planned order)
WERKS Plant
M_BANF_BSA ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
BSART Purchasing Document Type
M_BANF_EKG ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
EKGRP Purchasing Group
M_BANF_EKO ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
EKORG Purchasing Organization
M_BANF_LGO ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
WERKS Plant
LGORT Storage Location
M_BANF_WRK ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
WERKS Plant
M_BEST_BSA ACTVT 03 (Display) Activity
BSART Purchasing Document Type
M_BEST_EKG ACTVT 03 (Display)
EKGRP Purchasing Group
M_BEST_EKO ACTVT 03 (Display) Activity
EKORG Purchasing Organization
M_BEST_LGO ACTVT 03 (Display) Activity
WERKS Plant
LGORT Storage Location
M_BEST_WRK ACTVT 03 (Display) Activity
WERKS Plant
M_LPET_BSA ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
BSART Purchasing Document Type
M_LPET_EKG ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
EKGRP Purchasing Group
M_LPET_EKO ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
EKORG Purchasing Organization
M_LPET_WRK ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
WERKS Plant
C_AFKO_ATY ACTVT 01 (Create or generate) Activity
AUTYP 10 (Production order) Order Category
40 (Process order)
C_AFKO_AWA ACTVT 01 (Create or generate) Activity
AUTYP 10 (Production order) Order Category
40 (Process order)
AUFART Order Type
WERKS Plant
C_AFKO_AWK WERKS Plant
AUFART Order Type
V_VBAK_AAT AUART Sales Document Type
ACTVT 03 (Display) Activity
M_FCDM_ORG ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
43 (Release)
WERKS Plant
DISPO MRP Controller (Material Planner)
M_MTDI_ORG MDAKT P (MRP: create planning file entry) Activity Types in Materials Planning
WERKS Plant
DISPO MRP Controller (Material Planner)
C_PPBD AKTTYP A (Display) Activity Category in Transaction (Cr/Ch/D)
H (Add)
V (Change)
WERKS Plant
S_PROGRAM P_GROUP PPH_MRP (required for scheduling MRP runs) ABAP Program Authorization Group
PP_MRP1 (required for scheduling order conversion runs)
P_ACTION BTCSUBMIT (Schedule programs for background processing) User Action in ABAP Program
SUBMIT (Execute ABAP program)
VARIANT (Edit variants and execute ABAP program)
S_BTCH_JOB JOBACTION DELE (Delete jobs) Background Job Operations
RELE (Release jobs (released automatically when scheduled))
SHOW (Display job queue)
JOBGROUP Summary of jobs for a group
13.4.2.2 Authorizations for Production Planning and Detailed
Scheduling
Production Planning and Detailed Scheduling uses the authorization concept provided by the SAP NetWeaver AS
for ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver
AS Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
The table below shows the standard roles that are used.
Table 138:
Role Description
SAP_BR_PRODN_PLNR Production Planner
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 139:
Authorization Object Description
C_APO_PROD APO Authorization Object: Master Data, Products
C_APO_LOC APO Authorization Object: Master Data, Locations
C_APO_MALO APO Authorization Object: PP/DS, Location Product
C_APO_RES APO Authorization Object: Master Data, Resources
C_APO_RELO APO Authorization Object: PP/DS, Resource
C_APO_RESN APO Authorization Object: Master Data, Resource Network
C_APO_VERS APO Authorization Object: Planning Versions
C_APO_RTO APO Authorization Object: Production Data Structure
C_APO_PPL APO Authorization Object: PP/DS, Production Planner
C_APO_CAL APO Authorization Object: Planning Calendar
C_APO_PCM APO Authorization Object: Production Campaign (Manual)
C_APO_EXPR APO Authorization Object: External Procurement Relationships
C_APO_AMON APO Authorization Object: Alert Monitor
C_APO_SETM APO Authorization Object: Master Data, Setup Matrices
C_APO_SETG APO Authorization Object: Master Data, Setup Groups
C_APO_MATR APO Authorization Object: Rules for Setup Matrix Generation
C_APO_GRPR APO Authorization Object: Rules for Setup Group Generation
C_APO_PPC APO Authorization Object: Production Backflush
C_APO_SSA APO Authorization Object: Release Handling for Sales Scheduling Agreement
13.4.2.3 Data Storage Security
Using Logical Path and File Names to Protect Access to the File System
Production Planning and Detailed Scheduling saves data in files in the file system. Therefore, it is important to
explicitly provide access to the corresponding files in the file system without allowing access to other directories
or files (also known as directory traversal). This is achieved by specifying logical paths and file names in the
system that map to the physical paths and file names. This mapping is validated at runtime and if access is
requested to a directory that does not match a stored mapping, then an error occurs.
The data storage security of SAP NetWeaver and components installed on the base is described in the SAP
NetWeaver Security Guide. All business data in SAP PP/DS is stored in the system database. If SAP LiveCache is
used, some business data is also stored there. This business data is protected by the authorization concept of
SAP NetWeaver and SAP PP/DS. In some special cases, business-relevant data is stored in another location, such
as a file system. The special case is listed below:
Logical File Names Used
The following logical file name has been created in order to enable the validation of physical file names:
● SAP SCM Optimizer
Logical Path Names Used
The logical file names listed above all use the following logical file paths:
● :\usr\SAP\\\log (for Windows)
● \usr\sap\\\log (for Linux)
: Gateway ID on the SAP SCM Optimizer server
: Gateway number
Activating the Validation of Logical Path and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To find out which
paths are being used by your system, you can activate the corresponding settings in the Security Audit Log.
For more information about data storage security, see the respective chapter in the SAP NetWeaver Security
Guide.
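The mechanism described above, as an added example that is not part of the guide and not SAP's implementation: a Python model of the logical-to-physical path mapping that transaction FILE stores and of the runtime check that rejects a request which does not stay inside the mapped directory. The logical path name Z_OPTIMIZER_LOG, the placeholders <GW_ID> and <GW_NR> and the parameter values are constructed for the example; the guide itself only gives the directory pattern usr/sap/.../.../log with the gateway ID and gateway number as placeholders. The point the model makes is the one the section states: a mapping by itself protects nothing until the physical path is validated, and the validation has to happen after normalization, because "log/../../work" looks like a sub-directory and is not.

```python
"""Logical path validation, modelled after the FILE / SF01 mechanism the
guide describes.  Added example; not SAP code.

LOGICAL_PATHS is shaped like the definitions transaction FILE stores: a
logical path name mapped to a physical template with <PARAMETER>
placeholders.  The logical name, the placeholders and the parameter values
are constructed for this example.
"""
import posixpath
import re

LOGICAL_PATHS = {
    # constructed: gateway ID and gateway number of the optimizer server, the
    # log directory, then the file the calling program asks for
    "Z_OPTIMIZER_LOG": "/usr/sap/<GW_ID>/<GW_NR>/log/<FILENAME>",
}

# Constructed values for the placeholders the system itself fills in.
SYSTEM_PARAMS = {"GW_ID": "OPT01", "GW_NR": "G00"}

_PLACEHOLDER = re.compile(r"<([A-Z_]+)>")
# A system parameter must be exactly one path component: no separators and
# it may not start with a dot, which rules out '.' and '..'.
_ONE_COMPONENT = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]*$")


class PathValidationError(ValueError):
    """Raised when a request does not match a stored mapping."""


def mapped_root(logical_path):
    """Physical directory a logical path maps to, with placeholders filled."""
    try:
        template = LOGICAL_PATHS[logical_path]
    except KeyError:
        raise PathValidationError(f"no mapping for {logical_path}") from None
    if not template.endswith("/<FILENAME>"):
        raise PathValidationError("template must end in /<FILENAME>")

    def fill(match):
        name = match.group(1)
        value = SYSTEM_PARAMS.get(name)
        if value is None:
            raise PathValidationError(f"parameter {name} not set")
        if not _ONE_COMPONENT.match(value):
            raise PathValidationError(f"unsafe value for {name}: {value!r}")
        return value

    return _PLACEHOLDER.sub(fill, template[: -len("/<FILENAME>")])


def resolve_physical(logical_path, filename):
    """Return the physical path for `filename` under `logical_path`, or raise
    if the result would leave the mapped directory (the directory traversal
    case the guide describes)."""
    root = mapped_root(logical_path)
    if "\x00" in filename or filename.startswith("/"):
        raise PathValidationError(f"rejected file name {filename!r}")
    # Sub-directories are allowed, so normalise first and only then check
    # that the result is still below the root: this is what catches '..'.
    physical = posixpath.normpath(posixpath.join(root, filename))
    if not physical.startswith(root + "/"):
        raise PathValidationError(f"{filename!r} escapes {root}")
    return physical


def physical_path_allowed(logical_path, physical):
    """The check from the other direction: does an already-built physical
    path lie inside the directory mapped for `logical_path`?"""
    try:
        root = mapped_root(logical_path)
    except PathValidationError:
        return False
    return posixpath.normpath(physical).startswith(root + "/")


def is_rejected(logical_path, filename):
    """True if resolve_physical refuses the request."""
    try:
        resolve_physical(logical_path, filename)
    except PathValidationError:
        return True
    return False


if __name__ == "__main__":
    for name in ("optimizer.log", "2024/run1.log", "../../../etc/passwd"):
        try:
            print(name, "->", resolve_physical("Z_OPTIMIZER_LOG", name))
        except PathValidationError as err:
            print(name, "-> rejected:", err)
```

The two functions correspond to the two directions in which the guide describes the validation: a program asks for a file by logical name and receives a physical path, or a physical path already in hand is checked against the stored mapping. In the ABAP system the equivalent checks only run once the physical path has been maintained in FILE or SF01, which is why the section stresses that validation is off by default.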
13.4.3 Manufacturing Execution for Discrete Industries
13.4.3.1 Authorizations for Production Processing
Production Processing uses the authorization concept provided by the SAP NetWeaver for Application Server
ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
SAP delivers the following standard roles covering the most frequent business transactions. You can use these
roles as a template for your own roles.
Table 140:
Role Description
SAP_BR_PRODN_SUPERVISOR_DISC Production Supervisor - Discrete Manufacturing
SAP_BR_PRODN_SUPERVISOR_PROC Production Supervisor - Process Industry
SAP_BR_PRODN_OPTR_DISC Production Operator - Discrete Manufacturing
SAP_BR_PRODN_OPTR_PROC Production Operator - Process Industry
SAP_BR_PRODN_PROC_SPCLST_CAM Production Process Specialist (CAM)
Assigns certifications to production operators making sure only certified production operators perform critical production operations. The process specialist also defines the buyoff templates.
SAP_BR_PRODN_PROC_SPCLST_EPO Production Process Specialist (EPO)
Defines reason codes, hold codes, defect codes and so on.
SAP_BR_PRODN_SUPRVSR_DISC_CAM Production Supervisor - Discrete Manufacturing (CAM)
Performs buyoffs making sure the product meets quality criteria.
SAP_BR_PRODN_SUPRVSR_DISC_EPO Production Supervisor - Discrete Manufacturing (EPO)
Assigns production operators to work centers.
SAP_BR_PRODN_OPTR_DISC_EPO Production Operator - Discrete Manufacturing (EPO)
Performs production operations as defined in the shop floor routing and records production progress.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used for the role
SAP_BR_PRODN_SUPERVISOR_DISC (Production Supervisor - Discrete Manufacturing).
Table 141:
Authorization Object Description
C_AFFW_TWK CIM: Reworking error records from autom. goods movements
C_AFKO_ATY CIM: Order category
C_AFKO_AWA CIM: Authorization for Prod.Order/Order Type/Plant/Activity
C_AFKO_AWK CIM: Plant for order type of order
C_AFRU_AWK CIM: Confirmation
C_FVER_WRK PP-PI: Production Version - Plant
C_KAPA_ABG CIM: Capacity leveling
M_PLAF_ORG Organization Levels for Planned Order Processing
M_MSEG_BWA Goods Movements: Movement Type
M_MSEG_BWF Goods Receipt for Production Order: Movement Type
M_MSEG_LGO Goods Movements: Storage Location
M_MSEG_WWA Goods Movements: Plant
M_MSEG_WWF Goods Receipt for Production Order: Plant
C_NAV_PROF Navigation Profile
C_TCLA_BKA Authorization for Class Types
S_PROGRAM ABAP: Program Flow Checks (field P_GROUP with value PP_SFC1 is required to schedule order release runs)
S_BTCH_JOB Background Processing: Operations on Background Jobs
M_MTDI_ORG Organizational Levels for Material Requirements Planning
M_MIPA_ORG Updating Backorders
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used for the role
SAP_BR_PRODN_SUPERVISOR_PROC (Production Supervisor - Process Industry).
Table 142:
Authorization Object Description
S_BTCH_JOB Background Processing: Operations on Background Jobs
S_PROGRAM ABAP: Program Flow Checks (field P_GROUP with value PP_SFC1 is required to schedule order release runs)
C_KLAH_BKP Authorization for Class Maintenance
C_TCLA_BKA Authorization for Class Types
M_MSEG_BWA Goods Movements: Movement Type
M_MSEG_BWF Goods Receipt for Production Order: Movement Type
M_MSEG_LGO Goods Movements: Storage Location
M_MSEG_WWA Goods Movements: Plant
M_MSEG_WWF Goods Receipt for Production Order: Plant
M_PLAF_ORG Organization Levels for Planned Order Processing
C_AFFW_TWK CIM: Reworking error records from autom. goods movements
C_AFKO_ATY CIM: Order category
C_AFKO_AWA CIM: Authorization for Prod.Order/Order Type/Plant/Activity
C_AFKO_AWK CIM: Plant for order type of order
C_AFRU_AWK CIM: Confirmation
C_CREC_WRK PP-PI: Control Recipe - Plant
C_FVER_WRK PP-PI: Production Version - Plant
C_KAPA_ABG CIM: Capacity leveling
C_STUE_BER CS BOM Authorizations
Q_CHAR_PRC Recording Authorization for Insp. Results in an Operation
Q_INSP_FIN Inspection Completion with Open Char./Insp.Pts Req. Conf.
Q_MATERIAL Material Authorization
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used for the roles
SAP_BR_PRODN_OPTR_DISC (Production Operator - Discrete Manufacturing) and SAP_BR_PRODN_OPTR_PROC
(Production Operator - Process Industry).
Table 143:
Authorization Object Description
C_TCLA_BKA Authorization for Class Types
C_NAV_PROF Navigation Profile
M_MSEG_BWA Goods Movements: Movement Type
M_MSEG_BWF Goods Receipt for Production Order: Movement Type
M_MSEG_LGO Goods Movements: Storage Location
M_MSEG_WWA Goods Movements: Plant
M_MSEG_WWF Goods Receipt for Production Order: Plant
C_AFFW_TWK CIM: Reworking error records from autom. goods movements
C_AFKO_ATY CIM: Order category
C_AFKO_AWA CIM: Authorization for Prod.Order/Order Type/Plant/Activity
C_AFKO_AWK CIM: Plant for order type of order
C_AFRU_AWK CIM: Confirmation
C_FVER_WRK PP-PI: Production Version - Plant
C_KAPA_ABG CIM: Capacity leveling
13.4.3.2 Authorizations for Repetitive Manufacturing
Repetitive Manufacturing uses the authorization concept provided by the SAP NetWeaver for Application Server
ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Roles
SAP delivers the following standard roles covering the most frequent business transactions. You can use these
roles as a template for your own roles.
Table 144:
Role Description
SAP_BR_PRODN_SUPERVISOR_RPTV Production Supervisor: Repetitive Manufacturing
SAP_BR_PRODN_OPTR_RPTV Production Operator: Repetitive Manufacturing
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used for the role
SAP_BR_PRODN_SUPERVISOR_RPTV (production supervisor).
Table 145:
Authorization Object Field Value Description
C_KAPA_ABG ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
06 (Delete)
16 (Execute)
C_SAFK MDAKT V (MRP: change planned order) Activity Types in Materials Planning
WERKS Plant
C_TCLA_BKA KLART 013 Class Type
M_MIPA_ORG ACTVT 03 (Display) Activity
WERKS Plant
The table below shows the security-relevant authorization objects that are used for the role
SAP_BR_PRODN_OPTR_RPTV (production operator).
Table 146:
Authorization Object Field Value Description
C_BACKFL BF_CANCEL X (Yes) Reversing Backflushes
BF_CONCLU 1 (Decoupled confirmation) Final Postings
2 (Postprocessing)
BF_POST 1 (Post without correction) Authorization for Posting/Correcting
2 (Display BOM/routing)
3 (Change BOM/routing)
BF_REPPT 1 (Post previous RPs subsequently) Reporting Points (Subsequent Posting)
2 (Reset RP quantities)
BF_SCRAP X (Yes) Authorization for the Scrap Backflush
BF_TYPE B (Assembly backflush) Backflush Types
K (Component backflush)
L (Activity backflush)
LGORT Storage Location
WERKS Plant
C_AFFW_TWK AUTYP 10 (PP production order) Order Category
40 (Process order)
WERKS Plant
M_MSEG_BWA ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
BWART 101, 102, 261, 262, 531, 532, 543, 544, 545, 546 Movement Type (Inventory Management)
M_MSEG_BWF ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
BWART 101, 102, 261, 262, 531, 532, 543, 544, 545, 546 Movement Type (Inventory Management)
M_MSEG_LGO ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
WERKS Plant
LGORT Storage Location
BWART 101, 102, 261, 262, 531, 532, 543, 544, 545, 546 Movement Type (Inventory Management)
M_MSEG_WWA ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
WERKS Plant
M_MSEG_WWF ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
WERKS Plant
C_BCKFLUSH ACTVT 24 (Archive) Activity
31 (Confirm)
A8 (Process mass data)
WERKS Plant
13.4.3.3 Authorizations for Subcontracting and External
Procurement
Subcontracting and External Procurement uses the authorization concept provided by the SAP NetWeaver for
Application Server ABAP. Therefore, the recommendations and guidelines for authorizations as described in the
SAP NetWeaver AS Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Roles
SAP delivers the following standard roles covering the most frequent business transactions. You can use these
roles as a template for your own roles.
Table 147:
Role Description
SAP_BR_PRODN_PLNR Production Planner
SAP_BR_MATL_PLNR_EXT_PROC Material Planner - External Procurement
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 148:
Authorization Object Field Value Description
M_MTDI_ORG DISPO MRP Controller (Materials Planner)
MDAKT A (MRP: current stock/requirements list) Activity Types in Materials Planning
R (MRP: current material overview)
B (MRP: total planning)
E (MRP: single-item planning)
WERKS Plant
M_PLAF_ORG DISPO MRP Controller (Materials Planner)
MDAKT A (MRP: current stock/requirements list) Activity Types in Materials Planning
F (MRP: firm planned order)
H (MRP: create planned order)
S (MRP: MRP list, collective display/planned order collective conversion)
U (MRP: planned order, individual conversion)
V (MRP: change planned order)
WERKS Plant
M_BANF_BSA ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
BSART Purchasing Document Type
M_BANF_EKG ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
EKGRP Purchasing Group
M_BANF_EKO ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
EKORG Purchasing Organization
M_BANF_LGO ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
WERKS Plant
LGORT Storage Location
M_BANF_WRK ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
WERKS Plant
M_BEST_BSA ACTVT 03 (Display) Activity
BSART Purchasing Document Type
M_BEST_EKG ACTVT 03 (Display)
EKGRP Purchasing Group
M_BEST_EKO ACTVT 03 (Display) Activity
EKORG Purchasing Organization
M_BEST_LGO ACTVT 03 (Display) Activity
WERKS Plant
LGORT Storage Location
M_BEST_WRK ACTVT 03 (Display) Activity
WERKS Plant
M_LPET_BSA ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
BSART Purchasing Document Type
M_LPET_EKG ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
EKGRP Purchasing Group
M_LPET_EKO ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
EKORG Purchasing Organization
M_LPET_WRK ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
WERKS Plant
C_AFKO_ATY ACTVT 01 (Create or generate) Activity
AUTYP 10 (Production order) Order Category
40 (Process order)
C_AFKO_AWA ACTVT 01 (Create or generate) Activity
AUTYP 10 (Production order) Order Category
40 (Process order)
AUFART Order Type
WERKS Plant
C_AFKO_AWK WERKS Plant
AUFART Order Type
V_VBAK_AAT AUART Sales Document Type
ACTVT 03 (Display) Activity
M_FCDM_ORG ACTVT 01 (Create or generate) Activity
02 (Change)
03 (Display)
43 (Release)
WERKS Plant
DISPO MRP Controller (Material Planner)
M_MTDI_ORG MDAKT P (MRP: create planning file entry) Activity Types in Materials Planning
WERKS Plant
DISPO MRP Controller (Material Planner)
C_PPBD AKTTYP A (Display) Activity Category in Transaction (Cr/Ch/D)
H (Add)
V (Change)
WERKS Plant
S_PROGRAM P_GROUP PPH_MRP ABAP Program Authorization Group
P_ACTION BTCSUBMIT (Schedule programs for background processing) User Action in ABAP Program
SUBMIT (Execute ABAP program)
VARIANT (Edit variants and execute ABAP program)
S_BTCH_JOB JOBACTION DELE (Delete jobs) Background Job Operations
RELE (Release jobs (released automatically when scheduled))
SHOW (Display job queue)
JOBGROUP Summary of jobs for a group
13.4.3.4 Authorizations for Kanban
Kanban uses the authorization concept provided by the SAP NetWeaver for Application Server ABAP. Therefore,
the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide
ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Roles
SAP delivers the following standard role covering the most frequent business transactions. You can use this role
as a template for your own roles.
Table 149:
Role Description
SAP_BR_PRODN_OPTR_DISC Production Operator - Discrete Manufacturing
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 150:
Authorization Object Description
C_TCLA_BKA Authorization for Class Types
C_NAV_PROF Navigation Profile
M_MSEG_BWA Goods Movements: Movement Type
M_MSEG_BWF Goods Receipt for Production Order: Movement Type
M_MSEG_LGO Goods Movements: Storage Location
M_MSEG_WWA Goods Movements: Plant
M_MSEG_WWF Goods Receipt for Production Order: Plant
C_AFFW_TWK CIM: Reworking error records from autom. goods movements
C_AFKO_ATY CIM: Order category
C_AFKO_AWA CIM: Authorization for Prod.Order/Order Type/Plant/Activity
C_AFKO_AWK CIM: Plant for order type of order
C_AFRU_AWK CIM: Confirmation
C_FVER_WRK PP-PI: Production Version - Plant
C_KAPA_ABG CIM: Capacity leveling
13.4.3.5 Authorizations for Just-in-Time-Processing
Just-in-Time Processing (JIT) uses the authorization concept provided by the SAP NetWeaver AS for ABAP.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 151:
Authorization Object Description
C_AUTO_JIT ISAUTO_JIT: Sequenced JIT Calls (seqJC)
C_JIT_CALL PP-FLW JIT Calls
C_JIT_OUT IS-A-JIT: JIT Outbound Calls
13.4.3.6 Deletion of Personal Data (Just-in-Time-Processing)
Use
Just-in-Time-Processing (IS-A-JIT) might process data (personal data) that is subject to the data protection laws
applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking
and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP
Help Portal at http://help.sap.com/s4hana_op_1709 Product Assistance Cross Components Data
Protection .
Relevant Application Objects and Available Deletion Functionality
Table 152:
Application Provided Deletion Functionality
Just-in-Time-Processing (IS-A-JIT) Archiving objects: JIT_SJCAL, JITO_CALL
ILM objects: JIT_SJCALL, JITO_CALL
Report: DELETE_JIT_VENDOR_CUSTOMER
Relevant Application Objects and Available EoP/WUC functionality
Table 153:
Application Implemented Solution (EoP or WUC) Further Information
Just-in-Time-Processing (IS-A-JIT) WUC Checks table JITCU
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components→Data Protection.
13.4.3.7 Authorizations for Production Backflush
Production Backflush uses the authorization concept provided by the SAP NetWeaver AS for ABAP. Therefore,
the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide
ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 154:
Authorization Object Description
C_BCKFLUSH Automotive: Production backflush
C_APO_PPC APO Authorization Object: Production Backflush
13.4.3.8 Deletion of Personal Data (Production Backflush)
Use
Production Backflush might process data (personal data) that is subject to the data protection laws applicable in
specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion
of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at
http://help.sap.com/s4hana_op_1709 Product Assistance Cross Components Data Protection .
Relevant Application Objects and Available Deletion Functionality
Table 155:
Application | Provided Deletion Functionality
Production Backflush (IS-A-PPC) | Archiving object PP_CONF
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components→Data Protection.
13.4.4 Quality Management
13.4.4.1 Authorizations in Quality Management
Quality management uses the authorization concept provided by the SAP NetWeaver AS for ABAP. Therefore, the
recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP
also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
The table below shows the standard roles that are used.
Table 156:
Role | Description
SAP_BR_QUALITY_PLANNER | Quality Planner: Sets up master data (specification, inspection planning, FMEA) and advanced quality planning.
SAP_BR_QUALITY_TECHNICIAN | Quality Technician: Prepares and executes quality inspections of products and materials and manages inconsistencies.
SAP_BR_CALIBRATION_TECHNICIAN | Calibration Technician: Performs quality inspections for test equipment.
SAP_BR_QUALITY_MANAGER | Quality Manager: Leads process-improvement initiatives. Facilitates and leads team efforts to establish and monitor customer/supplier relations, supports strategic initiatives, and helps develop measurement systems to determine organizational improvements.
SAP_BR_QUALITY_ENGINEER | Quality Engineer: Supports the quality manager in making sure that the company's quality and safety compliance goals are met. Makes usage decisions. Performs statistical analyses of test results. Coordinates activities within QM.
SAP_BR_QUALITY_ENGINEER_EPO | Quality Engineer (EPO): Analyzes product genealogy and action logs to identify the root cause of a product issue.
SAP_BR_QUALITY_AUDITOR | Quality Auditor: Plans and performs audits.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 157:
Authorization Object | Fields | Description | Comment
AUDIT_AUTH | Authorization Group; Activities for Authorizations; Audit Type | Authorizations in Audit Processing |
Q_TCODE | Transaction Code | QM Transaction Authorization | You use this authorization object in combination with other QM authorization objects that do not have a field for activities assigned. By assigning a concrete transaction code, you can distinguish, for example, between displaying or changing an object.
Q_CAT_GRP | Code Group; Catalog; Code Group Status | Catalog Maintenance of Code Groups and Codes |
Q_CAT_SSET | Selected Set; Plant; Catalog; Status of Selected Set | Catalog Maintenance of Selected Sets |
Q_CGRP_ACT | Activity; Catalog; Code Group; Code Group Status | Catalog of Code Groups and Codes (Including Activity) | As of 1709
Q_CSSER_AC | Activity; Plant; Catalog; Selected Set; Status of Selected Set | Catalog of Selected Sets (Including Activity) | As of 1709
Q_GP_CODE | Code Group; Catalog | Use of Code Groups |
Q_UD_CODE | Plant; Inspection Lot, Partial Lot, Single Unit, Interval; Selected Set of the Usage Decision; Code Group of the Usage Decision; Usage Decision Code | Using Usage Decision Codes |
Q_OC_CODE | Plant; Work Center; Selected Set of the Usage Decision; Code Group of the Usage Decision; Usage Decision Code; Inspection Lot, Partial Lot, Single Unit, Interval | Use of Usage Decision Codes for Completion at Operation Level |
Q_INSPMETH | Activity for Inspection Method; Plant; Authorization Group QM Basic Data; Inspection Method Status | Inspection Method | As of 1709
Q_MINSPCHR | Activity for Master Inspection Characteristic; Plant; Authorization Group QM Basic Data; Master Inspection Characteristic Status | Master Inspection Characteristic | As of 1709
Q_QIRECPRC | Activity; Plant; Material Authorization Group for Activities in QM | Quality Info Record for Procurement | As of 1709
Q_SMPLPROC | Activity | Sampling Procedure | As of 1709
Q_SMPLSCHM | Activity | Sampling Scheme | As of 1709
Q_DYNMODRL | Activity | Dynamic Modification Rule | As of 1709
Q_MASTERD | Authorization Group QM Basic Data; Activity for QM Master Data Authorizations | Authorization for Master Data |
Q_STA_QMTB | Inspection Method Status | Maintain Inspection Methods Depending on Status |
Q_STA_QPMK | Master Inspection Characteristic Status | Maintain Master Inspection Characteristics Depending on Status |
Q_MATERIAL | Material Authorization Group for Activities in QM; Activity for QM Material Authorization; Plant | Material Authorization |
Q_ROUT | Activity; Task List Type; Plant; Task List Usage; Status | Maintain Inspection Plan |
Q_PLN_FEAT | Task List Type | Maintaining Task List Characteristics for a Task List Type |
Q_CP | Activity; Plant | Control Plan Maintenance |
Q_FMEA | Authorization Group; Activities for Authorizations; FMEA Type | Authorizations Within FMEA Processing |
Q_INSPLOT | Activity for Inspection Lot; Plant; Inspection Type; Material Authorization Group for Activities in QM | Inspection Lot | As of 1709
Q_INSPPNT | Activity; Plant; Name of the Reference Work Center; Inspection Type; Inspection Point Type; Material Authorization Group for Activities in QM | Inspection Point | As of 1709
Q_INSPRSLT | Activity for Inspection Results; Plant; Name of the Reference Work Center; Inspection Type; Material Authorization Group for Activities in QM | Inspection Result | As of 1709
Q_INSPTYPE | Plant; Inspection Type | Inspection Type for the Inspection Lot |
Q_CHAR_PRC | Plant; Work Center; Initial Status of Inspection Characteristic (Sample); Final Status of the Inspection Characteristic (Sample) | Recording Authorization for Inspection Results in an Operation |
Q_INSP_FIN | Plant; Inspection Type | Inspection Completion with Open Characteristics for Inspection Points Usually Requiring Confirmation |
Q_STCK_CHG | Plant; Stock Type; Authorizations for Stock Postings | Change Stock Posting Fields in Usage Decision Transactions |
Q_RSLTHSTY | Activity for Results History; Plant | Results History | As of 1709
Q_SPC | Plant; SPC Criterion | Change to Control Charts |
Q_CERT_PRF | Certificate Type; Transaction Code | Maintenance of Certificate Profiles |
Q_DEFECT | Activity; Plant | Independent Defect | As of 1709
Q_QLEVEL | Activity; Plant; Material Authorization Group for Activities in QM | Quality Level | As of 1709
Q_QMEL | Notification Type; Transaction Code; Plant | Quality Notification Types |
Q_VORG_MEL | Business Transaction; Notification Type | Business Process Quality Notifications |
B_NOTIF_EX | Notification Type; Activity Category in Transaction (Create/Change/Delete) | Extended Change of Notification Type |
Some authorization objects were newly created in 1709, because some existing authorization objects did not
contain any activities. Authorization was checked using the authorization object Q_TCODE (transaction code)
instead, which also needed to be maintained. Since transaction codes are no longer relevant for Fiori apps, the old
authorization objects are gradually being replaced by new authorization objects with activities.
The new authorization objects will replace the old authorization objects in the medium term. The old authorization
objects will be deleted in the future. Until then, they remain valid. That means the new authorization objects are
checked in addition to the old authorization objects.
The following table shows which new authorization object replaces which old authorization objects.
Table 158:
New Authorization Object | Replaces Following Old Authorization Objects | Comment
Q_CGRP_ACT | Q_CAT_GRP and Q_TCODE | Authorization for editing code groups and codes
Q_CSSET_ACT | Q_CAT_SSET and Q_TCODE | Authorization for editing selection sets
Q_MINSPCHR | Q_MASTERD, Q_STA_QPMK, and Q_TCODE | Authorization for editing master inspection characteristics
Q_INSPMETH | Q_MASTERD, Q_STA_QPTB, and Q_TCODE | Authorization for editing inspection methods
Q_SMPLPROC | Q_TCODE | Authorization for editing sampling procedures
Q_DYNMODRL | Q_TCODE | Authorization for editing dynamic modification rules
Q_QIRECPRC | Q_MATERIAL and Q_TCODE | Authorization for editing quality info records for procurement
Q_SMPLSCHM | Q_TCODE | Authorization for editing sampling schemes
Q_INSPLOT | Q_INSPTYPE, Q_MATERIAL, and Q_TCODE | Authorization for editing inspection lots
Q_INSPRSLT | Q_INSPTYPE, Q_MATERIAL, and Q_TCODE | Authorization for recording inspection results
Q_QLEVEL | Q_MATERIAL and Q_TCODE | Authorization for editing quality levels
Q_INSPPNT | Q_TCODE | Authorization for editing inspection points
Critical Combinations
We strongly recommend that you do not grant authorization for results recording and usage decision for the same
inspection lot to one single user.
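The two checks a role reviewer would want from the tables above, as an added Python example (not SAP code): it flags a user who holds both results-recording and usage-decision authorizations for the same plant, and a role that carries a new activity-based object without the old objects from Table 158 that are still checked alongside it. Role names, plants, and user IDs are constructed.

```python
"""Role review against the QM authorization objects in Tables 157 and 158.

Added example, not SAP code. It models PFCG roles as sets of authorization
object grants and checks two points made above: the critical combination of
results recording and usage decision held by one user (checked per plant), and
roles that carry a new activity-based object without the old objects it
replaces, which are still checked during the transition. All data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Table 158: new object -> old objects it replaces.
REPLACEMENTS: Dict[str, FrozenSet[str]] = {
    "Q_CGRP_ACT": frozenset({"Q_CAT_GRP", "Q_TCODE"}),
    "Q_CSSET_ACT": frozenset({"Q_CAT_SSET", "Q_TCODE"}),
    "Q_MINSPCHR": frozenset({"Q_MASTERD", "Q_STA_QPMK", "Q_TCODE"}),
    "Q_INSPMETH": frozenset({"Q_MASTERD", "Q_STA_QPTB", "Q_TCODE"}),
    "Q_SMPLPROC": frozenset({"Q_TCODE"}),
    "Q_DYNMODRL": frozenset({"Q_TCODE"}),
    "Q_QIRECPRC": frozenset({"Q_MATERIAL", "Q_TCODE"}),
    "Q_SMPLSCHM": frozenset({"Q_TCODE"}),
    "Q_INSPLOT": frozenset({"Q_INSPTYPE", "Q_MATERIAL", "Q_TCODE"}),
    "Q_INSPRSLT": frozenset({"Q_INSPTYPE", "Q_MATERIAL", "Q_TCODE"}),
    "Q_QLEVEL": frozenset({"Q_MATERIAL", "Q_TCODE"}),
    "Q_INSPPNT": frozenset({"Q_TCODE"}),
}
# Objects that allow recording inspection results / making the usage decision.
RESULTS_RECORDING = frozenset({"Q_INSPRSLT", "Q_CHAR_PRC"})
USAGE_DECISION = frozenset({"Q_UD_CODE", "Q_OC_CODE"})
DISPLAY_ONLY = "03"  # standard ACTVT value for "display"


@dataclass(frozen=True)
class Grant:
    obj: str
    plants: FrozenSet[str]  # Plant field values; "*" means all plants
    activity: str = "*"     # activity field value, where the object has one


Roles = Dict[str, List[Grant]]
Users = Dict[str, List[str]]


def plants_in_common(a: FrozenSet[str], b: FrozenSet[str]) -> FrozenSet[str]:
    """Plants for which both grants apply; a "*" wildcard matches everything."""
    if "*" in a and "*" in b:
        return frozenset({"*"})
    if "*" in a:
        return b
    return a if "*" in b else a & b


def critical_combinations(user: str, users: Users, roles: Roles) -> List[Tuple[str, str, str]]:
    """(plant, recording object, usage-decision object) triples the user holds."""
    grants = [g for role in users.get(user, []) for g in roles.get(role, [])]
    rec = [g for g in grants if g.obj in RESULTS_RECORDING and g.activity != DISPLAY_ONLY]
    ud = [g for g in grants if g.obj in USAGE_DECISION]
    hits = set()
    for r in rec:
        for u in ud:
            for plant in plants_in_common(r.plants, u.plants):
                hits.add((plant, r.obj, u.obj))
    return sorted(hits)


def incomplete_transition(role: str, roles: Roles,
                          ignore: FrozenSet[str] = frozenset({"Q_TCODE"})) -> Dict[str, FrozenSet[str]]:
    """New objects in the role whose replaced old objects are missing from it.
    Q_TCODE is ignored by default: transaction codes do not apply to Fiori apps."""
    present = {g.obj for g in roles.get(role, [])}
    missing = {}
    for new_obj in sorted(present.intersection(REPLACEMENTS)):
        gap = REPLACEMENTS[new_obj] - present - ignore
        if gap:
            missing[new_obj] = frozenset(gap)
    return missing


# Constructed sample roles and users (Z_* names and plant numbers are placeholders).
ROLES: Roles = {
    "Z_QM_RESULTS_RECORDER": [
        Grant("Q_INSPRSLT", frozenset({"1000"}), "02"),
        Grant("Q_INSPTYPE", frozenset({"1000"})),
        Grant("Q_MATERIAL", frozenset({"1000"})),
    ],
    "Z_QM_UD_APPROVER": [Grant("Q_UD_CODE", frozenset({"1000", "2000"}))],
    # New object only: fails while the old objects are still checked too.
    "Z_QM_LOT_DISPLAY": [Grant("Q_INSPLOT", frozenset({"*"}), "03")],
}
USERS: Users = {
    "qm_user_a": ["Z_QM_RESULTS_RECORDER", "Z_QM_UD_APPROVER"],
    "qm_user_b": ["Z_QM_RESULTS_RECORDER", "Z_QM_LOT_DISPLAY"],
}

if __name__ == "__main__":
    for user in USERS:
        print(user, "critical combinations:", critical_combinations(user, USERS, ROLES))
    for role in ROLES:
        print(role, "missing old objects:", incomplete_transition(role, ROLES))
```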
13.4.4.2 Internet Communication Framework Security (ICF)
You should only activate those services that are needed for the applications running in your system. For quality
management the following services are needed for the respective Web Dynpro applications:
● QI_INSPECTIONLOT_DETAIL_APP
● QI_RECORD_RESULTS_APPL
● QI_RECORD_RESULTS_ETI_APPL
Use the transaction SICF to activate these services.
If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings
accordingly.
For more information about ICF security, see the respective chapter in the SAP NetWeaver Security Guide.
13.4.4.3 Communication Channel Security
The table below shows the communication channels used, the protocol used for the connection, and the type of
data transferred.
Table 159:
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Communication with Supplier Network Collaboration | SOAP | Quality notification data |
Communication with the Quality Inspection Engine (QIE) of the Extended Warehouse Management (EWM) | SOAP, RFC | Inspection lot data |
Communication exchange of quality certificates with external partner | IDoc | Quality certificates | Digital signature
Quality master data replication | IDoc | Master inspection characteristics; Master inspection methods; Codes; Inspection plan |
Communication with external subsystem for inspection | RFC, SOAP | Inspection lot data; Inspection results |
Communication with external subsystem for statistical process control (SPC) | RFC | Inspection lot data; Inspection results |
Communication with SAP Manufacturing Execution (ME) | RFC, IDoc | Inspection lot data; Inspection results |
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using the Secure Sockets Layer (SSL) protocol. SOAP connections are protected with Web services
security.
Note
We strongly recommend using secure protocols (SSL, SNC) whenever possible.
For more information, see Transport Layer Security and Web Services Security in the SAP NetWeaver Security
Guide.
13.4.4.4 Data Protection
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance
with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different
countries. This section describes the specific features and functions that SAP provides to support compliance
with the relevant legal requirements and data privacy.
This section and any other sections in this Security Guide do not give any advice on whether these features and
functions are the best method to support company, industry, regional or country-specific requirements.
Furthermore, this guide does not give any advice or recommendations with regard to additional features that
would be required in a particular environment; decisions related to data protection must be made on a case-by-
case basis and under consideration of the given system landscape and the applicable legal requirements.
Note
In the majority of cases, compliance with data privacy laws is not a product feature.
SAP software supports data privacy by providing security features and specific data-protection-relevant
functions such as functions for the simplified blocking and deletion of personal data.
SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken
from any given legal source.
Table 160: Glossary
Term | Definition
Personal Data | Information about an identified or identifiable natural person.
Business purpose | A legal, contractual, or in other form justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.
Blocking | A method of restricting access to data for which the primary business purpose has ended.
Deletion | Deletion of personal data so that the data is no longer usable.
Retention period | The time period during which data must be available.
End of purpose (EoP) | A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization.
Some basic requirements that support data protection are often referred to as technical and organizational
measures (TOM). The following topics are related to data protection and require appropriate TOMs:
● Access control: Authentication features as described in section User Administration and Authentication.
● Authorizations: Authorization concept as described in section Authorizations.
● Read access logging: as described in section Read Access Logging.
● Communication Security: as described in section Network and Communication Security.
● Availability control as described in:
○ Section Data Storage Security
○ SAP NetWeaver Database Administration documentation
○ SAP Business Continuity documentation in the SAP NetWeaver Application Help under Function-Oriented View → Solution Life Cycle Management → SAP Business Continuity.
● Separation by purpose: Is subject to the organizational model implemented and must be applied as part of the authorization concept.
Note
The extent to which data protection is ensured depends on secure system operation. Network security,
security note implementation, adequate logging of system changes, and appropriate usage of the system are
the basic technical requirements for compliance with data privacy legislation and other legislation.
Configuration of Data Protection Functions
Certain central functions that support data protection compliance are grouped in Customizing for Cross-
Application Components under Data Protection.
Additional industry-specific, scenario-specific or application-specific configuration might be required. For
information about the application-specific configuration, see the application-specific Customizing in SPRO.
13.4.4.4.1 Deletion of Personal Data
The ERP Quality Management application might process data (personal data) that is subject to the data
protection laws applicable in specific countries as described in SAP Note 1825544.
The SAP Information Lifecycle Management (ILM) component supports the entire software lifecycle including the
storage, retention, blocking, and deletion of data. The Quality Management application uses SAP ILM to support
the deletion of personal data as described in the following sections.
SAP delivers an end of purpose check for the Quality Management application.
End of Purpose Check (EoP)
An end of purpose check determines whether data is still relevant for business activities based on the retention
period defined for the data. The retention period of data consists of the following phases.
● Phase one: The relevant data is actively used.
● Phase two: The relevant data is actively available in the system.
● Phase three: The relevant data needs to be retained for other reasons.
For example, processing of data is no longer required for the primary business purpose, but to comply with
legal rules for retention, the data must still be available. In phase three, the relevant data is blocked.
Blocking of data prevents the business users of SAP applications from displaying and using data that may
include personal data and is no longer relevant for business activities.
Blocking of data can impact system behavior in the following ways:
● Display: The system does not display blocked data.
● Change: It is not possible to change a business object that contains blocked data.
● Create: It is not possible to create a business object that contains blocked data.
● Copy/Follow-Up: It is not possible to copy a business object or perform follow-up activities for a business
object that contains blocked data.
● Search: It is not possible to search for blocked data or to search for a business object using blocked data in
the search criteria.
It is possible to display blocked data if a user has special authorization; however, it is still not possible to create,
change, copy, or perform follow-up activities on blocked data.
For information about the configuration settings required to enable this three-phase based end of purpose check,
see the Process Flow.
Table 161: Relevant Application Objects and Available Deletion Functionality
Application Object | Provided Deletion Functionality (each entry is followed by its detailed description)

Inspection Lot | Archiving object QM_CONTROL
The EoP check considers partners (customers or vendors):
● that are stored directly in the inspection lot (table QALS)
● that are available in the worklist of the transfer table for subsystems (QIWL)
● that are used in control charts (QASH)
● that are assigned to a multiple specification (QAOBJMS)
Each inspection lot is checked to determine whether the customer or supplier is still relevant. If a customer or vendor is used in several objects, they remain relevant as long as at least one object is not completed. An object is completed if:
● the inspection lot is canceled
● the inspection lot has the status All inspections completed, a usage decision was made, and, if the inspection lot is stock-relevant, the stock postings are completed
● the control charts are closed
The following data is relevant for calculating the retention rules and residence rules (taking the latest date):
● Date of usage decision
● Last change date of the usage decision
● Last change date of the control chart (if applicable)
You can start report QM_CVP_EOP_SORT_ARC_CONTROL to select all data that has already been archived (background job, for performance reasons).

Sample Records | Archiving object QM_SAMPLE
Partners are assigned to the drawing of physical samples.
Physical samples are only considered if they are not part of an order, an inspection lot, or a notification, since such physical samples are considered part of separate business operations and are checked during the EoP check for the corresponding object (for example, the notification). Only ''independent'' physical samples are checked.
The assigned partners are no longer relevant if the physical sample is marked for deletion or marked as no longer existent. The latest change date is then taken as the basis for the calculation of the retention and residence rules.
You can start report QM_CVP_EOP_SORT_ARC_SAMPLE to select all data that has already been archived (background job, for performance reasons).

Quality Certificate | Archiving object QM_CERT
Only suppliers are relevant. Suppliers are entered directly in the certificate.
A certificate is completed if it has one of the following statuses:
● Certificate filed and inspected
● Certificate receipt canceled
● Certificate defective
If you want to send or receive the quality data of a certificate using EDI, and the inspection characteristics to be sent have different descriptions in the vendor and the customer system, you can set up a partner-specific identification and assignment of the respective characteristics (characteristic mapping). The communication partners are defined by Partner Type and Partner Number.
To delete the partner-specific settings and characteristic mappings, you have to run deletion report RDEL_PARTNER_CHAR.

Failure Mode and Effects Analysis | Archiving object QM_FMEA
Only business partners on header level are checked. Business partners entered for actions are not checked.
It is checked that the FMEA has the status Completed, To Be Archived, or Archived.
You can start report PLM_FMEA_EOP_AUD_ARC_EXTRACT to select all data that has already been archived.

Audit Plans/Audits | Archiving object PLM_AUD
It is checked that the audit has the status Completed, To Be Archived, or Archived. Only audits are taken into account in the check, not audit plans or question lists.
You can start report PLM_AUDIT_EOP_AUD_ARC_EXTRACT to select all data that has already been archived.
Table 162: Relevant Application Areas and Available EoP Functionality
Application | Implemented Solution | Further Information
Quality Management | EoP check | This includes the business in the areas of:
● Quality Planning (QM-PT)
● Quality Inspection (QM-IM)
● Audit Management (CA-AUD)
Process
1. Before archiving data, you must define residence times and retention periods in SAP Information Lifecycle Management (ILM).
2. You choose whether data deletion is required for data stored in archive files or data stored in the database, also depending on the type of deletion functionality available.
3. You do the following:
   1. Run transaction IRMPOL and maintain the required residence and retention policies for the central business partner (ILM object: CA_BUPA).
   2. Run transaction BUPA_PRE_EOP to enable the end of purpose check function for the central business partner.
   3. Run transaction IRMPOL and maintain the required residence and retention policies for the customer master and vendor master in SAP ERP (ILM objects: FI_ACCPAYB, FI_ACCRECV; for ILM objects in QM, see the archiving objects above).
   4. Run transaction CVP_PRE_EOP to enable the end of purpose check function for the customer master and vendor master in SAP ERP.
4. Business users can request unblocking of blocked data by using the transaction BUP_REQ_UNBLK.
5. If you have the needed authorizations, you can unblock data by running the transactions BUPA_PRE_EOP and CVP_UNBLOCK_MD.
6. You delete data by using the transaction ILM_DESTRUCTION for the ILM objects of Quality Management.
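The three-phase end of purpose logic for inspection lots described in this section and in Table 161, as an added Python example (not SAP code). It assumes that the residence and retention periods both run from the partner's latest reference date; lot numbers, partner numbers, and period lengths are constructed.

```python
"""Three-phase end of purpose (EoP) model for QM inspection lots.

Added example, not SAP code. It applies the rules from this section and
Table 161 to constructed inspection lots: a lot is completed when it is
canceled, or when all inspections are completed, a usage decision exists and,
for stock-relevant lots, the stock postings are done; the reference date is
the latest of the usage-decision date, its last change date and the control
chart's last change date. Assumption: residence and retention periods both run
from the partner's latest reference date. Lot and partner numbers are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set


@dataclass
class InspectionLot:
    lot: str
    partner: str                          # customer or vendor number
    cancelled: bool = False
    inspections_completed: bool = False   # status "All inspections completed"
    ud_date: Optional[date] = None        # date of the usage decision
    ud_changed: Optional[date] = None     # last change date of the usage decision
    stock_relevant: bool = False
    stock_postings_done: bool = False
    chart_closed: bool = True             # no control chart, or the chart is closed
    chart_changed: Optional[date] = None  # last change date of the control chart


def is_completed(lot: InspectionLot) -> bool:
    """Completion rule for an inspection lot, as in Table 161."""
    if lot.cancelled:
        return True
    if not (lot.inspections_completed and lot.ud_date is not None):
        return False
    if lot.stock_relevant and not lot.stock_postings_done:
        return False
    return lot.chart_closed


def reference_date(lot: InspectionLot) -> Optional[date]:
    """Latest of the dates the residence and retention rules are calculated from."""
    dates = [d for d in (lot.ud_date, lot.ud_changed, lot.chart_changed) if d is not None]
    return max(dates) if dates else None


def partner_status(partner: str, lots: List[InspectionLot], today: date,
                   residence_days: int, retention_days: int) -> str:
    """Phase of the partner's data: 'active' (phase 1), 'available' (phase 2),
    'blocked' (phase 3) or 'destroyable' (retention period has elapsed)."""
    mine = [lot for lot in lots if lot.partner == partner]
    if not mine:
        return "unreferenced"
    if any(not is_completed(lot) for lot in mine):
        return "active"  # relevant as long as at least one object is not completed
    dates = [d for d in map(reference_date, mine) if d is not None]
    if not dates:
        return "available"  # completed but undated: cannot age, keep for review
    eop = max(dates)
    if today < eop + timedelta(days=residence_days):
        return "available"
    if today < eop + timedelta(days=retention_days):
        return "blocked"
    return "destroyable"


def allowed_actions(status: str, special_authorization: bool = False) -> Set[str]:
    """Effect of blocking on the actions listed above: blocked data is display-only
    for users with special authorization and hidden from everyone else."""
    if status in ("active", "available"):
        return {"display", "change", "create", "copy", "search"}
    return {"display"} if special_authorization else set()


# Constructed sample lots for two partners.
LOTS = [
    InspectionLot("10000001", "V100", inspections_completed=True,
                  ud_date=date(2016, 1, 10), ud_changed=date(2016, 2, 1),
                  stock_relevant=True, stock_postings_done=True),
    InspectionLot("10000002", "V100", cancelled=True),
    # Usage decision made, but stock postings still open: not completed.
    InspectionLot("10000003", "V200", inspections_completed=True,
                  ud_date=date(2017, 5, 3), stock_relevant=True),
]

if __name__ == "__main__":
    for partner in ("V100", "V200"):
        status = partner_status(partner, LOTS, date(2018, 1, 1), 365, 3650)
        print(partner, status, sorted(allowed_actions(status, special_authorization=True)))
```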
13.4.5 Maintenance Operations
13.4.5.1 Authorizations in Plant Maintenance
Plant Maintenance uses the authorization concept provided by the SAP NetWeaver AS for ABAP. Therefore, the
recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP
also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Roles
SAP delivers the following standard roles covering the most frequent business transactions. You can use these
roles as a template for your own roles.
Table 163: Roles for Plant Maintenance
Role | Description
SAP_BR_MAINTENANCE_TECHNICIAN | Maintenance Technician: This role contains all the functions that a maintenance technician requires to carry out their work effectively and safely.
SAP_BR_MAINTENANCE_PLANNER | Maintenance Planner: The purpose of this role is to provide the maintenance planner with a broad range of functions necessary for planning and executing maintenance activities.
13.5 R&D / Engineering
13.5.1 Product Safety and Stewardship
13.5.1.1 Product Development for Discrete Industries
13.5.1.1.1 Authorizations
Product Development for Discrete Industries uses the authorization concept provided by the SAP NetWeaver AS
for ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver
AS Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 164:
Authorization Object | Description
C_PPE_PS | Integrated Product and Process Engineering (iPPE): PS – iPPE Interface (Component Assignment)
C_PPE_PSI | Integrated Product and Process Engineering (iPPE): PS – iPPE Interface (Interface)
I_CCM_ACT | Configuration Control: Allows forced installation/removal
I_CCM_EBOM | Configuration Control: Allows the change of Equipment BOMs
I_CCM_STRC | Configuration Control: Allows the maintenance of structure gaps
I_IE4N | Configuration Control: Controls the usage of the various IE4N modes
13.5.1.2 Authorizations in Recycling Administration
Recycling Administration uses the authorization concept provided by the SAP NetWeaver AS for ABAP.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Roles
The table below shows the standard roles that are used by Recycling Administration.
Table 165:
Role | Description
SAP_EP_ISREA_CM | Automatic role to display ABAP applications for contract handling
SAP_EP_ISREA_DEC | Automatic role to display ABAP applications for declarations
SAP_EP_ISREA_INFO | Automatic role to display ABAP applications for the information system
SAP_EP_ISREA_MD | Automatic role to display ABAP applications for master data management
SAP_ISREA_COMPLIANCE_MANAGER | Compliance Manager for Recycling
SAP_ISREA_HEAD_SUSTAINABILITY | Head of Sustainability and Environment
SAP_ISREA_MASTERDATA_EXPERT | Specialist for Recycling Master Data
SAP_ISREA_PACKAGING_ENGINEER | Packaging Engineer
SAP_ISREA_SPECIALIST | Specialist for Recycling Accounting
com.sap.pct.erp.rea.financial_accountant | SAP Enterprise Portal role Financial Accountant
com.sap.pct.erp.rea.person_responsible_masterdata | SAP Enterprise Portal role Person Responsible Master Data
com.sap.pct.erp.rea.superadmin_masterdata | SAP Enterprise Portal role Superadministrator Master Data
com.sap.pct.erp.rea.compliance_manager | SAP Enterprise Portal role Compliance Manager
SAP_SR_REA_COMP_MAN_5 | Role in SAP Business Client that corresponds to the SAP Enterprise Portal role Compliance Manager
SAP_SR_REA_FIN_ACCOUNTANT_5 | Role in SAP Business Client that corresponds to the SAP Enterprise Portal role Financial Accountant
SAP_SR_REA_PERS_RESP_MD_5 | Role in SAP Business Client that corresponds to the SAP Enterprise Portal role Person Responsible Master Data
SAP_SR_REA_SUPER_ADMIN_MD_5 | Role in SAP Business Client that corresponds to the SAP Enterprise Portal role Superadministrator Master Data
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by Recycling Administration.
Table 166:
Authorization Object | Name | Description
/J7L/LDE | REA Lean Data Entry | Controls the authorizations for the applications for lean data entry
J_7L_CONF | REA: Authorization for Configuration | Controls the authorizations for the import and export of recycling partner master data
J_7L_VARIA | REA: Authorization for Variants | Controls the access to master data objects in the Recycling Administration component depending on the respective variant
J_7L_CUST | REA: Customizing | Controls the authorizations for Customizing in the Recycling Administration component
J_7L_INFO | REA: Information System | Controls the authorizations for the applications in the information system of the Recycling Administration component
J_7L_PERIO | REA: Declarations to Recycling Partners | Controls the authorizations for declarations
J_7L_INFC | REA: Interfaces and Batch Programs | Controls the authorizations for programs for mass processing (background processing)
J_7L_STAMM | REA: Master Data | Controls the authorizations for editing master data in the Recycling Administration component
13.5.1.3 Product Compliance for Discrete Industries
13.5.1.3.1 User Administration and Authentication
Product Compliance for Discrete Industries uses the authorization concept provided by SAP NetWeaver.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Security
Guide also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG).
For more generic information, see User Administration and Authentication [page 13] in the Introduction section.
13.5.1.3.1.1 User Management
The table below shows the standard users that are necessary for operating Product Compliance for Discrete
Industries. For more generic information, see User Management [page 13] in the Introduction section.
Table 167:
User ID | Type | Password | Description
Business processing user | Dialog user | To be entered | Business user of Product Compliance
E-mail inbound processing user | Communication user | Not needed | User to process the incoming e-mails of Product Compliance
Workflow engine batch user | Background user | Not needed | User for the background processing of workflows in Product Compliance
You need to create users after the installation. Users are not automatically created during installation. In
consequence, there is no requirement to change user IDs and passwords after the installation.
Note
Several business processes within Product Compliance for Discrete Industries use SAP Business Workflow and
e-mail inbound and outbound processing. It is not recommended that you grant the corresponding system
users (such as WF_BATCH for Workflow System or SAPCONNECT for e-mail inbound processing) all
authorizations of the system (SAP_ALL).
13.5.1.3.1.2 Standard Roles
In Product Compliance for Discrete Industries, you use specific roles in the application to access content. These
roles are designed to support your business processes.
The following roles are delivered:
● Roles for Foundation Processes [page 47]
● Roles for Managing Product Compliance for Discrete Industries [page 305]
Unless shown in the tables below, the roles are delivered without authorization profiles. The authorization profiles
are generated from these roles.
Note
The Product Compliance for Discrete Industries roles that are delivered contain specific configuration such as
object-based navigation (OBN). In consequence, customizing these roles has a certain level of complexity.
Custom roles can be created as follows without losing their specific configuration:
1. Create your custom PFCG role.
2. Copy the menu structure from the SAP_EHSM_MASTER role or the others that are delivered.
3. Generate the authorization profile.
4. Assign the custom role to end users.
13.5.1.3.1.2.1 Roles for Foundation Processes
Table 168:
Role | Description
SAP_EHSM_MASTER | Master PFCG role for Product Compliance for Discrete Industries. This role is intended for use as a copy template for the menu structures of the end user roles that are currently assigned.
SAP_EHSM_PROCESS_ADMIN | End user role for the person who is technically responsible for the workflow-based processes of EHS Management. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the S/4HANA system. This role can receive workflow items.
SAP_EHSM_FND_WF_PERMISSION | System user role for the Workflow Engine. This role contains the additional authorization profiles needed to process the workflows in the background. The users who process the workflows in the background should, in addition to the SAP_EHSM_FND_WF_PERMISSION role, be assigned the SAP_BC_BMT_WFM_SERV_USER role. For processing workflows for product compliance for discrete industries, users should also have the same authorization as the following roles: SAP_EHSM_PRC_BASMAT_SPEC, SAP_EHSM_PRC_COMPL_ENG, SAP_EHSM_PRC_COMPONENT_ENG
13.5.1.3.1.2.2 Roles for Managing Product Compliance for Discrete Industries
Table 169:
Role | Description
SAP_EHSM_ADMINISTRATOR | Administrator role for the person who monitors changes in master data for product compliance, compliance objects, and the application log. This person also corrects data issues, enters data for customers and suppliers, and manually imports incoming documents either from the front-end system or from an application server.
SAP_EHSM_PRC_COMPL_CONSUMER | End user role for the compliance consumer. This role can be adapted for use as four different sub-roles: purchasing agent, sales and services representative, mechanical engineer, and electrical engineer. This user role is responsible for maintaining awareness of regulations and compliance requirements and, depending on the purpose, can be responsible for maintaining product knowledge and data, configuring customer orders, scheduling service requests, research, and evaluating product data, or designing, testing and analysis of components.
SAP_EHSM_PRC_COMPL_MGR | End user role for the compliance manager. This user role monitors compliance-related programs for product lines, and defines policies and procedures for other departments to ensure compliance. The compliance manager approves the manufacturing processes and equipment that will be used in production, and supervises design compliance.
SAP_EHSM_PRC_COMPL_ENG | End user role for the compliance engineer. This user role monitors daily operations that contribute to ensuring compliance. The compliance engineer is responsible for the company compliance data set. He or she maintains compliance data in cooperation with the engineering teams, and cooperates with the compliance manager for up-to-date information about regulations. This role is involved in material-based and component-based engineering changes and new product reviews.
SAP_EHSM_PRC_COMPONENT_ENG | End user role for the component engineer. This user role selects and works with electrical or other components to be incorporated into future products, and handles management and documentation of purchased components. The component engineer approves parts obtained externally, works closely with vendors, and ensures compliance by following the established procedures and policies.
SAP_EHSM_PRC_BASMAT_SPEC | End user role for the basic material specialist. This user role is responsible for the selection of appropriate materials and surfaces for design parts, and approves their release for use. The basic material specialist decides the specific application of materials and surfaces, and maintains the material database.
SAP_EHSM_PRC_AUTO_CHANGE_PROC | System user role for the automated change processing. This role contains the authorization profiles needed to determine compliance information that is affected by a relevant change and to execute the worklist of pending compliance information.
SAP_EHSM_PRC_REG_CHG_WLIST_PRO | System user role necessary for background processing of PRC Regulatory Change Worklist Generation (program R_EHPRC_WL_REGCHG_GENERATE) and PRC Regulatory Change Worklist Post Processing (program R_EHPRC_WL_REGCHG_POST_PROC).
SAP_EHSM_PRC_SUPPL_CHNG_PROC | This role contains, as a suggestion, all relevant authorization data necessary for background processing of PRC Supplier Change Processing. Supplier Change Monitor: the program R_EHPRC_PBB_SUPPL_CHNG_MON is executed in background processing in order to monitor changes in supplier to material assignment and to start the workflow Decide and Prepare for Assessment if necessary.
SAP_EHSM_PRC_EML_REC | System user role for the e-mail recipient. This role contains the authorization profiles needed to receive and process e-mails.
SAP_BCV_USER | System user role for the display of Business Context Viewer (BCV). This role contains the authorization profiles and menus needed to display a BCV side panel and the BCV configuration.
SAP_BCV_ADMIN | System user role for the administration of Business Context Viewer (BCV). This role contains the authorization profiles and menus needed to administrate the BCV configuration.
13.5.1.3.1.3 Standard Authorization Objects
The following security-relevant authorization objects are used in Product Compliance for Discrete Industries:
● Authorization Objects for Foundation Processes [page 51]
● Authorization Objects for Managing Product Compliance [page 308]
● Authorization Objects for Integration [page 62]
13.5.1.3.1.3.1 Authorization Objects for Foundation Processes
Table 170:
Authorization Object | Field | Value | Description
EHFND_CHDC (Change Document) | ACTVT | 03 (Display) | Activity
EHFND_CHDC (Change Document) | BO_NAME | EHPRC_COMPLIANCE_DATA (Compliance Data) | Business Object Name
EHFND_WFT (Workflow Tools) | ACTVT | 16 (Execute) | Activity
EHFND_WFT (Workflow Tools) | TCD | All transactions of workflow tools | Transaction Code
EHFND_WFF (Workflow and Processes) | EHSM_COMP | Product Compliance (PRC) | Component of Product Safety and Stewardship
EHFND_WFF (Workflow and Processes) | PURPOSE | Process Purpose (see Customizing activity Specify Process Definitions) | Process Purpose
EHFND_WFF (Workflow and Processes) | EHSM_PVAR | Process Variant (see Customizing activity Specify Process Definitions) | Name of Process Variant
EHFND_WFF (Workflow and Processes) | EHSM_PCACT | CANCELPROC (Cancel Process) | Activity of Task or Process
EHFND_EXPP (Export Profile) | ACTVT | 01 (Create, Generate) | Activity
EHFND_EXPP (Export Profile) | EHFND_EXPP | | Configured Export Profile
EHFND_REGL (Regulatory List Content) | ACTVT | 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete) | Activity
13.5.1.3.1.3.2 Authorization Objects for Managing Product Compliance
Table 171:
Authorization Object | Field | Value | Description
EHPRC_CMWL (Compliance Management Worklist (CMWL)) | ACTVT | 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete) | Activity
EHPRC_CMWL (Compliance Management Worklist (CMWL)) | WL_CAT | REG_CHG (Follow-Up Regulatory Change) | Worklist Category
EHPRC_CPM (RCS: Campaign Usage) | ACTVT | 01 (Create or generate), 02 (Change), 03 (Display) | Activity
EHPRC_OLM1 (RCS: Object List Usage) | ACTVT | 01 (Create or generate), 02 (Change), 03 (Display) | Activity
EHPRC_OLM1 (RCS: Object List Usage) | EHPRC_OLGR | See the Customizing activity Specify Object List Groups under Product Safety and Stewardship > Product Compliance for Discrete Industries > General Configuration | Object List Group
EHPRC_CDO (RCS: Authorization Object for Compliance Object) | ACTVT | 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete) | Activity
EHPRC_CDO (RCS: Authorization Object for Compliance Object) | REQ | | Compliance Requirement (Check)
EHPRC_CDO (RCS: Authorization Object for Compliance Object) | REV_STATUS | | Compliance Data Revision Status
EHPRC_CDO (RCS: Authorization Object for Compliance Object) | CDCATEGORY | | Compliance Data Category
S_PB_CHIP (ABAP Page Builder: CHIP) | ACTVT | 03 (Display), 16 (Execute) | Activity. Needed for displaying information on the side panel
S_PB_CHIP (ABAP Page Builder: CHIP) | CHIP_NAME | X-SAP-WDY-CHIP:/BCV/CHIP*, X-SAP-WDY-CHIP:EHPRC_CW_BCV_CHIP1, EHPRCWDCHIP_SPBN | Web Dynpro ABAP: CHIP ID
S_PB_PAGE (ABAP Page Builder: Page Configuration) | ACTVT | 03 (Display) | Activity. Needed for displaying information on the side panel
S_PB_PAGE (ABAP Page Builder: Page Configuration) | CONFIG_ID | /BCV/SIDEPANEL | Configuration Identification
S_PB_PAGE (ABAP Page Builder: Page Configuration) | PERS_SCOPE | 1 (User) | Web Dynpro: Personalization
BCV_SPANEL (Execute Side Panel) | ACTVT | 16 (Execute) | Activity. Needed for displaying information on the side panel
BCV_SPANEL (Execute Side Panel) | BCV_CTXKEY | EHPRC_COMPL_DATA | Context Key
BCV_USAGE (Business Context Viewer usage) | ACTVT | US (Use) | Activity. Needed for displaying information on the side panel
BCV_QRYVW (Query View) | ACTVT | 03 (Display) | Activity. Needed for displaying information on the side panel
BCV_QRYVW (Query View) | BCV_CTXKEY | EHPRC_COMPL_DATA | Context Key
BCV_QRYVW (Query View) | BCV_QRYVID | | ID of Query View
BCV_QUERY (Query) | ACTVT | 03 (Display) | Activity. Needed for displaying information on the side panel
BCV_QUERY (Query) | BCV_CTXKEY | EHPRC_COMPL_DATA | Context Key
BCV_QUERY (Query) | BCV_QRY_ID | | Query ID
BCV_QUILST (Overview) | ACTVT | 03 (Display) | Activity. Needed for displaying information on the side panel
BCV_QUILST (Overview) | BCV_CTXKEY | EHPRC_COMPL_DATA | Context Key
BCV_QUILST (Overview) | BCV_QUIKID | | ID of Overview
13.5.1.3.2 Network and Communication Security
Your network infrastructure is important for protecting your system. Therefore, your network must support the
communication necessary for your business needs without allowing unauthorized access. A well-defined network
topology can eliminate many security threats based on software flaws (at both the operating system level and
application level) or network attacks such as eavesdropping. If users cannot log on to your application or database
servers at the operating system or database layer, then there is no way for intruders to compromise the machines
and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the
server LAN (local area network), they cannot exploit known bugs and security holes in network services on the
server machines.
The network topology for Product Safety and Stewardship is based on the topology used by the SAP NetWeaver
platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security
Guide also apply here. Details that specifically apply to Product Safety and Stewardship are described in the
following sections:
● Communication Channel Security [page 317]
This topic describes the communication paths and protocols.
● Network Security [page 318]
This topic describes the recommended network topology. It shows the appropriate network segments for the
various client and server components and where to use firewalls for access protection. It also includes a list of
the ports required.
● Communication Destinations [page 319]
This topic describes the information needed for the various communication paths, for example, which users
are used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide:
● Network and Communication Security
● Security Guides for Connectivity and Interoperability Technologies
13.5.1.3.2.1 Communication Destinations
The table below shows an overview of the communication destinations used by Product Compliance for Discrete
Industries. For more generic information, see the corresponding chapter in the Introduction section.
Table 172:
Destination | Delivered | Type | Description
- | No | RFC | Connection to plant maintenance system
- | No | RFC | Connection to business partner system
- | No | RFC | Connection to accounting system
- | No | RFC | Connection to SAP Product Safety and Stewardship as part of SAP ERP system
Note
The user in the remote AC system needs to have all authorizations as proposed by the respective EHS user
roles.
For SAP EHS Management as part of SAP ERP, Product Compliance for Discrete Industries does not provide
any authorizations.
For detailed information about communication destinations, see Customizing for Environment, Health, and Safety
under Foundation for EHS > Integration > Specify Destinations for Integration.
13.5.1.3.3 ICF Security in Product Safety and Stewardship
To use an app in Product Safety and Stewardship, you have to activate the internet communication framework
(ICF) service that is needed for this app.
For general information, see ICF Security [page 19] in the Introduction section.
Product Compliance for Discrete Industries
To use Product Compliance for Discrete Industries apps, proceed as follows:
● In your back-end system, open transaction SICF. Under /default_host/sap/bc/webdynpro/sap/,
activate the following Web Dynpro services:
○ all services whose names start with EHFND
○ all services whose names start with EHPRC
○ POWL
○ IBO_WDA_INBOX
○ WDR_CHIP_PAGE
13.5.1.3.4 Data Storage Security
Using Logical Path and File Names to Protect Access
In Product Compliance for Discrete Industries, several applications save data in files in the file system. The
International Material Data System (IMDS) uses the file system to store downloaded files temporarily, before they
are imported. Additionally, it is possible for users to upload files to the application server manually prior to further
processing. Therefore, it is important to explicitly provide access to the corresponding files in the file system
without allowing access to other directories or files (also known as directory traversal). This is achieved by
specifying logical paths and file names in the system that map to the physical paths and file names. This mapping
is validated at runtime, and, if access is requested to a directory that does not match a stored mapping, an error
occurs.
The following lists show the logical file names and paths used by Product Compliance for Discrete Industries and
for which programs these file names and paths apply:
Logical File Names Used
The following logical file names have been created in order to enable the validation of physical file names:
● EHPRC_IMPORT_DIR
● EHPRC_ERROR_DIR
● EHPRC_ARCHIVE_DIR
For more information, see the Customizing activity Set Up Directory Structure for IMDS.
Logical Path Names Used
The logical file names listed above all use the logical file path EHPRC_HOME_PATH.
Activating the Validation of Logical Path and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To find out which
paths are being used by your system, you can activate the corresponding settings in the Security Audit Log.
For more information about data storage security, see the respective chapter in the SAP NetWeaver Security
Guide.
13.5.1.3.5 Virus Scanning
The interactive forms of Product Compliance for Discrete Industries can contain JavaScript. Therefore, JavaScript
must be enabled in Adobe Acrobat Reader. In addition, e-mails with PDF attachments that contain JavaScript
must not be filtered out in the e-mail inbound and outbound process.
For more generic information, see Virus Scanning [page 21] in the Introduction section.
13.5.1.4 Product Safety and Stewardship for Process Industries
This section contains information that is valid for:
● Basic Data and Tools
● Product Safety
● Global Label Management
● Dangerous Goods Management
13.5.1.4.1 Technical System Landscape
Product Safety
Expert is a registering Remote Function Call (RFC) server that reads and writes specification data through RFC
from the SAP system.
Windows Wordprocessor Integration (WWI) is a registering RFC server that generates and prints reports.
Report shipping can be determined centrally in the product safety system, or product safety document data can
be distributed by ALE/IDOC to logistics systems. These logistics systems use their own WWI generation servers
(WWI servers) to print documents.
Dangerous Goods Management
If you use separate logistics systems, dangerous goods data can be transferred to logistics systems by ALE/
IDOC.
Global Label Management
The technical system landscape for Global Label Management consists of the following elements:
● WWI is a registering RFC server. It can contain its own database that is used as a document cache and data
cache.
● Option 1: Label printing is possible with a printer that is connected to a local PC. WWI servers are hosted on a
central WWI server farm. Printing is executed by the SAP spool system or a printer that is connected to a local
PC.
● Option 2: Label printing is executed through print requests. WWI servers are decentralized. Therefore, the
data of the print requests is sent directly to the printer, or the print requests are printed through the SAP
spool system.
● Option 3: Label printing is possible via an extraordinary, distributed approach for product safety. In this case,
plants host their own SAP systems. Document data is maintained centrally and distributed by ALE. Printing is
determined directly or through the SAP spool system.
13.5.1.4.2 User Administration and Authentication
Product Safety and Stewardship for Process Industries uses the administration and authentication mechanisms
provided with the SAP NetWeaver platform.
For more generic information, see User Administration and Authentication [page 13] in the Introduction section.
13.5.1.4.2.1 Authorizations
Product Safety and Stewardship for Process Industries uses the authorization concept that is provided by SAP
NetWeaver and Microsoft Windows. Therefore, the recommendations and guidelines for authorizations as
described in the SAP NetWeaver Security Guide and the Microsoft Windows Security Guide also apply.
The following kinds of authorization-related objects are used:
● Profiles
● Authorization objects
Profiles
The table below lists the profiles used. You can display all profiles in the profile list (transaction SU02).
Table 173:
Profile | Description
B_MASSMAIN | Mass maintenance tool
C_A.AV | Composite profile for person in charge of work scheduling
C_A.KONSTRUK | Composite profile for person in charge of engineering/design
C_AENR_* | List of profiles for change management
C_ALL | PP: All authorizations for master data/classif. system
C_EHSG | List of profiles for Global Label Management
C_EHSH_* | Lists of profiles for Product Safety and Stewardship
C_FHMI_* | List of profiles for production resources/tools
C_MSTL_* | List of profiles for material BOMs
C_PS_* | List of profiles for Project Systems
C_ROUT_* | List of profiles for task lists
C_SHE_* | List of profiles for Product Safety and Stewardship
E_CS_* | List of profiles for EC-CS
I_PM_* | List of profiles for Plant Maintenance
M_* | List of profiles for Materials Management
Authorization Objects
Table 174:
Object Class | Description
CLAS | Classification
CV | Document Management
EHS | Product Safety and Stewardship
LO | Logistics - General. Exclusively the authorization objects for the variant configuration (character string C_LOVC_*).
MM_G | Materials Management – Master Data
MM_S | Materials Management – External Services
PM | Plant Maintenance
PP | Production Planning. Authorization objects for the applications: change management (character string C_AENR_*), task lists (character string C_ROUT*), BOMs (character string C_STUE_*)
PS | Project System
Note
In WWI and Expert Server Administration (transaction CGSADM) you can create, delete, start, cancel, and
configure the WWI generation servers (WWI servers) and the Expert servers. For Expert, you can upload and
register Expert rules that are used to alter specification data.
SAP recommends that you grant authorization to transactions CG3Z and CG3Y restrictively since they may
allow uploading and downloading any files to or from the application server.
13.5.1.4.3 Network and Communication Security
Your network infrastructure is important for protecting your system. Therefore, your network must support the
communication necessary for your business needs without allowing unauthorized access. A well-defined network
topology can eliminate many security threats based on software flaws (at both the operating system level and
application level) or network attacks such as eavesdropping. If users cannot log on to your application or database
servers at the operating system or database layer, then there is no way for intruders to compromise the machines
and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the
server LAN (local area network), they cannot exploit known bugs and security holes in network services on the
server machines.
The network topology for Product Safety and Stewardship is based on the topology used by the SAP NetWeaver
platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security
Guide also apply here. Details that specifically apply to Product Safety and Stewardship are described in the
following sections:
● Communication Channel Security [page 317]
This topic describes the communication paths and protocols.
● Network Security [page 318]
This topic describes the recommended network topology. It shows the appropriate network segments for the
various client and server components and where to use firewalls for access protection. It also includes a list of
the ports required.
● Communication Destinations [page 319]
This topic describes the information needed for the various communication paths, for example, which users
are used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide:
● Network and Communication Security
● Security Guides for Connectivity and Interoperability Technologies
13.5.1.4.3.1 Communication Channel Security
The following table lists the communication paths used by Product Safety and Stewardship for Process Industries,
the protocol used for the connection, and the type of data transferred.
Table 175:
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP PS&S for Process Industries Application Server to SAP BP Application Server | RFC | Business Partner | -
SAP PS&S for Process Industries Application Server to SAP PM Application Server | RFC | Plant Maintenance | -
SAP Logistics Application Server to SAP PS&S for Process Industries Application Server | RFC | Logistics data for Report Shipping; Logistics data for Substance Volume Tracking | -
SAP PS&S for Process Industries Application Server to SAP Logistics Application Server | ALE/IDOC | Application data: Dangerous Goods data and Reports can be transferred to logistics systems | -
SAP Application Server to Expert Server | RFC | Application data | Substance data may contain corporate secrets such as recipes.
SAP Application Server to WWI generation server (WWI server) | RFC | Application data, documents | Usually MSDS or label data is transferred. Depending on the process, incident reports that contain personal data or corporate secrets may also be transferred.
SAP PS&S for Process Industries Application Server to SAP Logistics Application Server | RFC | Application data: For Global Label Management, material data is transferred from the logistics system to the Product Safety system | -
Only for Global Label Management systems with many WWI servers: WWI server to SQL database server | TCP/IP; DB-specific protocol | Label data | Usually no sensitive data, depending on the usage of the label.
Note
Protect RFC connections with Secure Network Communications (SNC).
Use secure protocols (SSL, SNC) whenever possible.
13.5.1.4.3.2 Network Security
Ports
WWI generation servers (WWI servers) and Expert servers use Remote Function Call (RFC).
For more information, see the document TCP/IP Ports Used by SAP Applications, which is located on the SAP
Service Marketplace at http://service.sap.com/ under Products > Database & technology > Security >
Infrastructure Security.
13.5.1.4.3.3 Communication Destinations
The table below lists the communication destinations that are used by Product Safety and Stewardship for
Process Industries.
For a description of the purpose of the RFC destinations, see the Customizing activities mentioned for Product
Safety and Stewardship for Process Industries.
Table 176:
Destination | Delivered | Type | User, Authorizations | Description
Basic Data and Tools > Basic Settings > Specify Environment Parameters (environment parameter DEST_BU) | No | RFC | - | RFC destination for Business Partner
Basic Data and Tools > Basic Settings > Specify Environment Parameters (environment parameter DEST_HR) | No | RFC | - | RFC destination for HR
Basic Data and Tools > Basic Settings > Specify Environment Parameters (environment parameter DEST_PM) | No | RFC | - | RFC destination for Plant Maintenance
Basic Data and Tools > Basic Settings > Specify Environment Parameters (environment parameter DEST_SRE_DS) | No | RFC | - | RFC destination of Report Shipping
Basic Data and Tools > Basic Settings > Specify Environment Parameters (environment parameter SVT_EHS_RFCDEST) | No | RFC | - | RFC destination for Substance Volume Tracking
Basic Data and Tools > Basic Settings > Specify Environment Parameters (environment parameter WWI_GENSERVER_SYN_DEST) | No | RFC | Calling user | Synchronous generation of reports
Basic Data and Tools > Report Definition > Windows Wordprocessor Integration (WWI) > Configuration of Generation PCs > Configuration of Generation Servers > Manual Configuration of Generation Servers > Specify Generation Servers; maintain the destination | No | RFC | Configured background job user (see Customizing activity Start WWI Dispatcher in Background) | Background generation of reports
Global Label Management > Prerequisites for Global Label Management > Define WWI Settings > Configure WWI Server for Print Request Generation | No | RFC | Calling user | Print and preview tables in Global Label Management
Global Label Management > Prerequisites for Global Label Management > Define WWI Settings > Configure WWI Server for Print Request Generation | No | RFC | Calling user or configured background job user (see Customizing activity Background Jobs for Processing Print Requests) | Process print requests in Global Label Management
Basic Data and Tools > Basic Settings > Manage User Exits | No | RFC | Calling user | Determine secondary data for specifications with Expert
Basic Data and Tools > Basic Settings > Specify Environment Parameters | No | RFC | Calling user | Mass change of specification data with Easy Expert
Note
The WWI servers and the Expert servers are registering RFC servers.
For more information about setting up RFC destinations, see the Customizing for Product Safety and
Stewardship under Basic Data and Tools > Tools > Expert > Set Up RFC Destination.
13.5.1.4.4 Application-Specific Virus Scan Profile (ABAP)
SAP provides an interface for virus scanners to prevent manipulated or malicious files from damaging the system.
To manage the interface and to find out which file types are checked or blocked, use the virus scan profiles. Some
applications rely on default profiles, while others rely on application-specific profiles.
To use a virus scanner with the SAP system, you must activate and set up the virus scan interface. During this
process, you also set up the default behavior. Here, SAP also provides the following default profiles:
Table 177:
Application | Profile | Allowed MIME Types | Blocked MIME Types
Product Safety and Stewardship for Process Industries | /CBUI/WWI_REPORT_GEN | * | -
Global Label Management | /CBGLMP_API/WWI_GET_CONTENT | * | -
When the application-specific virus scan profile is activated, this profile has the following impact:
● Documents generated by the WWI generation server (WWI server) are scanned for viruses
● Documents imported into Product Safety and Stewardship for Process Industries are scanned for viruses
13.5.1.4.5 Data Storage Security
For importing or exporting data between two SAP systems or an SAP system and an external system, Product
Safety and Stewardship for Process Industries uses transfer files.
After generating a transfer file, either by exporting data or by uploading a transfer file from a PC file system, the
transfer file is stored on the application server. If the export is started again or a new file is uploaded from a PC file
system, the transfer file that is stored on the application server is overwritten.
Note
The transfer file of imported specification data is stored in file substance.dat on the application server. The
transfer file path is configured in logical path EHS_IMP_SUBSTANCES_PATH_2.
Using Logical Path and File Names to Protect Access
When importing or exporting data, Product Safety and Stewardship for Process Industries saves data in files in the
file system. Therefore, it is important to explicitly provide access to the corresponding files in the file system
without allowing access to other directories or files (also known as directory traversal). This is achieved by
specifying logical paths and file names in the system that map to the physical paths and file names. This mapping
is validated at runtime and if access is requested to a directory that does not match a stored mapping, then an
error occurs.
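The check described here, and in the identical passage for Product Compliance for Discrete Industries above (logical file names EHPRC_IMPORT_DIR, EHPRC_ERROR_DIR and EHPRC_ARCHIVE_DIR under logical path EHPRC_HOME_PATH), maps a logical name to a physical directory and rejects any requested name that resolves outside it. The Python below is an added model of that check, not SAP code (in the ABAP system the mapping is done by the FILE_GET_NAME and FILE_VALIDATE_NAME function modules); the physical root /sapmnt/ehprc, the subdirectories and the sample file names are assumptions, and it also reproduces the guide's point that a logical path whose physical path has not been maintained is not validated at all.

```python
import posixpath
from dataclasses import dataclass

# Constructed model of the logical path / logical file name mapping the guide
# describes. The logical names are the ones the guide lists; the physical root
# under /sapmnt and the subdirectories are placeholders for this example.
# A logical path whose physical path is None has not been maintained in
# transaction FILE / SF01, which the guide says leaves validation inactive.
LOGICAL_PATHS = {
    "EHPRC_HOME_PATH": "/sapmnt/ehprc",
    "EHS_IMP_SUBSTANCES_PATH_2": None,   # default state: nothing maintained yet
}

# Logical file name -> (logical path it uses, subdirectory below that path).
LOGICAL_FILES = {
    "EHPRC_IMPORT_DIR": ("EHPRC_HOME_PATH", "import"),
    "EHPRC_ERROR_DIR": ("EHPRC_HOME_PATH", "error"),
    "EHPRC_ARCHIVE_DIR": ("EHPRC_HOME_PATH", "archive"),
    "EHS_IMP_SUBSTANCES_2": ("EHS_IMP_SUBSTANCES_PATH_2", ""),
}


class PathValidationError(ValueError):
    """Raised when a requested file name would leave its mapped directory."""


@dataclass(frozen=True)
class Resolution:
    physical: str    # physical file name the program would open
    validated: bool  # False when no physical path is maintained (check skipped)


def resolve_physical_name(logical_file, file_name,
                          logical_paths=LOGICAL_PATHS,
                          logical_files=LOGICAL_FILES):
    """Map a logical file name plus a caller-supplied file name to a physical
    name, rejecting anything that resolves outside the mapped directory."""
    if "\0" in file_name:
        raise PathValidationError("NUL byte in file name")
    if logical_file not in logical_files:
        raise PathValidationError(f"unknown logical file name {logical_file}")
    logical_path, subdir = logical_files[logical_file]

    root = logical_paths.get(logical_path)
    if root is None:
        # Mirrors the guide's default: with no physical path maintained there is
        # nothing to check against, so the name is passed through unvalidated.
        return Resolution(physical=file_name, validated=False)

    base = posixpath.normpath(posixpath.join(root, subdir))
    if posixpath.isabs(file_name):
        raise PathValidationError("absolute file names are not allowed")
    # normpath collapses ".." segments, so a traversal attempt shows up as a
    # result that no longer lies below the base directory. On a real file
    # system, follow this with a realpath check so symlinks cannot bypass it.
    candidate = posixpath.normpath(posixpath.join(base, file_name))
    if candidate == base or not candidate.startswith(base + "/"):
        raise PathValidationError(f"{file_name!r} does not stay inside {base}")
    return Resolution(physical=candidate, validated=True)


def is_rejected(logical_file, file_name):
    """True if the mapping rejects the file name, False if it resolves it."""
    try:
        resolve_physical_name(logical_file, file_name)
    except PathValidationError:
        return True
    return False


def unvalidated_logical_paths(logical_paths=LOGICAL_PATHS):
    """Logical paths whose physical path is not maintained, i.e. for which the
    runtime validation the guide describes is still switched off."""
    return sorted(name for name, phys in logical_paths.items() if phys is None)


if __name__ == "__main__":
    print(resolve_physical_name("EHPRC_IMPORT_DIR", "mds_4711.xml"))
    print(is_rejected("EHPRC_IMPORT_DIR", "../../other/secret.txt"))
    print(resolve_physical_name("EHS_IMP_SUBSTANCES_2", "substance.dat"))
    print(unvalidated_logical_paths())
```

Running unvalidated_logical_paths() against the real FILE / SF01 entries is the check to do before relying on this protection, since the guide's default leaves it off.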
The following lists show the logical file names and paths used when importing or exporting data, and for which
programs these file names and paths apply:
Logical File Names Used in Export and Import
The following logical file names have been created in order to enable the validation of physical file names:
Table 178:
Logical File Names | Programs Using these Logical File Names
EHS_EXP_PHRASES_2 | Export of Phrase Libraries
EHS_EXP_PROPERTY_TREE_2 | Export of Property Tree
EHS_EXP_SOURCES_2 | Export of Sources
EHS_EXP_SUBSTANCES_2 | Export of Specification Master Data
EHS_EXP_TEMPLATE_2 | Export of Report Templates
EHS_IMP_PHRASES_2 | Import of Phrase Libraries
EHS_IMP_PROPERTY_TREE_2 | Import of Property Tree
EHS_IMP_SOURCES_2 | Import of Sources
EHS_IMP_SUBSTANCES_2 | Import of Specification Master Data
EHS_IMP_TEMPLATE_2 | Import of Report Templates
EHS_IMP_REPORT_2 | Import of Reports
EHS_FTAPPL_2 | Upload File; Download File
Logical Path Names Used During Export and Import
These logical file names use the following logical paths:
Table 179:
Logical File Name          Logical Path Name
EHS_EXP_PHRASES_2          EHS_EXP_PHRASES_PATH_2
EHS_EXP_PROPERTY_TREE_2    EHS_EXP_PROPERTY_TREE_PATH_2
EHS_EXP_SOURCES_2          EHS_EXP_SOURCES_PATH_2
EHS_EXP_SUBSTANCES_2       EHS_EXP_SUBSTANCES_PATH_2
EHS_EXP_TEMPLATE_2         EHS_EXP_TEMPLATE_PATH_2
EHS_FTAPPL_2               EHS_FTAPPL_PATH_2
EHS_IMP_PHRASES_2          EHS_IMP_PHRASES_PATH_2
EHS_IMP_PROPERTY_TREE_2    EHS_IMP_PROPERTY_TREE_PATH_2
EHS_IMP_REPORT_2           EHS_IMP_REPORT_PATH_2
EHS_IMP_SOURCES_2          EHS_IMP_SOURCES_PATH_2
EHS_IMP_SUBSTANCES_2       EHS_IMP_SUBSTANCES_PATH_2
EHS_IMP_TEMPLATE_2         EHS_IMP_TEMPLATE_PATH_2
Activating the Validation of Logical Path and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To find out which
paths are being used by your system, you can activate the corresponding settings in the Security Audit Log
(transaction SM19).
Relevant audit log numbers:
● DUA – EHS-SADM: Service &A on client &B created
● DUB – EHS-SADM: Service &A on client &B started
● DUC – EHS-SADM: Service &A on client &B stopped
● DUD – EHS-SADM: Service &A on client &B stopped
● DUE – EHS-SADM: Configuration of service &A on client &B was changed
● DUF – EHS-SADM: File &A from client &B transferred
● DUG – EHS-SADM: File &A transferred to client &B
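The validation principle described above, as an added PowerShell illustration (not SAP's implementation, which runs inside the ABAP system): a logical file name resolves through its logical path to a physical directory, and a requested physical file name is accepted only if it still lies inside that directory. The physical base paths and the phrase-library file name are assumptions; the logical names are the ones in Tables 178 and 179.

```powershell
# Added illustration (not SAP code) of logical path and file name validation.
# Physical base paths are placeholders; the logical names are the ones on this page.

$LogicalPaths = @{
    'EHS_IMP_SUBSTANCES_PATH_2' = 'D:\sap\ehs\import\substances'   # placeholder
    'EHS_EXP_PHRASES_PATH_2'    = 'D:\sap\ehs\export\phrases'      # placeholder
}
$LogicalFiles = @{
    # substance.dat is the file name the guide gives for imported specification data.
    'EHS_IMP_SUBSTANCES_2' = @{ LogicalPath = 'EHS_IMP_SUBSTANCES_PATH_2'; FileName = 'substance.dat' }
    'EHS_EXP_PHRASES_2'    = @{ LogicalPath = 'EHS_EXP_PHRASES_PATH_2';    FileName = 'phrases.dat' }  # file name assumed
}

function Resolve-LogicalFile {
    # Logical file name -> physical file name, via the logical path it is bound to.
    param([Parameter(Mandatory)][string] $LogicalName)
    $entry = $LogicalFiles[$LogicalName]
    if (-not $entry) { throw "Unknown logical file name: $LogicalName" }
    [System.IO.Path]::Combine($LogicalPaths[$entry.LogicalPath], $entry.FileName)
}

function Test-PhysicalNameAllowed {
    # Returns $true only if $RequestedName, resolved against the directory mapped to
    # $LogicalPathName and normalised (..\ and .\ segments collapsed, rooted names kept
    # as they are), still lies inside that directory. A request for a directory with no
    # stored mapping is rejected, which corresponds to the runtime error the guide describes.
    param([Parameter(Mandatory)][string] $LogicalPathName,
          [Parameter(Mandatory)][string] $RequestedName)
    $base = $LogicalPaths[$LogicalPathName]
    if (-not $base) { return $false }
    $baseFull = [System.IO.Path]::GetFullPath($base).TrimEnd('\') + '\'
    $reqFull  = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($base, $RequestedName))
    return $reqFull.StartsWith($baseFull, [System.StringComparison]::OrdinalIgnoreCase)
}

# Walk-through with constructed requests.
Resolve-LogicalFile 'EHS_IMP_SUBSTANCES_2'
Test-PhysicalNameAllowed 'EHS_IMP_SUBSTANCES_PATH_2' 'substance.dat'            # plain file name inside the mapped directory
Test-PhysicalNameAllowed 'EHS_IMP_SUBSTANCES_PATH_2' '..\..\..\Windows\win.ini'  # relative name that leaves the directory
Test-PhysicalNameAllowed 'EHS_IMP_SUBSTANCES_PATH_2' 'C:\Windows\win.ini'       # rooted name outside the directory
Test-PhysicalNameAllowed 'EHS_NO_SUCH_PATH'          'substance.dat'            # no stored mapping
```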
13.5.1.4.5.1 Data Storage on WWI Servers and Expert Servers
Windows Wordprocessor Integration (WWI) and Expert read data from the SAP system using Remote Function
Call (RFC), process the data, and store the results in the database of the SAP system. In addition, the WWI
generation server (WWI server) and the Expert server save configuration data and cached data locally.
Note
Make sure that only as few users as possible can access the Windows servers that run the WWI server and the
Expert server.
To apply access permissions in Windows, execute the following steps for the following folders.
For more information on access control and on security auditing, see the Windows Help.
To configure access control for a local file or folder, proceed as follows:
1. Start the Windows Explorer.
2. In the context menu of the file or the folder that you want to audit, choose Properties, and go to the Security
tab page.
3. Choose Edit.
4. Add or remove the user names and set the permissions for each user.
Note
To improve data storage security, you can apply Windows file system encryption to the folders that hold
sensitive data.
Expert Cache
If you use the specification data cache of Expert, it stores copies of the specification data locally in the Expert
server file system. The root folder of the cache is determined in the registry at
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TechniData\EHS-AddOns\CacheRoot.
To protect data, make sure that you set appropriate access permissions on the configured root folder of the
cache. Grant read or write access only to LocalSystem, to administrators, and to selected users.
Expert Rules
Apply access permissions to the Expert rules directory. Expert rules are programs that Expert executes and that
alter specification data. Make sure that the rules are not altered by unauthorized users.
The rules are usually stored in the Rules folder of the Expert installation, but each rule can be configured
separately in the Windows Registry. For more information on the paths to the rules files, see
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TechniData\EHS-AddOns\Instances.
Set appropriate access permissions on the Expert rules folder. Grant access only to LocalSystem, to
administrators, and to selected users.
WWI Root Directory
WWI temporarily stores data in the Windows file system to process data in the WWI root directory.
If an error occurs, the temporary files might remain in the root directories. We recommend cleaning up the folder
regularly.
The path that indicates the WWI root directory depends on the process. For more information about the path,
check the Customizing settings for Product Safety and Stewardship for Process Industries.
● For synchronous generation, check the environment parameter WWI_GENSERVER_SYN_ANCHOR under
Basic Data and Tools > Basic Settings > Specify Environment Parameters.
● For background generation, check the WWI root under Basic Data and Tools > Report Definition >
Windows Wordprocessor Integration (WWI) > Configuration of Generation PCs > Configuration of Generation
Servers > Manual Configuration of Generation Servers > Specify Generation Servers.
● For Global Label Management, check the temporary directory for the synchronous WWI server under Global
Label Management > Set Basic Data and Tools for Global Label Management > Make Settings for Basic Data.
● For print request processing in Global Label Management, check HKEY_CLASSES_ROOT\WWIDOCUMENT\AnchorRoot
in the Windows registry.
Grant access on the WWI root folders only to LocalSystem, to administrators, and to selected users.
WWI Print Request Cache for Global Label Management
WWI caches templates and generated labels in the Windows file system.
The cache path in the Windows file system is configured in the WWI.INI file under [DMS]. Set the appropriate
access permissions on the WWI root directories. Grant read or write access only to the WWI user, to LocalSystem,
to administrators, and to selected users.
The database file or database connection is configured under dbConnection in the WWI.INI file. Set appropriate
access permissions on the database file or in the configured database management system. Grant access only to
the WWI user, to LocalSystem, to administrators, and to selected users.
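An added PowerShell example (not SAP's or TechniData's code) that applies the permission pattern recommended above to the Expert cache root and the Expert rules folder: it reads CacheRoot from the registry key named above, cuts inheritance, and grants access only to LocalSystem, the local Administrators group and an explicit list of users, then reports any entry that does not fit. The rules folder path and the user list are assumptions; the same function can be run against the WWI root directories.

```powershell
# Added example (not SAP's or TechniData's code). Run in an elevated PowerShell on
# the Expert server. The rules folder path and the user list are placeholders.

$AddOnsKey    = 'HKLM:\SOFTWARE\Wow6432Node\TechniData\EHS-AddOns'  # omit Wow6432Node on 32-bit systems
$RulesFolder  = 'C:\Program Files (x86)\TechniData\Expert\Rules'    # placeholder, check your installation
$AllowedUsers = @('EXAMPLE\expert-operator')                         # placeholder list of selected users

function Get-ExpertCacheRoot {
    # CacheRoot is the registry value the guide names for the cache root folder.
    (Get-ItemProperty -LiteralPath $AddOnsKey -Name 'CacheRoot' -ErrorAction Stop).CacheRoot
}

function Set-RestrictedFolderAcl {
    # Replace the folder's ACL: no inheritance, full control for SYSTEM and
    # Administrators, Modify (read and write) for the selected users, nothing else.
    param([Parameter(Mandatory)][string] $Path, [string[]] $Users = @())
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { throw "Folder not found: $Path" }

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent without copying the inherited entries, then
    # drop any explicit entries that are already present.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $principal, [System.Security.AccessControl.FileSystemRights]::FullControl, $inherit, $prop, $allow))
    }
    foreach ($user in $Users) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $user, [System.Security.AccessControl.FileSystemRights]::Modify, $inherit, $prop, $allow))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-UnexpectedAce {
    # Return every access entry whose principal is outside the allowed set, for
    # example a leftover BUILTIN\Users entry. An empty result means the folder is
    # restricted as the guide recommends.
    param([Parameter(Mandatory)][string] $Path, [string[]] $Users = @())
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') + $Users
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $allowed -notcontains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

foreach ($folder in (Get-ExpertCacheRoot), $RulesFolder) {
    Set-RestrictedFolderAcl -Path $folder -Users $AllowedUsers
    $leftover = Get-UnexpectedAce -Path $folder -Users $AllowedUsers
    if ($leftover) {
        Write-Warning "Unexpected access entries remain on ${folder}:"
        $leftover | Format-Table -AutoSize
    } else {
        Write-Host "$folder is restricted to SYSTEM, Administrators and the selected users."
    }
}
```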
13.5.1.4.6 Dispensable Functions with Impacts on Security
You can compile and display system information for Windows Wordprocessor Integration (WWI) as follows:
● You can display system information in the WWI Monitor (transaction CG5Z): In the menu, choose Utilities >
Test Server.
● In WWI.INI, under [Global], set DisableWwiServerInfo to 1. This prevents external access to the WWI system
information (through the WWI Server Monitor, for example). The default value is 0.
13.5.1.4.7 Security for Additional Applications
Windows Authorization for Windows Wordprocessor Integration
Windows Wordprocessor Integration (WWI) requires a Windows user account that is used to run the WWI
generation server services. This is because many printer settings and settings for Microsoft Word are user-
specific.
As an abbreviation, the user account is called WWI user.
● Create a new Windows user. This user is used to execute the WWI generation server (WWI server). The user
can be a local user or a domain user. We recommend creating a local user, for example, WWI-USER. Assign
this user to the Main users group or the Users group. Use a password that does not expire.
● In Microsoft Windows Vista, Microsoft Windows Server 2008, and higher releases, assign the WWI user to
the administrators group.
● If the user is a domain user, ensure that the profile of the user is local.
● Check the security settings for the user that is used to execute the WWI server:
○ The user must have the Log on as a service authorization. In Microsoft Windows XP, Microsoft Windows
Server 2003, and higher releases, also set this authorization for users of the administrators group. You
can find this authorization in the Control Panel under Administrative Tools > Local Security Policy.
Navigate to Local Policies > User Rights Assignment and assign the user to the policy Log on as a service.
○ Check the DCOM start authorization and access authorization for Microsoft Word using the
DCOMCNFG.EXE configuration program. For more information, see SAP Note 580607.
○ Ensure that the user has write (change) authorization for the WWI root directory. We recommend using a
local directory. The WWI work directory is configured in the Specify Generation Servers Customizing
activity.
○ Make sure that the Microsoft Windows TEMP directory exists. The TEMP directory is configured in
Microsoft Windows under Control Panel > System > Advanced > Environment Variables. There, check the
user variables and system variables TMP and TEMP.
○ Ensure that the user has write (change) authorization for the Microsoft Windows TEMP directory.
For further information, see SAP Note 580586.
Windows Authorization for Expert
The Expert server service is run as a local system account.
Windows Authorization for Administration Management Server
The Administration Management Server service is run as a local system account.
13.5.1.4.8 Security-Relevant Logging and Tracing
Windows Wordprocessor Integration (WWI) and Expert log all processing information in the Windows Application
Event Log. A separate Security Log for WWI and Expert does not exist. For security-relevant information from
Windows, check the Windows Security Event Log.
For more information on maintaining a secure environment in Windows servers, check the Microsoft Windows
Security Guide and the Microsoft Security Compliance Manager.
Tracking Configuration Changes
To track configuration changes of WWI and Expert that are made through WWI and Expert Server Administration
(transaction CGSADM), enable the Security Audit Log (transaction SM19).
Relevant audit log numbers:
● DUA – EHS-SADM: Service &A on client &B created
● DUB – EHS-SADM: Service &A on client &B started
● DUC – EHS-SADM: Service &A on client &B stopped
● DUD – EHS-SADM: Service &A on client &B stopped
● DUE – EHS-SADM: Configuration of service &A on client &B was changed
● DUF – EHS-SADM: File &A from client &B transferred
● DUG – EHS-SADM: File &A transferred to client &B
Configuration changes are also recorded in change documents. Creating change documents in WWI and Expert
Server Administration is enabled by default. To switch off the creation of change documents, set the
environment parameter CGSADM_NO_CHANGE_DOCS in the Specify Environment Parameters Customizing activity
to X.
To display change documents, start the program RSSCD110 (Display change documents (cross-client)) and
choose object class ESSADM.
Tracking Configuration with Windows Features
To track WWI and Expert configuration changes, enable auditing in the Windows file system. For more information
on Access Control and Security Auditing, see the Windows Help.
Before setting up auditing for files and folders, enable object access auditing by defining auditing policy settings
for the object access event category.
To define or modify auditing policy settings for an event category for your local computer, proceed as follows:
1. Choose Control Panel > Administrative Tools > Local Security Policy.
2. In the console tree, go to Local Policies > Audit Policy.
3. In the results pane, choose Audit object access to enable the auditing policy settings.
To configure auditing settings for a local file or folder, proceed as follows:
1. Open Windows Explorer.
2. In the context menu of the file or folder that you want to audit, choose Properties and go to the Security tab
page.
3. Choose Edit, and then choose Advanced.
4. In the Advanced Security Settings go to the Auditing tab page.
To configure auditing settings for a registry key:
1. Open Registry Editor.
2. Go to the registry key.
3. In the context menu of the registry key that you want to audit, choose Permissions.
4. On the Security tab page, choose Advanced.
5. In the Advanced Security Settings, choose the Auditing tab page.
Windows Wordprocessor Integration (WWI)
For WWI, the following files and folders must be covered by change auditing:
● WWI.INI
● SAPRFC.INI
● GRAPHICS
● Registry key: HKEY_CLASSES_ROOT\WWIDOCUMENT
Expert
For Expert, the following files and folders must be covered by change auditing:
● SAPRFC.INI
● RULES
● Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TechniData\EHS-AddOns\Instances (for 32-bit
systems, omit Wow6432Node)
● Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TechniData\EHS-AddOns\Systems (for 32-bit
systems, omit Wow6432Node)
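An added PowerShell example (not SAP's or TechniData's code) that enables object access auditing and attaches change-audit entries (SACLs) to the WWI and Expert files, folders and registry keys listed above, so that successful and failed modifications of them are written to the Windows Security Event Log. The WWI and Expert installation directories are assumptions; the file, folder and key names are those on this page.

```powershell
# Added example (not SAP's or TechniData's code). Run in an elevated PowerShell on
# the WWI/Expert server. Installation directories are placeholders.

$WwiDir    = 'C:\WWI'                                     # placeholder
$ExpertDir = 'C:\Program Files (x86)\TechniData\Expert'   # placeholder
$Wow       = 'Wow6432Node\'                               # set to '' on 32-bit systems

$FileTargets = @(
    (Join-Path $WwiDir    'WWI.INI'),
    (Join-Path $WwiDir    'SAPRFC.INI'),
    (Join-Path $WwiDir    'GRAPHICS'),
    (Join-Path $ExpertDir 'SAPRFC.INI'),
    (Join-Path $ExpertDir 'RULES')
)
$RegistryTargets = @(
    'HKCR:\WWIDOCUMENT',
    "HKLM:\SOFTWARE\${Wow}TechniData\EHS-AddOns\Instances",
    "HKLM:\SOFTWARE\${Wow}TechniData\EHS-AddOns\Systems"
)

# Audit policy ("Audit object access" in the steps above), enabled per subcategory.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol.exe /set /subcategory:"Registry"    /success:enable /failure:enable | Out-Null

# HKEY_CLASSES_ROOT has no PowerShell drive by default.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Add-FileChangeAudit {
    # Audit successful and failed writes, deletions, permission and ownership changes
    # by any principal. Folders propagate the entry to their contents.
    param([Parameter(Mandatory)][string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Not found: $Path"; return }
    $inherit = if ((Get-Item -LiteralPath $Path).PSIsContainer) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Add-RegistryChangeAudit {
    # The same for a registry key and its subkeys.
    param([Parameter(Mandatory)][string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Not found: $Path"; return }
    $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$FileTargets     | ForEach-Object { Add-FileChangeAudit     -Path $_ }
$RegistryTargets | ForEach-Object { Add-RegistryChangeAudit -Path $_ }

# Verification: show the audit entries now attached to WWI.INI.
(Get-Acl -LiteralPath (Join-Path $WwiDir 'WWI.INI') -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags | Format-Table -AutoSize
```

Resulting modifications appear in the Security Event Log as object access events; setting SACLs requires the Manage auditing and security log privilege, which an elevated administrator session has.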
13.5.2 Enterprise Portfolio and Project Management
13.5.2.1 Project System
13.5.2.1.1 Deletion of Personal Data
Use
The Project System might process data (personal data) that is subject to the data protection laws applicable in
specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion
of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at
http://help.sap.com/s4hana_op_1709 under Product Assistance > Cross Components > Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 180:
Application: Project System (PS)
Detailed Description: The archiving objects are used for archiving and deleting operative objects and standard
networks in the Project System.
Provided Deletion Functionality: Archiving Objects:
● PS_PROJECT
● PS_PLAN
Relevant Application Objects and Available EoP/WUC Functionality
Table 181:
Application: Project System (PS)
Implemented Solution (EoP or WUC): EoP
Further Information: An end of purpose check determines whether data is still relevant for business activities
based on the retention period defined for the data. This check is determined based on the date on which the
network activity is set to the closed status. For more information, refer to the sections Process Flow and
Configuration: Simplified Blocking and Deletion.

Application: Project System (PS)
Implemented Solution (EoP or WUC): WUC
Further Information: A where-used check is a simple check to ensure data integrity in case of potential
blocking. The WUC in application Project System checks whether any dependent data exists for:
● A certain customer in RSADD, VSRSADD_CN, COFP, COER, QMSM, QMUR, QMEL, IHPA.
● A certain vendor in RSADD, VSRSADD_CN, AFVC, VSAFVC_CN, RESB, VS_RESB_CN, COFP, QMSM, QMUR, QMEL, IHPA.
● A certain contact person in QMSM, QMUR, IHPA.
● A certain cBP in AD01DLI, PSACL_TAB.
Note
If dependent data exists, that is, if the data is still required for business activities, the system does not block
the corresponding customer, vendor, or cBP. If you still want to block data, the dependent data must be deleted
by using the existing archiving and deletion tools or by using any other customer-specific solution.
Process Flow
1. Before archiving data, you must define residence time and retention periods in SAP Information Lifecycle
Management (ILM).
2. You choose whether data deletion is required for data stored in archive files or data stored in the database,
also depending on the type of deletion functionality available.
3. You do the following:
○ Run transaction IRMPOL and maintain the required residence and retention policies for the central
business partner (ILM object: CA_BUPA).
○ Run transaction BUPA_PRE_EOP to enable the end of purpose check function for the central business
partner.
○ Run transaction IRMPOL and maintain the required residence and retention policies for the customer
master and vendor master (ILM objects: FI_ACCPAYB, FI_ACCRECV, FI_ACCKNVK).
○ Run transaction CVP_PRE_EOP to enable the end of purpose check function for the customer master and
vendor master.
4. Business users can request unblocking of blocked data by using the transaction BUP_REQ_UNBLK.
5. If you have the needed authorizations, you can unblock data by running the transactions BUPA_PRE_EOP and
CVP_UNBLOCK_MD.
6. You delete data by using the transaction ILM_DESTRUCTION for the ILM objects of PS.
For information about how to configure blocking and deletion for PS, see Configuration: Simplified Blocking and
Deletion.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in
Customizing for Cross-Application Components under Data Protection.
● Define the settings for authorization management under Data Protection > Authorization Management.
For more information, see the Customizing documentation.
● Define the settings for blocking in Customizing for Cross-Application Components under Data
Protection > Blocking and Unblocking of Data > Business Partner.
● You configure the settings related to the blocking and deletion of customer and vendor master data in
Customizing for:
○ Logistics - General > Business Partner > Deletion of Customer and Supplier Master Data
13.5.2.2 Commercial Project Management
13.5.2.2.1 Authorizations
The following section provides an overview of the authorizations that apply to Commercial Project Management.
Based on your business needs, you can choose one of the following component combinations as a deployment
option:
Deployment Option – Project Workspace – Project Cost and Revenue Planning – Project Issue and Change
Management – SAP BusinessObjects Analysis for Microsoft Office
Option 1 x x x x
Option 2 x x x
Option 3 x x x
Option 4 x x
The following standard roles and standard authorization objects can be used based on the option you have
deployed.
Standard Roles
Commercial Project Management
Role – Description
SAP_BPR_CPD_USER_1 – Provides Display authorizations for Commercial Project Management.
Project Workspace
Role – Description
SAP_SR_CPD_PWS_USER_1 – Provides Display authorizations for Commercial Project Management.
SAP_SR_CPD_PM_1 – Allows the creation, change, and display of commercial projects and financial plans and
provides authorizations to users working as project managers.
SAP_SR_CPD_PICM_PM_1 – Provides Create, Change, and Display authorizations for objects in Project Issue and
Change Management.
SAP_BR_PRJTEAMMEMBER_COMMPRJ – Allows team members to use the following Fiori app:
● Commercial Projects: Activities
SAP_BR_PROJECTMGR_COMMPRJ – Allows project managers to use the following Fiori apps:
● Commercial Projects: Activities
● Commercial Projects: Multiproject Overview
● Commercial Projects: Single-Project Overview
● Commercial Projects: Billing and Receivables Overview
● Commercial Projects: Procurement Overview
Project Cost and Revenue Planning
Role – Description
SAP_SR_CPD_PFP_USER_1 – Provides Display authorizations for objects relevant to Project Cost and Revenue
Planning.
SAP_SR_CPD_PM_1 – Allows the creation, change, and display of commercial projects and financial plans. The
role provides authorizations to users working as project managers.
SAP_SR_CPD_PICM_PM_1 – Provides Create, Change, and Display authorizations for objects in Project Issue and
Change Management.
Project Issue and Change Management
Role – Description
SAP_SR_CPD_PICM_USER_1 – Provides Display authorizations for objects in Project Issue and Change
Management.
SAP_SR_CPD_PICM_PM_1 – Provides Create, Change, and Display authorizations for objects in Project Issue and
Change Management.
Standard Authorization Objects
Project Workspace
Authorization Object – Description
● /CPD/MP – Authorization object to determine the kind of activity that a user can perform on a commercial
project (including the specific areas of a commercial project).
● /CPD/ANLY – Authorization object for Analytics.
● /CPD/MC – Authorization object for checklist activities.
● /CPD/OAUTH – Authorization object to override access control.
Project Cost and Revenue Planning
Authorization Object – Description
● /CPD/FPH – Authorization object for the financial plan.
● S_TCODE – Authorization object that performs a transaction code check at the start of a transaction.
● S_RS_AUTH, S_RS_COMP, S_RS_COMP1, S_RS_ALVL, S_RS_PLSE, S_RS_PC, S_RS_PLSQ – BW and AO authorization
objects for Project Cost and Revenue Planning.
Note
To launch the Excel workbook from a financial plan, the user's role requires the authorization object S_RS_AO.
The DISPLAY activity is required to launch and display the workbook. Other activities such as CREATE, CHANGE,
and DELETE must only be assigned to users who are authorized to create, change, or delete workbooks.
Project Issue and Change Management
Authorization Object – Description
● PICM_STAT – Authorization object to check if the user has the authority to change the lifecycle status of the
activity.
● PICM_ISTAT – Authorization object to check if the user has the authority to change the lifecycle status of the
issue or change request.
● /IAM/OREF – Authorization object for reference objects for issue, change request, and activity.
● IAM_CAT_AC – Authorization to restrict access to the worklist object of Project Issue and Change Management.
● /IAM/AAUTH – Authorization object for activity.
● /IAM/ATTMT – Authorization object for attachments for issue and activity.
● /IAM/A_ATTR – Authorization object for attribute maintenance for activity.
● IAM_CODEGR – Authorization object for code groups.
● /IAM/TXTTY – Authorization object for descriptions.
● /IAM/IAUTH – Authorization object for issue requests.
● IAM/A_STAT – Authorization object for lifecycle status (activity).
● IAM/I_STAT – Authorization object for lifecycle status (issue).
● IAM/A_RLCD – Authorization object for role codes in activity.
● IAM/I_RLCD – Authorization object for role codes in issue.
● /IAM/CODGR – Authorization object for selection of code groups, codes.
13.5.2.2.2 Data Storage Security
In Commercial Project Management, the header data of the financial plan is stored in the database tables of
Project Cost and Revenue Planning.
● Data is saved in the database tables of Project Cost and Revenue Planning when the user explicitly chooses
the Save pushbutton on the financial planning screen.
● The planning data is stored in the BW InfoCube and can be transferred to the S4CORE database tables by the
user.
● Data is saved in the BW InfoCube when the user explicitly chooses the Save Data pushbutton in the Analysis
Office workbook.
● Data is saved in S4CORE database tables when the user explicitly chooses the Transfer Data pushbutton on
the financial planning screen.
13.5.2.2.3 Data Archiving
13.5.2.2.3.1 Archiving Commercial Projects
You can use Archiving Object for Commercial Projects (/CPD/PWS_M) to archive commercial projects that are no
longer needed. Archiving allows you to reduce the load on your database.
Structure
Tables
Table 182: Tables for Commercial Projects
Table Description
/CPD/S_MP_HDR_K Commercial Project Header
/CPD/D_MP_HDR_S Commercial Project Header Short Text
/CPD/D_MP_ITEM Commercial Project Structure Elements
/CPD/D_MP_MEMBER Project Member
/CPD/D_MP_REP_AT Reporting Attribute Node
/CPD/D_MP_RESP Responsibility Node
/CPD/D_MP_STATUS Status Header
/CPD/D_MP_ST_ARV Table for Status Area Version
/CPD/D_MP_ST_HRA Status Header Area
/CPD/D_MP_ST_VHR Status Versions
/CPD/D_MP_TEAM Team
/CPD/D_MP_TEAM_M Team Member Subnode
/CPD/D_MP_TEAM_R Team Role Subnodes
Programs
The following programs are available for /CPD/PWS_M:
● Preprocessing: /CPD/PWS_ARCH_MP_PRE
This program makes the following checks for commercial projects:
If both these conditions are satisfied, the program sets the archiving status of the commercial project to
Archiving in Process (02).
● Write: /CPD/PWS_ARCH_MP_WRITE
This program checks if an object has the status Archiving in Process (02). If the status is 02, the program
archives the object to the archive file.
● Delete: /CPD/PWS_ARCH_MP_DELETE
This program verifies archived files against the data in the database, and deletes all objects in the database
that have been successfully archived.
Information Lifecycle Management (ILM)
Information Lifecycle Management (ILM) allows you to define rules for storing archived business data, set legal
holds on stored data, and destroy the data in adherence to legal requirements.
The ILM object CPD_PWS_M is available for commercial projects and this ILM object allows you to model retention
rules based on the following fields:
● Condition Fields
○ Archiving Status
○ Commercial Project Type
○ Organization
● Time Reference Fields
○ End Date
You can use the transaction IRMPOL to define policies and rules for ILM.
Prerequisites
The prerequisites for Retention Management are:
● You have activated the business function ILM
● You have assigned the following objects to an audit area:
○ CPD_PWS_M
More Information
To change the residence time, you can make settings in Customizing for Cross-Application Components under
Processes and Tools for Enterprise Applications > Reusable Objects and Functions for BOPF Environment >
Archiving Adapter > Maintain BO-Specific Residence Periods.
13.5.2.2.3.2 Archiving Financial Plans
You can use Archiving Object for Financial Plans (/CPD/PFP_P) to archive financial plans that are no longer
needed. Archiving allows you to reduce the load on your database.
Structure
Tables
Table 183: Tables for Financial Plans
Table Description
/CPD/D_PFP_PH Plan Header
/CPD/D_PFP_PV Plan Version
/CPD/D_PFP_PS Plan Structure
/CPD/D_PFP_PER Plan Exchange Rate
/CPD/D_PFP_PHTXT Plan Header Text
/BOBF/D_ATF_RT Attachment Root
/BOBF/D_ATF_DO Attachment Document
/BOBF/D_TXCROOT Text Collection Root
/BOBF/D_TXCTXT Text Collection Text
/BOBF/D_TXCCON Text Collection Text Content
Programs
The following programs are available for /CPD/PFP_P:
● Preprocessing: /CPD/PFP_ARCH_PH_PRE
This program checks whether a financial plan is ready for archiving. A financial plan is ready for archiving
when:
○ Related financial plan versions have a status that indicates completion.
○ All related change requests and change request alternatives are ready for archiving, with the status as
Archiving in Process (02). This is only applicable if you are also using Project Issue and Change
Management.
○ The financial plan has a status that indicates completion.
If the object is ready, this program sets the status as Archiving in Process (02) in the database.
Note
After the preprocessing program has run, the objects marked for archiving are no longer made available on
the UI. The program also deletes corresponding data from the real-time InfoCube (/CPD/PFP_R01) and
transfers the data into the InfoCube for archiving (/CPD/PFP_C01).
● Write: /CPD/PFP_ARCH_PH_WRITE
This program checks if an object has the status Archiving in Process (02). If the status is 02, the program
archives the object to the archive file.
● Delete: /CPD/PFP_ARCH_PH_DELETE
This program verifies archived files against the data in the database and deletes all objects in the database
that have been successfully archived.
Information Lifecycle Management (ILM)
Information Lifecycle Management (ILM) allows you to define rules for storing archived business data, set legal
holds on stored data, and destroy the data in adherence to legal requirements.
The ILM object CPD_PFP_P is available for financial plans and this ILM object allows you to model retention rules
based on the following fields:
● Condition Fields
○ Plan Scenario ID
○ Plan Type ID
○ Archiving Status
● Time Reference Fields
○ End Date
You can use the transaction IRMPOL to define policies and rules for ILM.
Prerequisites
The prerequisites for Retention Management are:
● You have activated the business function ILM
● You have assigned the following objects to an audit area:
○ CPD_PFP_P
More Information
To change the residence time, you can make settings in Customizing for Cross-Application Components under
Processes and Tools for Enterprise Applications > Reusable Objects and Functions for BOPF Environment >
Archiving Adapter > Maintain BO-Specific Residence Periods.
13.5.2.2.3.3 Archiving Issues and Change Requests
You can use Archiving Object for Issues and Change Requests (/PICM/BO_I) to archive issues and change
requests that are no longer needed. Archiving allows you to reduce the load on your database.
Structure
Tables
Table 184: Tables for Issues and Change Requests
Table Description
/BOBF/D_ATF_DO Document node of attachment folder
/BOBF/D_ATF_RT Root nodes of attachment folder
/BOBF/D_TXCCON Text content
/BOBF/D_TXCROOT Root node of text collection
/BOBF/D_TXCTXT Text
/IAM/D_I_ATT Attachment
/IAM/D_I_DATE Date
/IAM/D_I_DESC Description node
/IAM/D_I_DESC_TX Language-dependent description text node
/IAM/D_I_OBJ_REF Issue reference node
/IAM/D_I_OREF_DT Language-dependent, reference, description text node
/IAM/D_I_PARTY Party node
/IAM/D_I_QTY Quantity
/IAM/D_I_ROOT Root node
Programs
The following programs are available for /PICM/BO_I:
● Preprocessing: /PICM/ARCH_ISSUE_CR_ROOT_PRE
This program checks if an object is ready for archiving by verifying the following conditions:
○ The adherence to the specified residence time
○ The availability of activities for the object
If the object is ready, this program sets the status as Archiving in Process (02) in the database. After the
preprocessing program has run, the objects marked for archiving are no longer made available on the UI.
● Write: /PICM/ARCH_ISSUE_CR_ROOT_WRITE
This program checks if an object has the status Archiving in Process (02). If the status is 02, the program
archives the object to the archive file.
● Delete: /PICM/ARCH_ISSUE_CR_ROOT_DEL
This program verifies archived files against the data in the database and deletes all objects in the database
that have been successfully archived.
More Information
To change the residence time, you can make settings in Customizing for Cross-Application Components under
Processes and Tools for Enterprise Applications > Reusable Objects and Functions for BOPF Environment >
Archiving Adapter > Maintain BO-Specific Residence Periods.
13.5.2.2.3.4 Archiving Activities
You can use Archiving Object for Activities (/PICM/BO_A) to archive activities that are no longer needed. Archiving
allows you to reduce the load on your database.
Structure
Tables
Table 185: Tables for Activities
Table Description
/BOBF/D_ATF_DO Document node of attachment folder
/BOBF/D_ATF_RT Root nodes of attachment folder
/BOBF/D_TXCCON Text content
/BOBF/D_TXCROOT Root node of text collection
/BOBF/D_TXCTXT Text
/IAM/D_ACT_ATT Attachment
/IAM/D_ACT_DATE Date
/IAM/D_ACT_DESC Description node
/IAM/D_ACT_DTXT Language-dependent description text node
/IAM/D_ACT_FOA Follow-up action
/IAM/D_ACT_FOA_P Follow-up action parameter
/IAM/D_ACT_OBJ_RF Object reference
/IAM/D_ACT_OREF_DT Language-dependent description texts
/IAM/D_ACT_PARTY Party
/IAM/D_ACT_QTY Activity quantity
Programs
The following programs are available for /PICM/BO_A:
● Preprocessing: /PICM/ARCH_ACTIVITY_ROOT_PPROC
This program checks if an object is ready for archiving by verifying the adherence to the specified residence
time. If the object is ready, this program sets the status as Archiving in Process (02) in the database. After the
preprocessing program has run, the objects marked for archiving are no longer made available on the UI.
● Write: /PICM/ARCH_ACTIVITY_ROOT_WRITE
This program checks if an object has the status Archiving in Process (02). If the status is 02, the program
archives the object to the archive file.
● Delete: /PICM/ARCH_ACTIVITY_ROOT_DEL
This program verifies archived files against the data in the database and deletes all objects in the database
that have been successfully archived.
More Information
To change the residence time, you can make settings in Customizing for Cross-Application Components under
Processes and Tools for Enterprise Applications Reusable Objects and Functions for BOPF Environment
Archiving Adapter Maintain BO-Specific Residence Periods .
13.5.2.2.3.5 Archiving Checklists Headers and Items
You can use the archiving objects Checklist Headers (/CPD/MC_H) and Checklist Items (/CPD/MC_I) to archive
checklist headers and items that are no longer needed. Archiving allows you to reduce the load on your database.
Structure
Tables
Table 186: Tables for Checklist Headers
Table Description
/BOBF/D_ATF_DO Document node of attachment folder
/BOBF/D_ATF_RT Root nodes of attachment folder
/BOBF/D_TXCCON Text content
/BOBF/D_TXCROOT Root node of text collection
/BOBF/D_TXCTXT Text
/IAM/D_I_ATT Attachment
/IAM/D_I_DATE Date
/IAM/D_I_DESC Description node
/IAM/D_I_DESC_TX Language-dependent description text node
/IAM/D_I_OBJ_REF Issue reference node
/IAM/D_I_OREF_DT Language-dependent, reference, description text node
/IAM/D_I_PARTY Party node
/IAM/D_I_QTY Quantity
/IAM/D_I_ROOT Root node
Table 187: Tables for Checklist Items
Table Description
/BOBF/D_ATF_DO Document node of attachment folder
/BOBF/D_ATF_RT Root nodes of attachment folder
/BOBF/D_TXCCON Text content
/BOBF/D_TXCROOT Root node of text collection
/BOBF/D_TXCTXT Text
/IAM/D_ACT_ATT Attachment
/IAM/D_ACT_DATE Date
/IAM/D_ACT_DESC Description node
/IAM/D_ACT_DTXT Language-dependent description text node
/IAM/D_ACT_FOA Follow-up action
/IAM/D_ACT_FOA_P Follow-up action parameter
/IAM/D_ACT_OBJ_RF Object reference
/IAM/D_ACT_OREF_DT Language-dependent description texts
/IAM/D_ACT_PARTY Party
/IAM/D_ACT_QTY Activity quantity
Programs
The following programs are available for /CPD/MC_H:
● Preprocessing: /CPD/ARCH_MC_HEADER_PRE
This program checks if an object is ready for archiving by verifying the following conditions:
○ The adherence to the specified residence time
○ The availability of activities for the object
If the object is ready, this program sets the status as Archiving in Process (02) in the database. After the
preprocessing program has run, the objects marked for archiving are no longer made available on the UI.
● Write: /CPD/ARCH_MC_HEADER_WRITE
This program checks if an object has the status Archiving in Process (02). If the status is 02, the program
archives the object to the archive file.
● Delete: /CPD/ARCH_MC_HEADER_DELETE
This program verifies archived files against the data in the database and deletes all objects in the database
that have been successfully archived.
The following programs are available for /CPD/MC_I:
● Preprocessing: /CPD/ARCH_MC_ITEM_PRE
This program checks if an object is ready for archiving by verifying the adherence to the specified residence
time. If the object is ready, this program sets the status as Archiving in Process (02) in the database. After the
preprocessing program has run, the objects marked for archiving are no longer made available on the UI.
● Write: /CPD/ARCH_MC_ITEM_WRITE
This program checks if an object has the status Archiving in Process (02). If the status is 02, the program
archives the object to the archive file.
● Delete: /CPD/ARCH_MC_IEM_DELETE
This program verifies archived files against the data in the database and deletes all objects in the database
that have been successfully archived.
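The preprocessing, write, and delete programs listed above for /PICM/BO_I, /PICM/BO_A, /CPD/MC_H, and /CPD/MC_I all follow the same three-step cycle. The following Python model is an added example, not SAP code: it implements the residence-time check and the activities check of the preprocessing step, the marking with status Archiving in Process (02) that removes an object from the UI, the write step that copies status-02 objects to the archive, and a delete step that removes only objects whose archived copy matches the database row. The status value 01, the residence period in days, the dict that stands in for the archive file, and the activities_closed flag are constructed assumptions; the guide itself names only status 02.

```python
from dataclasses import dataclass, replace
from datetime import date

# Status values: the guide names "Archiving in Process (02)"; "01" is a
# constructed placeholder for the ordinary, not-yet-archived status.
ACTIVE = "01"
ARCHIVING_IN_PROCESS = "02"


@dataclass(frozen=True)
class BoRecord:
    """One archivable BOPF object (issue/change request, activity, checklist header or item)."""
    key: str
    last_changed: date
    activities_closed: bool  # assumption: stands in for "availability of activities for the object"
    status: str = ACTIVE


def residence_elapsed(rec: BoRecord, today: date, residence_days: int) -> bool:
    """Residence time is counted from the last change (see the ILM time reference field)."""
    return (today - rec.last_changed).days >= residence_days


def preprocess(db: dict, today: date, residence_days: int, check_activities: bool = True) -> list:
    """Preprocessing program: set status 02 on every ready object. Returns the keys marked."""
    marked = []
    for key, rec in list(db.items()):
        if rec.status != ACTIVE:
            continue  # already in process or otherwise out of scope
        if not residence_elapsed(rec, today, residence_days):
            continue  # residence time not yet reached
        if check_activities and not rec.activities_closed:
            continue  # activities condition not met (issues/change requests, checklist headers)
        db[key] = replace(rec, status=ARCHIVING_IN_PROCESS)
        marked.append(key)
    return marked


def ui_visible(db: dict) -> list:
    """Objects still offered on the UI: everything not marked for archiving."""
    return sorted(k for k, r in db.items() if r.status != ARCHIVING_IN_PROCESS)


def write(db: dict, archive: dict) -> list:
    """Write program: copy every status-02 object to the archive (a dict models the archive file)."""
    written = []
    for key, rec in db.items():
        if rec.status == ARCHIVING_IN_PROCESS:
            archive[key] = rec
            written.append(key)
    return written


def delete(db: dict, archive: dict) -> list:
    """Delete program: remove only objects whose archived copy matches the database row."""
    deleted = []
    for key in list(db):
        rec = db[key]
        if rec.status == ARCHIVING_IN_PROCESS and archive.get(key) == rec:
            del db[key]
            deleted.append(key)
    return deleted


def sample_db() -> dict:
    """Constructed sample data: one ready object, one with open activities, one too recent."""
    return {
        "A": BoRecord("A", date(2023, 1, 1), activities_closed=True),
        "B": BoRecord("B", date(2023, 1, 1), activities_closed=False),
        "C": BoRecord("C", date(2024, 5, 1), activities_closed=True),
    }


if __name__ == "__main__":
    today = date(2024, 6, 1)
    db, archive = sample_db(), {}
    print("marked:", preprocess(db, today, residence_days=365))
    print("visible on UI:", ui_visible(db))
    print("written:", write(db, archive))
    print("deleted:", delete(db, archive))
```

Running the write step before delete matters: delete compares the archived copy with the database row, so an object that carries status 02 but has no matching archive entry is left in place rather than silently dropped.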
Information Lifecycle Management (ILM)
Information Lifecycle Management (ILM) allows you to define rules for storing archived business data, set legal
holds on stored data, and destroy the data in adherence to legal requirements.
The ILM objects CPD_MC_H and CPD_MC_I are available for checklist headers and items respectively, and these
ILM objects allow you to model retention rules based on the following fields:
● Condition Field
○ APPLICATION
● Time Reference Fields
○ Last Changed On
Note
The date of the last change of the checklist headers and items is considered in the time reference field.
Note
When you create retention rules for a checklist item, ensure that the retention time specified does not exceed
the retention time specified for the parent (checklist header).
You can use the transaction IRMPOL to define policies and rules for ILM.
Prerequisites
The prerequisites for Retention Management are:
● You have activated the business function ILM
● You have assigned the following objects to an audit area:
○ CPD_MC_H
○ CPD_MC_I
More Information
To change the residence time, you can make settings in Customizing for Cross-Application Components under
Processes and Tools for Enterprise Applications Reusable Objects and Functions for BOPF Environment
Archiving Adapter Maintain BO-Specific Residence Periods .
13.5.2.2.4 Deletion of Personal Data
The Commercial Project Management applications might process data (personal data) that is subject to the data
protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to
control the blocking and deletion of personal data.
Project Workspace
Relevant Application Objects and Available Deletion Function
Application | Detailed Description | Deletion Function
Project Workspace | Project Workspace stores personal information of business partners for the Team function. | The ILM-enabled deletion program for commercial projects: /CPD/PWS_ARCH_MP_DELETE
Relevant Function Modules
Application | Function Module | Description
Project Workspace Risk Management | /CPD/BUPA_EOP_CHECK | You can use this API to check the retention period of business partners.
Project Workspace Risk Management | /CPD/RM_BUPA_EVENT_ARCH1 | You can use this API to archive business partners.
Project Workspace Risk Management | /CPD/RM_BUPA_EVENT_DELE1 | You can use this API to delete business partners.
Project Workspace | /CPD/PWS_WS_BUPA_EOP_CHECK | You can use this function module for the end of purpose check.
Relevant Programs
Application | Program | Description
Project Workspace | /CPD/R_DPP_CONTACT_PERSON_S4H | This program is relevant for contact persons who have been added using the Create Contact feature in the Define Commercial Project Types view in Customizing for Commercial Project Management under Master Data Commercial Project Make Settings for Commercial Projects. When a contact person leaves a company, to comply with data privacy and protection rules, you can use this program to identify all the projects that this person is assigned to and then delete the contact from all projects in one go.
Project Cost and Revenue Planning
The Project Cost and Revenue Planning application (CA-CPD-FP) does not use SAP ILM to support the deletion of
personal data since the data required for transactional purposes is stored in a BW InfoCube.
Relevant Application Objects and Available Deletion Function
Application | Detailed Description | Deletion Function
Project Cost and Revenue Planning | Project Cost and Revenue Planning stores personal information of business partners only when resources are planned together with SAP Multiresource Scheduling (MRS). This information is then stored in a BW InfoCube for real-time planning. | The deletion program /CPD/PFP_EMP_DATA_CONSISTENCY checks the HR master and deletes information from the InfoCube for employee records that are not found in the HR master.
Project Issue and Change Management
Relevant Application Objects and Available Deletion Function
Application | Detailed Description | Deletion Function
Project Issue and Change Management | Project Issue and Change Management stores personal information of business partners for the Partner function. | See the list below.
Deletion functions for Project Issue and Change Management:
● The ILM-enabled deletion program for issues and change requests: /PICM/ARCH_ISSUE_CR_ROOT_DEL
● The ILM-enabled deletion program for activities: /PICM/ARCH_ACTIVITY_ROOT_DEL
● Function module to check (before deletion) whether a business partner is used in the application: /PICM/BUPA_EVENT_DELE1
Relevant Function Modules
Application | Function Module | Description
Project Issue and Change Management | /PICM/BUPA_EOP_CHECK | You can use this function module for the end of purpose check.
13.5.2.2.5 Security-Relevant Logging and Tracing
The Project Cost and Revenue Planning application of Commercial Project Management uses the tracing
functions of SAP BusinessObjects Analysis for Microsoft Office (AO) to trace actions performed in the planning
workbook (AO). You can also activate a trace file for Project Cost and Revenue Planning using the Activate Tracing
button on the Financial Planning ribbon. Details of the items are recorded in the trace file
(CACPDFP_TRACE_LOG.log). Note that the file does not record user-specific personal information such as user
name or IP address.
For information about tracing related to Analysis Office, see https://help.sap.com/viewer/p/
SAP_BUSINESSOBJECTS_ANALYSIS_OFFICE Installation, Configuration, Security and Administration
Administrator Guide .
13.5.2.2.6 Other Security-Relevant Information
Before you use the digitally-signed SAP BusinessObjects Analysis for Microsoft Office (AO) workbooks delivered
by Commercial Project Management, you must follow these steps:
Caution
These settings are valid if you want to use the workbooks in a secure way by only enabling digitally-signed
macros. However, if you use custom workbooks or make any changes and save it back to the standard, you
must enable all macros.
1. Launch Microsoft Excel
   1. Go to File Options Trust Center Settings Macro Settings
   2. Choose Disable all macros except digitally signed macros
   3. Mark the Trust access to the VBA project object model checkbox
2. Launch the digitally-signed workbook and implement the following steps to add the certificate as a trusted
publisher:
   1. A security warning is shown in File Info Enable Control
   2. Select Advanced Options
   3. In the next dialog box, select Trust all documents from this publisher
   Note
   Adding the certificate is a one-time activity.
3. Follow these steps to change the default system in the workbook:
   1. Go to File Commercial Project Settings
   2. In the dialog box, choose Platform
   3. Choose Replace System
   4. Choose your relevant system in the Replace by System column
   5. Save the workbook (with the correct standard workbook name) in the relevant system
13.5.2.3 SAP Portfolio and Project Management
13.5.2.3.1 Authorizations
Authorizations
In Project Management and Portfolio Management, authorizations are controlled in the following ways:
● ABAP authorization objects and roles
This is the standard method for controlling access to transactions and programs in an SAP ABAP system.
Authorizations are combined in an authorization profile that is associated with a role. User administrators can
then assign the corresponding roles via the user master record, so that the user can access the appropriate
transactions for his or her tasks.
● Access control lists
These allow you to add another level of security by controlling authorization at object level. For example, you
can control who has authorization to change a particular project definition.
You can define the menu options in the navigation area using portal content adjustments or PFCG role
Customizing.
● Roles for SAP Fiori apps
To use SAP Fiori Apps, users must be assigned to roles. These roles define which apps are displayed to the
user.
In Project Management only, you can use the following additional authorization mechanisms:
● System administrators can grant access to objects by choosing Portfolio and Project Administration
Project Authorization Administration in the application. This is an exception to the normal process and is
only used if the administrator of the object is not available due to illness, for example. The system sends the
“new” and “old” administrators an e-mail to inform them of the new authorization holder. For more
information, see the Granting Administration Authorization for an Object section of the Configuration Guide for
SAP Portfolio and Project Management.
● System administrators can assign PFCG roles in Customizing for SAP Portfolio and Project Management
under Common Functions Define Superuser Authorizations . This ensures that the maintained PFCG
roles with the selected authorization will be automatically assigned to the corresponding project definition.
Authorizations regarding BAPIs, reports, and (RFC-enabled) function modules:
In SAP Portfolio and Project Management, multiple BAPIs, reports and (RFC-enabled) function modules are
available to create, read, change, edit, update, and delete the data of SAP Portfolio and Project Management.
Additionally, data is read from the SAP S/4HANA system via (RFC-enabled) function modules and reports.
Therefore, these BAPIs, reports, and function modules make it possible to access and manipulate Portfolio and
Project Management data and to read SAP S/4HANA data. The authorization for using these BAPIs, reports, and
function modules (via transactions, for example) should therefore be restricted to users who are intended to have
these authorizations and the corresponding access to data.
Authorizations regarding search results
You can use the BAdI BADI_DPR_SEARCH to modify search results. You can filter the result set implementing this
BAdI depending on the specified search helps which exist for each Portfolio and Project Management object.
Thus, you can, for example, hide all results for which the user does not have read authorization from the result list.
In the standard, these results are displayed in the result list, but the user cannot open or display these objects.
Use
SAP Portfolio and Project Management uses the authorization concept provided by SAP NetWeaver for SAP S/
4HANA. Therefore, the recommendations and guidelines for authorizations as described in the Security Guide for
SAP NetWeaver for SAP S/4HANA also apply to SAP Portfolio and Project Management.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
You can maintain the following role authorizations in Project Management and Portfolio Management using the
SAP Profile Generator.
The following PFCG roles of SAP Portfolio and Project Management include authorizations to start the Web
Dynpro ABAP applications (authorization check S_START) for Project Management and Portfolio Management:
● SAP_CPR_USER
● SAP_XRPM_USER
For details see the particular roles in transaction PFCG and choose Authorizations Display Authorization Data
Cross-application Authorization Objects Start Authorization Check for TADIR Objects .
SAP recommends adapting customer-specific roles accordingly.
Project Management Roles
The following single roles are delivered with Project Management:
Table 188:
Role | Authorization
SAP_CPR_PROJECT_ADMINISTRATOR | Create projects (project definitions).
SAP_CPR_TEMPLATE_ADMINISTRATOR | Create, change, read, and delete all templates in Project Management.
SAP_CPR_USER | Use Project Management, but no authorization to perform any activities in a particular project. To do this, users need project-specific authorizations, which can be distributed either directly via ACLs or through their assignment to a role. This role must be included in every Project Management composite role.
SAP_CPR_BCV_USER | Project-Management-specific authorization for using BCV content in resource management.
SAP_BPR_PPM | SAP Portfolio and Project Management PFCG role for NWBC.
The following composite roles are delivered with Project Management:
Table 189:
Role | Authorization
SAP_CPR_DECISON_MAKER | Decision maker in Project Management. Contains the role SAP_CPR_USER.
SAP_CPR_INTERESTED | Interested party in Project Management. Contains the role SAP_CPR_USER.
SAP_CPR_MEMBER | Team member in Project Management. Contains the role SAP_CPR_USER.
SAP_CPR_PROJECT_LEAD | Project manager in Project Management. Contains the roles SAP_CPR_PROJECT_ADMINISTRATOR and SAP_CPR_USER.
SAP_CPR_BCV_USER_COMP | Composite role containing the general role for using BCV (SAP_BCV_USER) and the Project Management specific role (SAP_CPR_BCV_USER).
SAP_CPR_TEMPLATE_RESPONSIBLE | Project Management template responsible. Contains the roles SAP_CPR_TEMPLATE_ADMINISTRATOR and SAP_CPR_USER.
SAP_CPR_RESOURCE_MANAGER | Resource manager in Project Management. Contains the role SAP_CPR_USER.
You can use these SAP standard roles or create your own. For more information, see the Activating Single Roles
for Project Management section and the Creating Roles for the Project-Specific Authorization Checks section of the
Configuration Guide for SAP Portfolio and Project Management.
Portfolio Management Roles
For Portfolio Management, the following roles are available:
Table 190:
Role | Authorization
SAP_XRPM_ADMINISTRATOR | Super user authorization in Portfolio Management. Used to create new portfolios. This role also provides the assigned user full access to all Portfolio Management business objects in the system.
SAP_XRPM_USER | General user in Portfolio Management. All users should be assigned this role. Has general authorizations to use Portfolio Management, but no specific object access. This access must be assigned to the user via ACLs.
SAP_RPM_BCV_USER | Portfolio Management specific authorization for BCV content in Portfolio Management.
SAP_RPM_BCV_USER_COMP | Composite role containing the general role for using BCV (SAP_BCV_USER) and the Portfolio Management specific role (SAP_RPM_BCV_USER).
SAP_BPR_PPM | PFCG role for NWBC in SAP Portfolio and Project Management.
You can use these SAP standard roles or create your own. For more information about roles in Portfolio
Management, see the Activating Single Roles for Portfolio Management (PFCG) section and the Creating Roles for
the Portfolio-Specific Authorization Checks section of the Configuration Guide for SAP Portfolio and Project
Management.
SAP Fiori Roles
Table 191:
Roles Authorization
SAP_BR_PROJECTMANAGER Project Manager
SAP_BR_PROJECTTEAMMEMBER Project Team Member
SAP_BR_PORTFOLIOMANAGER Project Portfolio Manager
SAP_BR_PROJECT_OFFICE_SPEC Project Management Office Specialist
SAP_BR_PROGRAMMANAGER Program Manager
SAP_BR_PROJECT_RESOURCEMANAGER Project Resource Manager
SAP_BR_PROJECT_STEER_MEMBER Project Steering Committee Member
SAP Fiori roles need to be assigned on the front-end server on which the UIS4HOP1 software component is
installed. For more information and further implementation tasks on the front-end server, see the UI Technology
Guide for SAP S/4HANA.
13.5.2.3.2 Communication Channel Security
Table 192: SAP Portfolio and Project Management Communication Channel Security
Communication Channel | Communication Technology | Data Transferred | Comment/Security Recommendation
SAP Portfolio and Project Management front end (browser) to the SAP NetWeaver Application Server (SAP NetWeaver AS) | HTTP(S) | Files, metadata, and user data (passwords, user names) | -
Project Management front end (browser) to content or cache servers | HTTP(S) | Files | -
SAP NetWeaver AS to content or cache servers | HTTP(S) | Metadata, files | -
SAP NetWeaver AS to other application servers (for example, HR, CO) | RFC | Metadata, files | SAP Portfolio and Project Management communicates with 3rd party or SAP S/4HANA systems to obtain or create information on object links between SAP Portfolio and Project Management and objects located in the 3rd party/SAP system. The communication to 3rd party systems has to be implemented at the customer site. The 3rd party/SAP system never calls back. For more information, see the Setting Up Object Links section of the Configuration Guide for SAP Portfolio and Project Management.
SAP Portfolio and Project Management to Project System (PS) component on a separate system | RFC | Files, metadata | -
SAP Portfolio and Project Management to SAP HCM on a separate system | SAP ALE, RFC | Files, metadata | -
Note
In SAP Portfolio and Project Management, there is no fixed port for communication; the firewall settings
described in the SAP NetWeaver Security Guide apply. For more information, see http://help.sap.com/s4hana
SAP S/4HANA SAP NetWeaver for SAP S/4HANA Security Guide Security Guides for SAP NetWeaver
Functional Units Security Guides for the Application Server Security Guides for the AS ABAP SAP
NetWeaver Application Server ABAP Security Guide Protecting Your Productive System (Change and
Transport System) .
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using the Secure Sockets Layer (SSL) protocol.
Recommendation
We strongly recommend using secure protocols (SSL, SNC) whenever possible.
For more information, see http://help.sap.com/s4hana SAP S/4HANA SAP NetWeaver for SAP S/4HANA
Security Guide Network and Communication Security Transport Layer Security .
13.5.2.3.3 Network Security
SAP supports the installation of SAP Portfolio and Project Management within the intranet (for internal
collaboration only).
Installation Scenarios
Scenarios A and B can be used for SAP Portfolio and Project Management:
● Scenario A: No content server
● Scenario B: One hidden content server
Installation scenario B, with one hidden content server, is the installation scenario with the highest level of
security.
Scenario A: No Content Server
In scenario A, the complete installation consists only of SAP Portfolio and Project Management server (SAP
NetWeaver AS).
The server is located in the intranet.
Figure 5: Scenario A: No Content Server
Scenario B: One Hidden Content Server
In the second type of installation, one content server is added to the network environment.
For SAP Portfolio and Project Management, the SAP NetWeaver AS and the content server are both located in the
intranet.
Figure 6: Scenario B: One Hidden Content Server
13.5.2.3.4 Communication Destinations
For the default SAP Portfolio and Project Management scenarios, no RFC destination pointing to external systems
is required. However, if you are using the Project Management application programming interfaces (APIs) via the
SOAP wrapper, the APIs consist of RFC function modules.
SAP Portfolio and Project Management
● FI/CO integration / Accounting Integration
● Adobe Document Services (ADS)
● Object links to e.g. SAP R/3, SAP ERP
● HR integration
In the following areas, Portfolio Management RFCs are called from an external application:
● Project integration
The Project Management APIs are required for:
● Portfolio Management Integration
● If a user needs to use the APIs, they must have the basic RFC authorization for the relevant API function
modules. The SOAP wrapper adheres to the authorization rules that apply if the RFC module is called directly.
The function group name for Project Management is CPR_API.
To view the application-specific and basis authorization objects used in SAP Portfolio and Project Management,
see Authorizations [page 347].
For more information about authorization objects and roles, see http://help.sap.com/s4hana SAP S/4HANA
SAP NetWeaver for SAP S/4HANA Security Guide User Administration and Authentication User
Management Identity Management User and Role Administration of Application Server ABAP AS ABAP
Authorization Concept .
13.5.2.3.5 Internet Communication Framework Security
You should only activate those services that are needed for the applications running in your system. For more
information about the services that are needed for SAP Portfolio and Project Management, see the Activating
Services section of the Configuration Guide for SAP Portfolio and Project Management.
Use the transaction SICF to activate these services.
If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings
accordingly.
For more information, see http://help.sap.com/s4hana SAP S/4HANA SAP NetWeaver for SAP S/4HANA
Function-Oriented View Application Server Application Server Infrastructure Functions and Tools of SAP
NetWeaver Application Server Connectivity Components of SAP Communication Technology
Communication Between ABAP and Non-ABAP Technologies Internet Communication Framework
Development Server-Side Development Creating and Configuring ICF Services Activating and Deactivating
ICF Services.
For more information about ICF security, see http://help.sap.com/s4hana SAP S/4HANA SAP NetWeaver
for SAP S/4HANA Security Guide Security Guides for Connectivity and Interoperability Technologies
RFC/ICF Security Guide .
13.5.2.3.6 Data Storage Security
Data Storage
Note
In the default setting for SAP Portfolio and Project Management, data is protected using the ACL concept
already described in Authorizations [page 347]. A Web browser is required for both scenarios. However, no
cookies are used to store data on the front end.
Data Protection
In SAP Portfolio and Project Management, data is mainly stored on the SAP NetWeaver Application Server (SAP
NetWeaver AS) database. An exception to this is when files are checked out for editing. In this case, files are
stored locally on the user’s hard drive and it is their responsibility to protect the files according to company
security policy.
Depending on which installation scenario you have chosen for SAP Portfolio and Project Management, files might
also be stored on content servers. For information about security measures to be taken in this case, see the
Network Security chapter of this document.
For more information about data protection, see the Data Protection chapter of this document.
13.5.2.3.7 Deletion of Personal Data
Use
SAP Portfolio and Project Management might process data (personal data) that is subject to the data protection
laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the
blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on
the SAP Help Portal at http://help.sap.com/s4hana Product Assistance Cross Components Data
Protection .
Relevant Application Objects and Available Deletion Functionality
Table 193:
Application | Detailed Description | Provided Deletion Functionality
Portfolio Management | For more information, see the Product Assistance documentation for SAP Portfolio and Project Management under Archiving Portfolio and Project Management Data. | Archiving objects: RPM_PORT (Portfolios), RPM_BUCKET (Buckets), RPM_ITEM (Items), RPM_COLL (Collections), RPM_INIT (Initiatives), RPM_REVW (Reviews)
Project Management | - | Archiving objects: CDOCS_CONT (Documents), CPROJECTS (Projects)
Portfolio and Project Management | Once a business partner is destroyed using the central Business Partner application, all references of this particular business partner to objects in Portfolio Management and Project Management must be removed. Run the corresponding deletion program on a regular basis. | Deletion program PPM_DPP_DELETE
Relevant Application Objects and Available EoP/WUC functionality
Table 194:
Application | Implemented solution (EoP or WUC) | Further Information
Portfolio and Project Management | EoP | Checks whether business partner data is still needed for Portfolio and Project Management processes.
● If a business partner is still needed: next check date = initial
● If a business partner is no longer needed and the end of residence date is in the future (> today): next check date = end of residence
● If a business partner is no longer needed and the end of residence is reached (<= today): next check date = initial; start of retention date is calculated
Use Business Add-In PPM_BUPA_EOP_CHECK to implement a customer-specific logic.
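The three outcomes of the end of purpose (EoP) check listed in Table 194 form a small decision rule. The following Python model is an added example and not the PPM_BUPA_EOP_CHECK BAdI or any other SAP code: it computes the next check date and the start of retention date for a list of constructed business partners. The input fields (still_needed, end_of_residence), the use of None for the "initial" value, and the assumption that the start of retention date equals the end of residence date (the guide only says it "is calculated") are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class PartnerUsage:
    """Constructed input: what the EoP check knows about one business partner."""
    partner_id: str
    still_needed: bool       # a Portfolio/Project Management object still references the partner
    end_of_residence: date   # end of the residence period derived from the ILM policy


@dataclass(frozen=True)
class EopResult:
    partner_id: str
    next_check_date: Optional[date]      # None models the "initial" value in the guide
    start_of_retention: Optional[date]   # set only once the end of residence is reached


def eop_check(usage: PartnerUsage, today: date) -> EopResult:
    """Apply the three rules from Table 194 to one business partner."""
    # Rule 1: still needed -> next check date = initial
    if usage.still_needed:
        return EopResult(usage.partner_id, None, None)
    # Rule 2: no longer needed, end of residence in the future -> re-check on that date
    if usage.end_of_residence > today:
        return EopResult(usage.partner_id, usage.end_of_residence, None)
    # Rule 3: end of residence reached -> next check date = initial, retention starts.
    # Assumption: the retention period starts on the end-of-residence date.
    return EopResult(usage.partner_id, None, usage.end_of_residence)


def run_eop_checks(usages: List[PartnerUsage], today: date) -> List[EopResult]:
    return [eop_check(u, today) for u in usages]


def blockable_partners(usages: List[PartnerUsage], today: date) -> List[str]:
    """Partners whose purpose has ended: the check produced a start of retention date."""
    return [r.partner_id for r in run_eop_checks(usages, today) if r.start_of_retention is not None]


# Constructed sample partners covering the three rules (plus one long past residence).
SAMPLE_USAGES = [
    PartnerUsage("BP-1", still_needed=True, end_of_residence=date(2024, 1, 1)),
    PartnerUsage("BP-2", still_needed=False, end_of_residence=date(2025, 1, 1)),
    PartnerUsage("BP-3", still_needed=False, end_of_residence=date(2024, 6, 1)),
    PartnerUsage("BP-4", still_needed=False, end_of_residence=date(2023, 12, 31)),
]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for result in run_eop_checks(SAMPLE_USAGES, today):
        print(result)
    print("blockable:", blockable_partners(SAMPLE_USAGES, today))
```

Note that a partner that is still referenced never gets a retention date, whatever its residence period says: the "still needed" test must come first, which is also the order in which the guide lists the rules.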
Process Flow
1. Before archiving data, you must define residence time and retention periods in SAP Information Lifecycle
Management (ILM).
2. You choose whether data deletion is required for data stored in archive files or data stored in the database,
also depending on the type of deletion functionality available.
3. You do the following:
○ Run transaction IRMPOL and maintain the required residence and retention policies for the central
business partner (ILM object: CA_BUPA).
○ Run transaction BUPA_PRE_EOP to enable the end of purpose check function for the central business
partner.
4. Business users can request unblocking of blocked data by using the transaction BUP_REQ_UNBLK.
5. If you have the needed authorizations, you can unblock data by running the transaction BUPA_PRE_EOP and
CVP_UNBLOCK_MD.
6. You delete data by using the transaction ILM_DESTRUCTION for the ILM objects of Portfolio and Project
Management.
For information about how to configure blocking and deletion for SAP Portfolio and Project Management, see
Configuration: Simplified Blocking and Deletion.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components under Data Protection.
● Define the settings for authorization management under Data Protection Authorization Management .
For more information, see the Customizing documentation.
● Define the settings for blocking in Customizing for Cross-Application Components under Data Protection
Blocking and Unblocking Business Partner .
13.5.2.3.8 Security for Additional Applications
You can import data from or export data to Microsoft Project only if you have the required authorizations (see Access Control Lists – Import and Export). The protection of the downloaded data is not part of the Project Management security model: once a user has saved the project to a local hard drive, the system performs no authorization check when somebody else opens that file again in Microsoft Project.
13.5.2.3.9 Other Security-Relevant Information
Import from Microsoft Excel
You can import projects from a Microsoft Excel file to Project Management. This enables you to transfer mass
data in a quick and easy manner.
If you want to restrict the import function, you have to make sure that only allowed users receive authorization for
transaction DPR_DX_PROJECT and report DPR_DX_PROJECT.
Moreover, you can import financial and/or capacity data from a Microsoft Excel file to financial and capacity planning in Portfolio Management. To use this function, you require an ERP system, an appropriate client, user, and password. This import is only allowed if the required authorization has been granted.
13.5.2.3.10 Security-Relevant Logging and Tracing
Floorplan Manager Message Logging to the Application Log
The Web Dynpro ABAP UI of SAP Portfolio and Project Management uses the Floor Plan Manager (FPM). The FPM
Message Manager has a connection to the ABAP application log and offers the option to write error messages
occurring in the FPM Message Manager also to the application log in the backend. To activate this feature, go to
transaction SAAB and activate the check point group FPM_RUNTIME_MESSAGES for your user or for all users in the
server.
For more information about FPM, see http://www.sdn.sap.com/irj/sdn/nw-ui under Custom UI Development → Web Dynpro ABAP → Floorplan Manager (FPM) Developer's Guide.
For more information about security in the ABAP area, see
● http://help.sap.com/s4hana → SAP S/4HANA → SAP NetWeaver for SAP S/4HANA Security Guide → Security Guides for SAP NetWeaver Functional Units → Security Guides for the AS ABAP → SAP NetWeaver Application Server ABAP Security Guide
● http://help.sap.com/s4hana → SAP S/4HANA → SAP NetWeaver for SAP S/4HANA Security Guide → Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server → Security Guides for the AS ABAP → SAP NetWeaver Application Server ABAP Security Guide → Web Dynpro ABAP Security Guide
Reports Logging to the Application Log
SAP Portfolio and Project Management logs application errors for background reports to transaction SLG1.
Background reports are executed in the areas of financial integration, migration, import from Microsoft Excel,
versioning, and replace user and resource. You can display these application logs via the objects RPM_DOCUMENT,
RPM_DX, RPM_INTEGRATION, RPM_MIGRATION, RPM_PLANNING, RPM_UC, RPM_VERSIONING, DPR_DX,
DPR_REPLACE_USER_BP.
Logon Attempts
For more information about logon attempts, see http://help.sap.com/s4hana → SAP S/4HANA → SAP NetWeaver for SAP S/4HANA Security Guide → Security Aspects for Lifecycle Management → Auditing and Logging → The Security Audit Log.
Change Document
You can use the change document function to track changes to objects of Project Management and Portfolio Management. If the function is active, the system also records changes to dependent objects. You can activate the change document function for the following objects:
● Project Management
○ Checklist templates
○ Project templates
○ Projects
You can activate this function in Customizing for Project Management under Basic Settings → Activate Change Documents.
If the function is active for one of these main objects, changes to dependent objects are also recorded. For
example, if you select the indicator for the object category project, the system records all changes to the
project as well as to the following objects:
○ Project definitions
○ Phases
○ Tasks
○ Mirrored tasks
○ Checklists
○ Checklist items
○ Documents
○ Object links
○ Entity links
○ Business partner favorites
○ Business partner links
○ Roles
○ Approvals
○ Qualifications
○ Collaborations
○ Templates
The system records changes only to database table DPR_DOCUMENT, and this table contains only unusable document attributes. The important attributes of the documents and files (such as name, location, and size) as well as the file content are saved to the KPro storage system, which has no change document support.
Project Management supports versioning for files instead of the change document function. To track the changes, the user must always create a new document version. If the user instead overwrites the existing version, the changes cannot be tracked.
Project Management supports evaluations for the following objects:
○ Project definitions
○ Phases
○ Tasks
○ Mirrored tasks
○ Checklists
○ Checklist items
○ Object links
○ Entity links
○ Business partner links
○ Roles
● Portfolio Management
○ Portfolio
○ Bucket
○ Initiative
○ Item
○ Decision point
○ Review
○ Collection
○ What-if scenario
○ Relational associations of business objects
○ Financial and capacity category for bucket and item
In the standard system, this function is not activated.
You can activate this function in Customizing for Portfolio Management under Global Customizing → Process and Service Settings → Activate Change Document.
The system does not record changes to the following objects:
● Project Management
○ Documents
● Portfolio Management
○ Long texts
○ Comments/notes
○ Documents
○ Financial and capacity planning values
For more information, see http://help.sap.com/s4hana → SAP S/4HANA → SAP NetWeaver for SAP S/4HANA Security Guide under
● Security Aspects for Lifecycle Management → Auditing and Logging
● Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server → Security Guides for the AS Java → SAP NetWeaver Application Server Java Security Guide → Tracing and Logging
13.5.3 Integrated Product Development for Discrete Industries
13.5.3.1 Classification Reuse UI Component
13.5.3.1.1 Data Protection
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance
with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different
countries. This section describes the specific features and functions that SAP provides to support compliance
with the relevant legal requirements and data privacy.
This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.
Note
In the majority of cases, compliance with data privacy laws is not a product feature.
SAP software supports data privacy by providing security features and specific data-protection-relevant
functions such as functions for the simplified blocking and deletion of personal data.
SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken
from any given legal source.
Table 195: Glossary
Term | Definition
Personal Data | Information about an identified or identifiable natural person.
Business purpose | A legal, contractual, or otherwise justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.
Blocking | A method of restricting access to data for which the primary business purpose has ended.
Deletion | Deletion of personal data so that the data is no longer usable.
Retention period | The time period during which data must be available.
End of purpose (EoP) | A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization.
Some basic requirements that support data protection are often referred to as technical and organizational
measures (TOM). The following topics are related to data protection and require appropriate TOMs:
● Access control: Authentication features as described in section User Administration and Authentication.
● Authorizations: Authorization concept as described in section Authorizations.
● Read access logging: as described in section Read Access Logging.
● Communication Security: as described in section Network and Communication Security.
● Availability control as described in:
○ Section Data Storage Security
○ SAP NetWeaver Database Administration documentation
○ SAP Business Continuity documentation in the SAP NetWeaver Application Help under Function-Oriented View → Solution Life Cycle Management → SAP Business Continuity
● Separation by purpose: Is subject to the organizational model implemented and must be applied as part of the authorization concept.
Note
The extent to which data protection is ensured depends on secure system operation. Network security,
security note implementation, adequate logging of system changes, and appropriate usage of the system are
the basic technical requirements for compliance with data privacy legislation and other legislation.
Configuration of Data Protection Functions
Certain central functions that support data protection compliance are grouped in Customizing for Cross-Application Components under Data Protection.
Additional industry-specific, scenario-specific or application-specific configuration might be required. For
information about the application-specific configuration, see the application-specific Customizing in SPRO.
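The blocking and deletion lifecycle that the numbered ILM steps for the central business partner earlier in this chapter and this section's glossary describe (end of purpose, blocking with access only for specially authorized users, residence time, retention period, destruction), as an added illustrative model. This is not SAP code; the policy values, record keys, purpose-end dates and the unblock window are constructed assumptions.

```python
"""Lifecycle model for the blocking and deletion concepts in this guide.

Added illustrative example, not SAP code: it mirrors the glossary terms
(end of purpose, blocking, retention period, residence time, deletion) and
the IRMPOL / BUPA_PRE_EOP / BUP_REQ_UNBLK / ILM_DESTRUCTION steps, using
constructed policy values and record data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Phase(Enum):
    ACTIVE = "active"            # primary business purpose still running
    BLOCKED = "blocked"          # EoP reached: only users with special authorization may read
    DESTROYABLE = "destroyable"  # retention period expired: data destruction is permitted


@dataclass(frozen=True)
class RetentionPolicy:
    """Stand-in for the residence/retention policy maintained per ILM object (constructed values)."""
    ilm_object: str
    residence_days: int  # minimum time the data stays in the database after EoP before archiving
    retention_days: int  # time after EoP during which the data must remain available


@dataclass
class Record:
    key: str
    ilm_object: str
    eop_date: Optional[date] = None         # set by the end-of-purpose check; None while purpose runs
    unblocked_until: Optional[date] = None  # temporary unblocking granted after an unblock request


def phase(rec: Record, policy: RetentionPolicy, today: date) -> Phase:
    """Derive the lifecycle phase from the EoP date and the retention period."""
    if rec.eop_date is None or today < rec.eop_date:
        return Phase.ACTIVE
    if today >= rec.eop_date + timedelta(days=policy.retention_days):
        return Phase.DESTROYABLE
    return Phase.BLOCKED


def may_archive(rec: Record, policy: RetentionPolicy, today: date) -> bool:
    """Residence time: the record may leave the database only once it has elapsed since EoP."""
    if rec.eop_date is None:
        return False
    return today >= rec.eop_date + timedelta(days=policy.residence_days)


def may_read(rec: Record, policy: RetentionPolicy, today: date, special_auth: bool) -> bool:
    """Blocking: after EoP the data is readable only with special authorization
    or while a temporary unblocking is in effect."""
    if phase(rec, policy, today) is Phase.ACTIVE:
        return True
    if rec.unblocked_until is not None and today <= rec.unblocked_until:
        return True
    return special_auth


def may_destroy(rec: Record, policy: RetentionPolicy, today: date) -> bool:
    """Deletion is permitted only after the retention period has expired."""
    return phase(rec, policy, today) is Phase.DESTROYABLE


def run_eop_check(records: List[Record], purpose_ends: Dict[str, date]) -> List[str]:
    """Model of the EoP check: records whose purpose has ended receive an EoP date.
    Returns the keys that were newly marked."""
    newly = []
    for rec in records:
        end = purpose_ends.get(rec.key)
        if rec.eop_date is None and end is not None:
            rec.eop_date = end
            newly.append(rec.key)
    return newly


def lifecycle_report(records: List[Record], policies: Dict[str, RetentionPolicy],
                     today: date) -> Dict[str, Dict[str, object]]:
    """Per record: the phase plus what the system would permit today."""
    out: Dict[str, Dict[str, object]] = {}
    for rec in records:
        pol = policies[rec.ilm_object]
        out[rec.key] = {
            "phase": phase(rec, pol, today).value,
            "archive": may_archive(rec, pol, today),
            "read_without_special_auth": may_read(rec, pol, today, False),
            "destroy": may_destroy(rec, pol, today),
        }
    return out


# Constructed sample data: one policy for the central business partner ILM object CA_BUPA
POLICIES = {"CA_BUPA": RetentionPolicy("CA_BUPA", residence_days=90, retention_days=365)}
# Constructed purpose-end dates; BP-0003 has no end of purpose yet
PURPOSE_ENDS = {"BP-0001": date(2023, 1, 1), "BP-0002": date(2023, 12, 1)}

if __name__ == "__main__":
    sample = [Record(k, "CA_BUPA") for k in ("BP-0001", "BP-0002", "BP-0003")]
    run_eop_check(sample, PURPOSE_ENDS)
    for key, row in lifecycle_report(sample, POLICIES, date(2024, 3, 1)).items():
        print(key, row)
```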
13.5.3.1.1.1 Data Privacy
The Classification Reuse UI Component must not process any sensitive personal data that is subject to the data protection laws applicable in specific countries as described in SAP Note 1825544.
Data Archiving and Deletion
Classification and characteristic data is dependent on the business object of the embedding application. You can
only archive or delete classification and characteristic data with the business object of the embedding application,
once the business object reaches its end of purpose. The embedding application is responsible for applying data
protection and privacy rules.
Characteristics Containing Sensitive Personal Data
Characteristics are not intended for storing any sensitive personal data.
13.5.3.2 Advanced Variant Configuration
13.5.3.2.1 Data Protection
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance
with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different
countries. This section describes the specific features and functions that SAP provides to support compliance
with the relevant legal requirements and data privacy.
This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.
Note
In the majority of cases, compliance with data privacy laws is not a product feature.
SAP software supports data privacy by providing security features and specific data-protection-relevant
functions such as functions for the simplified blocking and deletion of personal data.
SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken
from any given legal source.
Table 196: Glossary
Term | Definition
Personal Data | Information about an identified or identifiable natural person.
Business purpose | A legal, contractual, or otherwise justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.
Blocking | A method of restricting access to data for which the primary business purpose has ended.
Deletion | Deletion of personal data so that the data is no longer usable.
Retention period | The time period during which data must be available.
End of purpose (EoP) | A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization.
Some basic requirements that support data protection are often referred to as technical and organizational
measures (TOM). The following topics are related to data protection and require appropriate TOMs:
● Access control: Authentication features as described in section User Administration and Authentication.
● Authorizations: Authorization concept as described in section Authorizations.
● Read access logging: as described in section Read Access Logging.
● Communication Security: as described in section Network and Communication Security.
● Availability control as described in:
○ Section Data Storage Security
○ SAP NetWeaver Database Administration documentation
○ SAP Business Continuity documentation in the SAP NetWeaver Application Help under Function-Oriented View → Solution Life Cycle Management → SAP Business Continuity
● Separation by purpose: Is subject to the organizational model implemented and must be applied as part of the authorization concept.
Note
The extent to which data protection is ensured depends on secure system operation. Network security,
security note implementation, adequate logging of system changes, and appropriate usage of the system are
the basic technical requirements for compliance with data privacy legislation and other legislation.
Configuration of Data Protection Functions
Certain central functions that support data protection compliance are grouped in Customizing for Cross-Application Components under Data Protection.
Additional industry-specific, scenario-specific or application-specific configuration might be required. For
information about the application-specific configuration, see the application-specific Customizing in SPRO.
13.5.3.2.1.1 Data Privacy
The Advanced Variant Configuration UI must not process any personal data or sensitive personal data that is subject to the data protection laws applicable in specific countries as described in SAP Note 1825544.
Data Archiving and Deletion
Characteristic data is dependent on the business object of the embedding application. You can only archive or delete characteristic data with the business object of the embedding application, once the business object reaches its end of purpose. The embedding application is responsible for applying data protection and privacy rules.
Characteristics Containing Sensitive Personal Data
Characteristics are not intended for storing any personal data or sensitive personal data.
13.5.4 Product Lifecycle Management
13.5.4.1 Maintenance, Repair, and Overhaul
13.5.4.1.1 Authorizations (Specification 2000)
Specification 2000 (IS-ADEC-SPC) uses the authorization concept provided by the SAP NetWeaver AS for ABAP.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used:
Table 197:
Authorization Object | Description
C_ADSPCIP | Spec2000: Authorization object
13.5.4.1.2 Deletion of Personal Data (Specification 2000)
Use
Specification 2000 (IS-ADEC-SPC) might process data (personal data) that is subject to the data protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 → Product Assistance → Cross Components → Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 198:
Application | Provided Deletion Functionality
Specification 2000 (IS-ADEC-SPC) | Archiving object ADS2KIP_AR; ILM object ADS2KIP_AR; report AD_SCIP_ILM_DEL_01
Relevant Application Objects and Available EoP/WUC functionality
Table 199:
Application | Implemented Solution (EoP or WUC) | Further Information
Specification 2000 (IS-ADEC-SPC) | EoP | Checks tables EDP21, EDP13
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components→Data Protection.
13.5.4.1.3 Deletion of Personal Data (Spare Parts Stock Calculation)
Use
Spare Parts Stock Calculation (IS-ADEC-SPSC) might process data (personal data) that is subject to the data protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 → Product Assistance → Cross Components → Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 200:
Application | Provided Deletion Functionality
Spare Parts Stock Calculation (IS-ADEC-SPSC) | Report AD_SPSC_ILM_DEL_01
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components→Data Protection.
13.5.4.1.4 Authorizations (Manufacturer Part Number)
Manufacturer Part Number (MPN) uses the authorization concept provided by the SAP NetWeaver AS for ABAP.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used:
Table 201:
Authorization Object | Description
M_PIC_RIC | Authorization for MPN Restricted Interchangeability
ADPIC_RIC | Authorization object for MPN Restricted Interchangeability
M_PIC_EXCH | Authorization for material exchange
13.5.4.1.5 Deletion of Personal Data (MPN)
Use
Manufacturer Part Number (IS-ADEC-MPN) might process data (personal data) that is subject to the data protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 → Product Assistance → Cross Components → Data Protection.
Relevant Application Objects and Available EoP/WUC functionality
Table 202:
Application | Implemented Solution (EoP or WUC) | Further Information
Manufacturer Part Number (IS-ADEC-MPN) | EoP | Checks table MARA-MFRPN
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components→Data Protection.
13.6 Sales
13.6.1 Authorizations in Sales
Sales uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and
guidelines for authorizations as described in the SAP NetWeaver Security Guide also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG).
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Business Roles
Business roles denote a role of a persona, for example, Administrator or Internal Sales Representative. They are an
aggregation of the applications relevant for a certain persona.
In SAP S/4HANA, business roles are technically represented by single roles. They exist on the front-end server and do not contain authorizations. They serve demonstration purposes and trial use cases. You would typically create your own business roles as single roles or composite roles in transaction PFCG. Assigning the required back-end authorizations is a separate step, performed in transaction PFCG of the corresponding back-end clients.
Sales and Distribution
The following table shows the business roles used by Sales and Distribution (SD) as template roles:
Table 203:
Role | Description
SAP_BR_BILLING_CLERK | Billing Clerk
SAP_BR_INTERNAL_SALES_REP | Internal Sales Representative
SAP_BR_PRICING_SPECIALIST | Pricing Specialist
SAP_BR_SALES_MANAGER | Sales Manager
SAP_BR_SALES_PROCESS_MANAGER | Order-to-Cash Process Manager
SAP_BR_RETURNS_REFUND_CLERK | Returns and Refund Clerk
Standard Authorization Objects
Sales and Distribution
The following table shows the main security-relevant authorization objects used by Sales and Distribution (SD):
Table 204:
Authorization Object | Description
V_KNA1_BRG | Customer: Account Authorization for Sales Areas
V_KNA1_VKO | Customer: Authorization for Sales Organizations
V_KONH_VKO | Condition: Authorization for Sales Organizations
V_KONH_VKS | Condition: Authorization for Condition Types
V_VBAK_AAT | Sales Document: Authorization for Sales Document Types
V_VBAK_VKO | Sales Document: Authorization for Sales Areas
V_VBRK_FKA | Billing: Authorization for Billing Types
V_VBRK_VKO | Billing: Authorization for Sales Organizations
POC_AUTH | Process Observer: Process Instance
POC_DEFN | Process Observer: Process Definition
Global Trade Management
The following table shows the security-relevant authorization objects used by Global Trade Management (GTM):
Table 205:
Authorization Object | Description
W_WBGT_FIX | GTM: Setup of Enhancement Table WBGT
W_WBHK_ORG | Trading Contract: Authorization for Organizational Data
W_WBHK_TCT | Trading Contract: Authorization for Trading Contract Type
W_WTEW | Authorizations for Trading Execution Workbench
WB2_SHD_UI | Assignments: Authorization for shadow document types
More Information
For authorization information about Shipping (LE-SHP), see Authorizations in Logistics Execution [page 418].
13.6.2 Communication Channel Security
The information below shows the communication channels used, the protocol used for the connection, and the
type of data transferred.
Connection to an External Global Trade Services System
You can connect Global Trade Management to an external Global Trade Services (GTS) system in order to check
whether the contract data for Global Trade Management adheres to the prevailing legal requirements (import/
export controls, global trade data).
Table 206:
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP S/4HANA system – GTS system | RFC | Application data | n/a
All users in the SAP S/4HANA system call the functions on the GTS server through an RFC entry. In this RFC entry, you specify a user that is used exclusively for communication with GTS. Assign this communication user to the following roles for SAP Compliance Management:
Table 207: Roles for Compliance Management
Role | Description
/SAPSLL/LEG_ARCH | GTS Archiving
/SAPSLL/LEG_LCE_APP | GTS Legal Control Export: Specialist
/SAPSLL/LEG_LCI_APP | GTS Legal Control Import: Specialist
/SAPSLL/LEG_SPL_APP | GTS Sanctioned Party List: Specialist
/SAPSLL/LEG_SYS_COMM | GTS (Technical) System Communication
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using the Secure Sockets Layer (SSL) protocol. SOAP connections are protected with Web services
security.
Note
We strongly recommend using secure protocols (SSL, SNC) whenever possible.
For more information, see Transport Layer Security and Web Services Security in the SAP NetWeaver Security Guide.
13.6.3 Deletion of Personal Data
Use
The Sales application might process data (personal data) that is subject to the data protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 → Product Assistance → Cross Components → Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 208:
Application | Provided Deletion Functionality
Sales Documents | Archiving object SD_VBAK
Billing Documents | Archiving object SD_VBRK
Agreements and Related Conditions | Archiving object SD_AGREEM
Conditions | Archiving object SD_COND
Sales Documents | Data destruction object SD_BNAME_VA_DESTRUCTION
Billing Documents | Data destruction object SD_BNAME_VF_DESTRUCTION
Empties Management | Data destruction object BEV1_EMBD, data destruction object BEV1_EMFD
For more information about application objects and deletion functionality, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance → Enterprise Business Applications → Sales. You can find the information under the following:
● Data Archiving in Sales and Distribution (SD)
● Data Destruction in Sales and Distribution (SD)
Relevant Application Objects and Available EoP Functionality
Table 209:
Application | Implemented Solution (EoP or WUC) | Further Information
Sales and Distribution (SD) | EoP check | This includes the business in the areas of: Sales, Billing, Outbound Delivery Processing, Empties Management
Configuration: Simplified Blocking and Deletion
● You configure the settings related to the blocking and deletion of customer and supplier master data in Customizing under Logistics - General → Business Partner → Deletion of Customer and Supplier Master Data.
● You execute the rebuild of retention information in Customizing under Sales and Distribution → Data Transfer, Data Aging, and Archiving → Archiving Data → Rebuilding of Retention Information in SD.
● You can enhance the EoP check in Customizing under Sales and Distribution → System Modifications → Business Add-In → BAdI: Enhancements for End of Purpose Check.
13.6.4 Global Trade Management
13.6.4.1 Authorizations
The component Global Trade Management (LO-GT) uses the authorization concept that is provided by SAP
NetWeaver AS for ABAP or AS Java. The security guidelines and policies for authorizations that are described in
SAP NetWeaver AS Security Guide ABAP and SAP NetWeaver AS Security Guide Java are therefore also valid for
this component.
The SAP NetWeaver authorization concept stipulates that authorizations are assigned to users on the basis of roles. For role maintenance, use the Profile Generator (transaction PFCG) on AS ABAP, and the user administration console of the User Management Engine on AS Java.
Note
For more information about creating roles, see the respective application help for the role generator and the
user administration console.
You can implement the following PFCG standard role for component Global Trade Management:
Table 210:
Description | Technical Name
LO - Global Trade Management | SAP_EP_LO_WB20N
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 211:
Authorization Object | Field | Value | Description
W_WBHK_ORG | Organizational Data | 01 Create or generate; 02 Change; 03 Display; 04 Print, edit messages; 07 Activate, generate; 24 Archive; 25 Reload; 43 Release (*) | Trading contract: Authorization for organizational data
W_WBHK_TCT | Trading Contract Type | 01 Create or generate; 02 Change; 03 Display; 04 Print, edit messages; 07 Activate, generate; 24 Archive; 25 Reload; 43 Release (*) | Trading contract: Authorization for trading contract type
(*) To check this activity, you must explicitly activate the check as required.
13.6.4.2 Network and Communication Security
General
Your network infrastructure is extremely important in protecting your system.
Communication Channel Security
Connection to an SAP FSCM System
For Global Trade Management (EA-GLTRADE), you have the option to use an external SAP FSCM system to create
forward exchange transactions. If you install SAP FSCM on a separate system, you require an RFC connection. If
you install SAP FSCM together with Global Trade Management on one system, no RFC connection is necessary.
Table 212:
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP ERP system - SAP FSCM system (Financial Supply Chain Management) | RFC | Application data | -
RFC connections can be protected using Secure Network Communications (SNC). For more information about setting up the RFC connection, and the prerequisites (authorizations), see Customizing for ERP under Logistics - General → Global Trade Management → Currency Hedging → Maintain RFC Destination of CFM System. For more information about encryption, see the SAP NetWeaver Security Guide in section Network and Communication Security → Transport Layer Security.
Connection to an External Global Trade Services (GTS) System
For Global Trade Management (EA-GLTRADE), you have the option to connect an external GTS system. You can
then check whether the contract data from Global Trade Management corresponds to the existing legal
requirements (import/export control, foreign trade data).
Table 213:
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP ERP system - GTS system | RFC | Application data | -
All users in the SAP ECC system call the functions on the GTS server through an RFC entry. In this RFC entry, you specify a user that is used purely for communication with GTS. Give this communication user the following roles for SAP Compliance Management:
Table 214:
Role | Description
/SAPSLL/LEG_ARCH | GTS Archiving
/SAPSLL/LEG_LCE_APP | GTS Legal Control Export: Specialist
/SAPSLL/LEG_LCI_APP | GTS Legal Control Import: Specialist
/SAPSLL/LEG_SPL_APP | GTS Sanctioned Party List: Specialist
/SAPSLL/LEG_SYS_COMM | GTS (Technical) System Communication
The RFC connections can be protected using Secure Network Communications (SNC). For more information about encryption, see the SAP NetWeaver Security Guide in the section Network and Communication Security → Transport Layer Security.
13.6.4.3 Deletion of Personal Data
Use
The Global Trade Management (LO-GT) application might process data (personal data) that is subject to the data protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance → Cross Components → Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 215:
Application Object | Detailed Description | Provided Deletion Functionality
Trading Contract | Archiving Trading Contract (LO-GT) | Archiving object WB2; Report: WB2_UPDATE_EOP_FROM_ARCHIVE
Relevant Application Objects and Available EoP/WUC Functionality
Table 216:
Application | Implemented Solution | Further Information
Global Trade Management: LO-GT-PM, LO-GT-TE, LO-GT-TEW, LO-GT-TC | EoP check | This includes the business area Trading Contract (LO-GT-TC)
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of customer and supplier master data in Customizing for Logistics - General under Business Partner → Deletion of Customer and Supplier Master Data.
13.6.5 Commodity Sales
13.6.5.1 Deletion of Personal Data
Use
Commodity Procurement and Commodity Sales might process data (personal data) that is subject to the data protection laws applicable in specific countries, as described in SAP Note 1825544.
For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal under Product Assistance → Cross Components → Data Protection.
Note that Commodity Procurement and Commodity Sales do not use SAP Information Lifecycle Management (ILM).
Relevant Application Objects and Available Deletion Functionality
Table 217:
Application Objects | Provided Deletion Functionality
BRFplus Decision Table Entries for CPE Formula Assembly | See section BRFplus Decision Table Entries for CPE Formula Assembly below
Pricing Condition Records in CPE Formula Assembly | See section Pricing Condition Records in CPE Formula Assembly below
Records of Versioned Logistics Pricing Data Persistency | See section Versioned Logistics Pricing Data Persistency below
BRFplus Decision Table Entries for CPE Formula Assembly
In the Commodity Pricing Engine (CPE), the Formula Assembly (FA) is used for logistics document items, such as sales order items or purchase order items, to create default settings such as the formula ID. These settings depend on properties of the underlying logistics document, such as the vendor/customer, organizational data, and material data.
The Business Rules Framework plus (BRFplus) is used to implement the rules that determine these settings. To use decision tables in BRFplus (as recommended by SAP), the required BRFplus content is provided (a BRFplus application and BRFplus functions that use BRFplus decision tables). The standard content includes, for example, decision tables that take customer or vendor, material, and other input fields and return the formula ID as the result field. Decision tables can therefore contain customer or vendor data that eventually needs to be deleted.
In the deletion report RCPE_BRF01 (Delete BRFplus Decision Table Entries for CPE Formula Assembly), you enter a selected customer or vendor. In test mode, the report checks whether the entered customer or vendor exists in the system and whether it is blocked. It then checks all BRFplus decision tables in the BRFplus applications used for the Formula Assembly, and displays the row numbers of the BRFplus decision tables and the column containing the selected customer or vendor. If the Test Mode flag is not set, the report deletes all entries found and creates an application log entry for object CMM and subobject DPP_FA_BRF (transaction SLG1).
The Customizing settings can be found in the SAP Implementation Guide under Sales and Distribution → Basic Functions → Commodity Pricing → Settings for Formula Assembly → Assign BRFplus Application to Pricing Procedure, or under Materials Management → Purchasing → Commodity Pricing → Settings for Formula Assembly → Assign BRFplus Application to Pricing Procedure.
Pricing Condition Records in CPE Formula Assembly
1. Precheck
Condition records are stored in table /1CN/CVFSAPI0FOR and used for the formula key determination. To check all tables of the formula assembly for customers or vendors used, enter the prefixes /1CN/CVF for Commodity Sales and /1CN/CMF for Commodity Procurement.
To check and process pricing conditions for the formula assembly, you can use the transactions MCPE_FA_GCM (for Commodity Procurement) and VCPE_FA_GCM (for Commodity Sales).
2. Deletion
To delete entries for a selected customer or vendor, run report RCPE_CT01.
Select, for example, table /1CN/CVFSAPI0FOR as identified in the previous step, and enter the customer for a Commodity Sales-relevant table. In test mode, the report displays all entries of table /1CN/CVFSAPI0FOR that would be deleted.
To display deleted entries, run transaction SLG1 for object CMM and subobject DDP_FA_AP.
To delete all entries of the selected table, select the Delete complete content indicator.
Note: Condition tables used for the CPE Formula Assembly must always be selected and processed individually.
Versioned Logistics Pricing Data Persistency
Transaction CMM_DEL_DOC_VERSIONS allows you to delete all records of the versioned logistics pricing data persistency (table CMM_VLOGP) that are stored for a certain blocked customer/vendor.
The same transaction also allows you to update all records of the versioned logistics pricing data persistency (table CMM_VLOGP) that are stored for a certain blocked customer/vendor, so that the identifier of the respective customer/vendor is masked with a blank space.
The authorization to perform this transaction is checked by the authorization object S_TCODE, and explicitly in the underlying report. This ensures that, even if the report is run via transaction SA38, only authorized experts can execute it. In addition, the authorization object CMM_VLOGP is checked with activity 06 (Delete). This enables the authorized user to delete records from the versioned logistics pricing data persistency (table CMM_VLOGP).
Note: The transaction checks whether the entered customer is used as Sold-to-Party and/or Ship-to-Party. Records are deleted and masked accordingly.
This transaction must be performed to mask or delete records as soon as a certain customer or vendor is blocked.
Relevant Application Objects and Available EoP/WUC Functionality
Table 218:
Application | Implemented Solution (EoP or WUC) | Further Information
n/a | n/a | n/a
13.6.5.2 Information Report
Use
Commodity Procurement and Commodity Sales provide information about stored personal data in the versioned persistency of logistics pricing data (VLOGP).
Versioned Persistency of Logistics Pricing Data
To display information about stored personal data in the versioned persistency of logistics pricing data (VLOGP) of Commodity Procurement and Commodity Sales, run transaction CMM_DEL_DOC_VERSIONS.
The authorization to perform this transaction is checked by the authorization object S_TCODE, and in the underlying report. This ensures that, even if the report is launched by transaction SA38, only authorized experts can execute it.
In the case of blocked customers, vendors, or business partners, the authorization object B_BUP_PCPT (activity 03) is additionally checked.
Table 219:
Table / Business Object | Archiving Object | Personal Data
CMM_VLOGP | n/a | LIFNR, KUNNR, KUNWE
13.7 Service
13.7.1 Warranty Management
13.7.1.1 Authorizations
Warranty (LO-WTY) uses the authorization concept provided by the SAP NetWeaver AS for ABAP. Therefore, the
recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP
also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 220:
Authorization Object | Description
C_WTY_ACT | Warranty: Actions Authorization Object
C_WTY_OBJ | Warranty: Process Object Authorization Object
C_WTY_STAT | Warranty: Status Authorization Object
13.7.1.2 Deletion of Personal Data
Use
Warranty (LO-WTY) might process data (personal data) that is subject to the data protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance → Cross Components → Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 221:
Application | Provided Deletion Functionality
Warranty (LO-WTY) | Archiving Object WTY_CLAIM; ILM Object WTY_CLAIM
Relevant Application Objects and Available EoP/WUC functionality
Table 222:
Application | Implemented Solution (EoP or WUC) | Further Information
Warranty (LO-WTY) | EoP check | Checks tables: PNWTYH, PNWTYV
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for Cross-Application Components → Data Protection.
13.8 Sourcing and Procurement
13.8.1 Authorizations
Front-End Roles
To use the Fiori Launchpad in SAP S/4HANA, you have to apply the SAP S/4HANA role concept based on business catalogs that are assigned to business roles. For the front end, the following standard business roles are available for Sourcing and Procurement. You can use these roles as templates for your own roles. For more information, see the SAP S/4HANA UI Technology Guide on the SAP Help Portal under http://help.sap.com/s4hana_op_1709 → Product Documentation.
Table 223: Business Roles
Role | Description
SAP_BR_AP_ACCOUNTANT_PROCUREMT | Accounts Payable Accountant - Procurement
SAP_BR_BUYER | Strategic Buyer
SAP_BR_EMPLOYEE_PROCUREMENT | Employee - Procurement
SAP_BR_PURCHASER | Purchaser
SAP_BR_PURCHASING_MANAGER | Purchasing Manager
Back-End Roles
In the back end, you have to create roles in transaction PFCG and assign business catalogs to the roles. For more information, see the SAP S/4HANA UI Technology Guide on the SAP Help Portal under http://help.sap.com/s4hana_op_1709 → Product Documentation.
If you have converted your system from SAP ERP to SAP S/4HANA, you may still be accessing transactions via
the SAP Easy Access menu. To support this case, the standard role templates for back-end roles are still available
and are listed below:
Table 224: Back-End Roles (Relevant for System Converted from SAP ERP)
Role | Description
SAP_MM_PUR_ADDITIONAL_FUNC | Non-Assigned Purchasing Functions
SAP_MM_PUR_ARCHIVE | Archive Purchasing Documents
SAP_MM_PUR_ARCHIVE_LISTS | Analyses Using the Purchasing Archive
SAP_MM_PUR_CONDITIONS | Conditions in Purchasing - Overview
SAP_MM_PUR_CONDITIONS_DISCOUNT | Discounts in Purchasing
SAP_MM_PUR_CONDITIONS_PRICES | Prices in Purchasing
SAP_MM_PUR_CONFIRMATION | Confirmations
SAP_MM_PUR_CONTRACT_LISTS | Lists for Outline Agreements
SAP_MM_PUR_CONTRACT_MESSAGE | Output Outline Agreements
SAP_MM_PUR_CONTRACT_MESSAGE_MT | General Message Maintenance for Outline Agreements
SAP_MM_PUR_CONTRACT_RELEASE | Release Outline Agreements
SAP_MM_PUR_CONTRACTING | Process Contracts
SAP_MM_PUR_DISPLAY_OBJECTS | General Display Functions in Purchasing
SAP_MM_PUR_GENERAL | General Functions in Purchasing
SAP_MM_PUR_INFORECORD | Maintain Purchasing Info Record
SAP_MM_PUR_INFORECORD_LISTS | Lists of Purchasing Info Records
SAP_MM_PUR_LIS_GENERAL | General Analyses for LIS
SAP_MM_PUR_LIS_SERVICE | LIS Analyses for Services
SAP_MM_PUR_LIS_STOCK_MATERIAL | LIS Analyses for Stock Material
SAP_MM_PUR_LIS_VE | LIS Analyses for Vendor Evaluation
SAP_MM_PUR_LISTS_GENERAL | General Analyses in Purchasing
SAP_MM_PUR_MASS_CHANGE | Mass Maintenance in Purchasing
SAP_MM_PUR_MESSAGE | Output Purchasing Documents
SAP_MM_PUR_MESSAGE_MAINTENANCE | General Message Maintenance in Purchasing
SAP_MM_PUR_MPN_AMPL | Approved Manufacturer Parts
SAP_MM_PUR_MPN_AMPL_ARCHIVE | Archive Approved Manufacturer Parts List
SAP_MM_PUR_NEGOTIATION_LISTS | Lists for Purchasing Negotiations
SAP_MM_PUR_PO_RELEASE | Release Purchase Orders
SAP_MM_PUR_PR_LISTS | Lists of Purchase Requisitions
SAP_MM_PUR_PR_RELEASE | Release Purchase Requisitions
SAP_MM_PUR_PURCHASEORDER | Process Purchase Orders
SAP_MM_PUR_PURCHASEORDER_LISTS | Lists of Purchase Orders
SAP_MM_PUR_PURCHASEREQUISITION | Process Purchase Requisitions
SAP_MM_PUR_QUOTA_ARRANGEMENT | Maintain Quota Arrangement
SAP_MM_PUR_QUOTA_MAINTENANCE | Revise Quota Arrangement
SAP_MM_PUR_QUOTATION | Maintain Quotation
SAP_MM_PUR_RFQ | Process Request for Quotation
SAP_MM_PUR_RFQ_LISTS | Lists of Requests for Quotations
SAP_MM_PUR_SCHEDULE | Maintain Scheduling Agreement Delivery Schedules and Releases
SAP_MM_PUR_SCHEDULE_MAINTENANC | Administer Scheduling Agreements
SAP_MM_PUR_SCHEDULEAGREEMENT | Process Scheduling Agreements
SAP_MM_PUR_SERVICE | Service Entry Sheet
SAP_MM_PUR_SERVICE_CONDITIONS | Service Conditions for Service
SAP_MM_PUR_SERVICE_LISTS | Lists of Service Entry Sheets
SAP_MM_PUR_SERVICE_TRANSFER | Data Transfer for Services
SAP_MM_PUR_SOURCE_LIST | Maintain Source List
SAP_MM_PUR_SRV_CONDITIONS_GEN | Service Conditions for Services (General)
SAP_MM_PUR_SRV_MODEL_SPEC | Maintain Model Service Specifications
SAP_MM_PUR_SRV_STANDARD_SPEC | Maintain Standard Service Specifications
SAP_MM_PUR_SRV_VENDOR_COND | Service Conditions for Vendor
SAP_MM_PUR_SRV_VENDOR_PLANT_CO | Service Conditions for Vendor and Plant
SAP_MM_PUR_SUPPLIER_LOGISTICS | Logistics information for the vendor on the Internet
SAP_MM_PUR_TAXES | Taxes in Purchasing
SAP_MM_PUR_VE | Maintain Vendor Evaluation
SAP_MM_PUR_VE_LISTS | Lists of Vendor Evaluations
SAP_MM_PUR_VE_MAINTENANCE | Vendor Evaluation in the Background
SAP_MM_PUR_VENDOR_PRICE | Change Prices for Vendor
SAP_AUDITOR_BA_MM_PUR | This transaction role allows evaluations to be collected, structured, and configured for the audit area: Business Audit - Process View; Purchasing: From Purchase Order to Outgoing Payment; Purchasing
SAP_AUDITOR_BA_MM_PUR_A | This role provides read access for the audit area: Business Audit - Process View; Purchasing: From Purchase Order to Outgoing Payment; Purchasing
SAP_MM_IV_CLERK_BATCH1 | Enter Invoices for Verification in the Background
SAP_MM_IV_CLERK_BATCH2 | Manual Processing of Invoices Verified in the Background
SAP_MM_IV_CLERK_GRIR_MAINTAIN | GR/IR Clearing Account Maintenance
SAP_MM_IV_CLERK_GRIR_MAITAIN | GR/IR Clearing Account Maintenance
SAP_MM_IV_CLERK_ONLINE | Online Invoice Verification
SAP_MM_IV_CLERK_PARK | Park Invoices
SAP_MM_IV_CLERK_RELEASE | Invoice Release
SAP_MM_IV_SUPPLIER_FINANCE | Settlement Information for Vendor (External Supplier) on the Internet
SAP_MM_IV_CLERK_AUTO | Automatic Settlements
SAP_AUDITOR_BA_MM_IV | This transaction role allows evaluations to be collected, structured, and configured for the audit area: Business Audit - Individual Account Closing; Profit and Loss Statement; Material Expense
SAP_AUDITOR_BA_MM_IV_A | This authorization role provides read access for the audit area: Business Audit - Individual Account Closing; Profit and Loss Statement; Material Expense
Standard Authorization Objects
The table below shows the security-relevant authorization objects that you can use in SAP S/4HANA when you create back-end roles. These objects are also used in the standard back-end roles listed above.
Table 225:
Authorization Object | Description
M_AMPL_ALL | Approved Manufacturer Parts List
M_AMPL_WRK | Approved Manufacturer Parts List - Plant
M_ANFR_BSA | Document Type in RFQ
M_ANFR_EKG | Purchasing Group in RFQ
M_ANFR_EKO | Purchasing Organization in RFQ
M_ANFR_WRK | Plant in RFQ
M_ANFR_LGO | Storage Locations in RFQ
M_ANGB_BSA | Document Type in Quotation
M_ANGB_EKG | Purchasing Group in Quotation
M_ANGB_EKO | Purchasing Organization in Quotation
M_ANGB_WRK | Plant in Quotation
M_ANGB_LGO | Storage Locations in Quotation
M_BANF_BSA | Document Type in Purchase Requisition
M_BANF_EKG | Purchasing Group in Purchase Requisition
M_BANF_EKO | Purchasing Organization in Purchase Requisition
M_BANF_FRG | Release Code in Purchase Requisition
M_BANF_WRK | Plant in Purchase Requisition
M_BANF_LGO | Storage Location in Purchase Requisition
M_BEST_BSA | Document Type in Order
M_BEST_EKG | Purchasing Group in Purchase Order
M_BEST_EKO | Purchasing Organization in Purchase Order
M_BEST_WRK | Plant in Purchase Order
M_BEST_LGO | Storage Location in Purchase Order
M_EINF_EKG | Purchasing Group in Purchasing Info Record
M_EINF_EKO | Purchasing Organization in Purchasing Info Record
M_EINF_WRK | Plant in Purchasing Info Record
M_EINK_FRG | Release Code and Group (Purchasing)
M_LFM1_EKO | Purchasing Organization in Vendor Master Record
M_LIBE_EKO | Vendor Evaluation
M_LPET_BSA | Document Type in Scheduling Agreement Delivery Schedule
M_LPET_EKG | Purchasing Group in Scheduling Agreement Delivery Schedule
M_LPET_EKO | Purchasing Org. in Scheduling Agreement Delivery Schedule
M_LPET_WRK | Plant in Scheduling Agreement Delivery Schedule
M_LPET_LGO | Storage Location in Scheduling Agreement Delivery Schedule
M_ORDR_EKO | Purchasing Organization in Source List
M_ORDR_WRK | Plant in Source List
M_QUOT_EKO | Purchasing Organization (Quotas)
M_QUOT_WRK | Plant (Quotas)
M_RAHM_BSA | Document Type in Outline Agreement
M_RAHM_EKG | Purchasing Group in Outline Agreement
M_RAHM_EKO | Purchasing Organization in Outline Agreement
M_RAHM_WRK | Plant in Outline Agreement
M_RAHM_LGO | Storage Location in Outline Agreement
M_RAHM_STA | Status in Contract
M_SRV_LS | Authorization for Maintenance of Service Master
M_SRV_LV | Authorization for Maintenance of Model Serv. Specifications
M_SRV_ST | Authorization for Maintenance of Standard Service Catalog
S_ME_SYNC | Mobile Engine: Synchronization of Offline Applications
V_KONH_EKO | Purchasing Organization in Master Condition
M_TEMPLATE | Create/Change/Delete Public Templates
M_POIVVEND | Read Invoices of a Vendor
CMM_MEV_WL | CMM: Worklist
CMM_MEV_AD | CMM: Accrual Document
M_RECH_BUK | Invoices: Company Code
M_RECH_CPY | Copy Invoice: Company Code
M_RECH_WRK | Invoices: Plant
M_RECH_AKZ | Invoices: Accept Invoice Verification Differences Manually
M_RECH_EKG | Invoice Release: Purchasing Group
M_RECH_SPG | Invoices: Blocking Reasons
M_RECH_UPL | Invoice: Upload
F_BKPF_BUK | Accounting Document
13.8.2 Data Storage Security
Using Logical Path and File Names to Protect Access to the File System
Materials Management saves data in files in the file system. Therefore, it is important to explicitly provide access
to the corresponding files in the file system without allowing access to other directories or files (also known as
directory traversal). This is achieved by specifying logical paths and file names in the system that map to the
physical paths and file names. This mapping is validated at runtime and if access is requested to a directory that
does not match a stored mapping, then an error occurs.
The following lists show the logical file names and paths used by Materials Management and for which programs
these file names and paths apply:
Logical File Names Used
The following logical file names have been created in order to enable the validation of physical file names:
● MM_PURCHASING_INFORECORDS_NEW
○ Programs using this logical file name and parameters used in this context:
○ RM06IBIS
○ RM06IBIE
● MM_PURCHASING_REQUISITIONS_NEW
○ Programs using this logical file name:
○ RM06BBIS
○ RM06BBIE
● SAP_SOURCING_CUSTOMIZING_DOWNLOAD_FILE
○ Programs using this logical file name:
○ BBP_ES_CUST_DOWNLOAD
Logical Path Names Used
The logical file names MM_PURCHASING_INFORECORDS_NEW and MM_PURCHASING_REQUISITIONS_NEW
use the logical file path MM_PUR_ROOT. The logical file name
SAP_SOURCING_CUSTOMIZING_DOWNLOAD_FILE uses the logical file path
SAP_SOURCING_CUSTOMIZING_DOWNLOAD.
Activating the Validation of Logical Path and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To add the aliases
for the view V_FILEALIA, use transaction SM31.
For more information about data storage security, see the respective chapter in the SAP NetWeaver Security Guide.
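The mapping and runtime check described above (logical file name → logical path → physical path, with validation that is off by default and rejects names that leave the mapped directory once activated), modelled in Python as an added example; this is not SAP's own code, and the physical directories and requested file names are constructed sample values while the logical names are the ones listed in this section.

```python
"""Model of logical path / file name validation (added illustration, not SAP code).

SAP derives a physical file name from a logical file name via a logical path
(maintained in transactions FILE and SF01) and, when validation is active,
rejects names that leave the mapped directory. This stand-alone model uses pure
path arithmetic so it runs offline. Logical names are the ones from the guide;
physical directories and requested names are constructed sample values.
"""
import posixpath

# Logical path -> physical directory (constructed; maintained in FILE/SF01 in a real system).
LOGICAL_PATHS = {
    "MM_PUR_ROOT": "/usr/sap/trans/data/mm_pur/",
    "SAP_SOURCING_CUSTOMIZING_DOWNLOAD": "/usr/sap/trans/data/sourcing/",
}

# Logical file name -> logical path, as described in the guide.
LOGICAL_FILES = {
    "MM_PURCHASING_INFORECORDS_NEW": "MM_PUR_ROOT",
    "MM_PURCHASING_REQUISITIONS_NEW": "MM_PUR_ROOT",
    "SAP_SOURCING_CUSTOMIZING_DOWNLOAD_FILE": "SAP_SOURCING_CUSTOMIZING_DOWNLOAD",
}


class FileNameValidationError(Exception):
    """The requested name does not resolve below the directory mapped to its logical path."""


def physical_name(logical_file: str, file_name: str, validate: bool = False) -> str:
    """Derive the physical path for a logical file name.

    validate=False mirrors the downward-compatible default the guide describes:
    the name is only concatenated, so '..' segments in file_name silently leave
    the mapped directory. validate=True is the activated check: the
    canonicalised result must be a proper child of the mapped directory.
    """
    base_dir = posixpath.normpath(LOGICAL_PATHS[LOGICAL_FILES[logical_file]])
    candidate = posixpath.normpath(posixpath.join(base_dir, file_name))
    if validate:
        # commonpath() defeats both '..' traversal and lookalike prefixes such as
        # /usr/sap/trans/data/mm_pur_evil; the equality test rejects '' and '.'.
        if candidate == base_dir or posixpath.commonpath([base_dir, candidate]) != base_dir:
            raise FileNameValidationError(
                f"{file_name!r} does not resolve below {base_dir} for {logical_file}"
            )
    return candidate


def check_names(logical_file: str, names, validate: bool) -> dict:
    """Resolve a batch of requested names; rejected names map to 'REJECTED'."""
    result = {}
    for name in names:
        try:
            result[name] = physical_name(logical_file, name, validate)
        except FileNameValidationError:
            result[name] = "REJECTED"
    return result


# Constructed requests: one legitimate name, one traversal attempt, one lookalike prefix.
SAMPLE_NAMES = ["inforec_2017.txt", "../../../../../etc/passwd", "../mm_pur_evil/x.txt"]

if __name__ == "__main__":
    for active in (False, True):
        print(f"validation active={active}:")
        resolved = check_names("MM_PURCHASING_INFORECORDS_NEW", SAMPLE_NAMES, active)
        for name, path in resolved.items():
            print(f"  {name!r:32} -> {path}")
```

Running the block with validation off shows the traversal name resolving outside MM_PUR_ROOT, which is why the guide asks you to activate the validation via FILE and SF01 rather than relying on the default.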
Using Data Storage Security
Check whether the conditions are classified as sensitive data. You can protect conditions with the following
authorization objects:
Table 226:
Authorization Object | Description
V_KONH_EKO | Purchasing Organization in Master Condition
V_KONH_VKS | Condition: Authorization for Condition Types
Prices are also potentially sensitive data. You can protect the display authorization for prices with the value 09 of the authorization field ACTVT (Activity) of the purchasing document-specific authorization objects listed below:
Table 227:
Authorization Object | Description
M_ANFR_BSA | Document Type in RFQ
M_ANFR_EKG | Purchasing Group in RFQ
M_ANFR_EKO | Purchasing Organization in RFQ
M_ANGB_BSA | Document Type in Quotation
M_ANGB_EKG | Purchasing Group in Quotation
M_ANGB_EKO | Purchasing Organization in Quotation
M_BEST_BSA | Document Type in Order
M_BEST_EKG | Purchasing Group in Purchase Order
M_BEST_EKO | Purchasing Organization in Purchase Order
M_BEST_WRK | Plant in Purchase Order
M_BEST_LGO | Storage Location in Purchase Order
M_LPET_BSA | Document Type in Scheduling Agreement Delivery Schedule
M_LPET_EKG | Purchasing Group in Scheduling Agreement Delivery Schedule
M_LPET_EKO | Purchasing Org. in Scheduling Agreement Delivery Schedule
M_RAHM_BSA | Document Type in Outline Agreement
M_RAHM_EKG | Purchasing Group in Outline Agreement
M_RAHM_EKO | Purchasing Organization in Outline Agreement
M_RAHM_WRK | Plant in Outline Agreement
M_RAHM_LGO | Storage Location in Outline Agreement
13.8.3 Other Security-Relevant Information
Open Catalog Interface
Use
The Open Catalog Interface (OCI) incorporates external product catalogs into SAP S/4HANA applications using the Hypertext Transfer Protocol (HTTP). This way, the data required to create purchasing document items in SAP S/4HANA can be transferred directly from the external catalog to the SAP S/4HANA application.
Reason and Prerequisites
SAP S/4HANA and the catalog communicate via HTTP/HTTPS URL parameters. An end user can identify these parameters and also change them using specialized tools. Security therefore depends heavily on whether the catalog system resides in front of or behind the firewall.
Solution
SAP recommends the following to customers who wish to integrate SAP S/4HANA and catalogs using the Open Catalog Interface (OCI):
● Double-check the values transferred from the catalog into the SAP S/4HANA application manually. Check whether the values are the same as those in the catalog.
● In addition, authority checks take place on the SAP S/4HANA side: the application checks whether the user is allowed to change the data that is transferred from the catalog. Example: if a price is transferred from the catalog into the purchasing document, the system checks whether the user has the authority to change the price in the purchasing document in general.
● To prevent end users from sniffing the catalog login data (user names, passwords), avoid specifying the login information in the OCI catalog configuration in Customizing. Instead, configure the catalog to accept individual user authentication information from the end user. This can be done in the form of SSO (Single Sign-On) tools, digital certificates, or individual login information (user name/password). These features depend on whether the catalog provider supports them for logon.
You define the settings for the OCI in Customizing for Materials Management under Purchasing → Environment Data → Web Services: ID and Description.
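The two server-side checks recommended above, reconciling the transferred values against the catalog's own data and checking the user's authority before a transferred price is accepted, modelled in Python as an added example (not SAP's code). The field naming NEW_ITEM-<FIELD>[n], the catalog reference data, and the CHANGE_PRICE authorization model are assumptions made for the example.

```python
"""Server-side handling of Open Catalog Interface (OCI) return parameters.

Added illustration, not SAP's own code. OCI hands items back to the purchasing
application as HTTP parameters that the end user's browser controls, so every
value is untrusted input. This model applies the two checks the guide calls for:
reconcile transferred values against the catalog, and accept a deviating price
only from a user who is authorized to change prices. Field names follow the
assumed convention NEW_ITEM-<FIELD>[n]; catalog data and authorizations are
constructed samples.
"""
import re
from dataclasses import dataclass
from decimal import Decimal
from urllib.parse import parse_qsl

FIELD_RE = re.compile(r"^NEW_ITEM-([A-Z_]+)\[(\d+)\]$")


@dataclass
class CatalogItem:
    vendormat: str
    description: str
    quantity: Decimal
    price: Decimal
    currency: str


def parse_oci(body: str) -> list[CatalogItem]:
    """Group NEW_ITEM-*[n] parameters by index n into CatalogItem objects."""
    rows: dict[int, dict[str, str]] = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = FIELD_RE.match(key)
        if not m:
            continue  # unknown or malformed parameter: ignored, never trusted
        field, idx = m.group(1), int(m.group(2))
        rows.setdefault(idx, {})[field] = value
    items = []
    for idx in sorted(rows):
        r = rows[idx]
        items.append(CatalogItem(
            vendormat=r.get("VENDORMAT", ""),
            description=r.get("DESCRIPTION", ""),
            quantity=Decimal(r.get("QUANTITY", "0")),
            price=Decimal(r.get("PRICE", "0")),
            currency=r.get("CURRENCY", ""),
        ))
    return items


# Hypothetical authority model: granted actions per user. In the real system this
# is an authorization-object check on the purchasing document, not a dictionary.
AUTHS = {
    "BUYER01": {"CHANGE_PRICE"},
    "REQ02": set(),
}

# Constructed catalog reference data, keyed by vendor material number.
CATALOG = {
    "VM-1001": (Decimal("12.50"), "EUR"),
    "VM-2002": (Decimal("99.00"), "EUR"),
}


def accept_items(user: str, body: str) -> list[dict]:
    """Return one verdict per transferred item.

    accepted: price and currency match the catalog, or the user may change prices
    rejected: the item is unknown to the catalog, or the price deviates and the
              user lacks CHANGE_PRICE
    """
    verdicts = []
    may_change_price = "CHANGE_PRICE" in AUTHS.get(user, set())
    for it in parse_oci(body):
        ref = CATALOG.get(it.vendormat)
        if ref is None:
            verdicts.append({"item": it.vendormat, "status": "rejected", "reason": "unknown item"})
        elif (it.price, it.currency) == ref:
            verdicts.append({"item": it.vendormat, "status": "accepted", "reason": "matches catalog"})
        elif may_change_price:
            verdicts.append({"item": it.vendormat, "status": "accepted",
                             "reason": "price changed by authorized user"})
        else:
            verdicts.append({"item": it.vendormat, "status": "rejected",
                             "reason": "price differs, no authority to change price"})
    return verdicts


# Constructed OCI return body: the second item carries a price that differs from the catalog.
SAMPLE_BODY = (
    "NEW_ITEM-DESCRIPTION[1]=Safety+gloves&NEW_ITEM-VENDORMAT[1]=VM-1001"
    "&NEW_ITEM-QUANTITY[1]=10&NEW_ITEM-PRICE[1]=12.50&NEW_ITEM-CURRENCY[1]=EUR"
    "&NEW_ITEM-DESCRIPTION[2]=Helmet&NEW_ITEM-VENDORMAT[2]=VM-2002"
    "&NEW_ITEM-QUANTITY[2]=1&NEW_ITEM-PRICE[2]=1.00&NEW_ITEM-CURRENCY[2]=EUR"
)

if __name__ == "__main__":
    for user in ("REQ02", "BUYER01"):
        print(user, accept_items(user, SAMPLE_BODY))
```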
Security-Relevant Logging and Tracing
Use
Purchasing uses change documents to track changes made to purchasing documents. This includes changes to
security-sensitive data such as prices. The following authorization objects specific to purchasing documents allow
the restriction of the visibility of those change documents using the value 08 of the authorization field ACTVT
(Activity):
Table 228:
Authorization Object | Description
M_ANFR_BSA | Document Type in RFQ
M_ANFR_EKG | Purchasing Group in RFQ
M_ANFR_EKO | Purchasing Organization in RFQ
M_ANFR_WRK | Plant in RFQ
M_ANFR_LGO | Storage Locations in RFQ
M_ANGB_BSA | Document Type in Quotation
M_ANGB_EKG | Purchasing Group in Quotation
M_ANGB_EKO | Purchasing Organization in Quotation
M_BANF_BSA | Document Type in Purchase Requisition
M_BANF_EKG | Purchasing Group in Purchase Requisition
M_BANF_EKO | Purchasing Organization in Purchase Requisition
M_BANF_FRG | Release Code in Purchase Requisition
M_BANF_WRK | Plant in Purchase Requisition
M_BANF_LGO | Storage Location in Purchase Requisition
M_BEST_BSA | Document Type in Order
M_BEST_EKG | Purchasing Group in Purchase Order
M_BEST_EKO | Purchasing Organization in Purchase Order
M_BEST_WRK | Plant in Purchase Order
M_BEST_LGO | Storage Location in Purchase Order
M_EINF_EKG | Purchasing Group in Purchasing Info Record
M_EINF_EKO | Purchasing Organization in Purchasing Info Record
M_EINF_WRK | Plant in Purchasing Info Record
M_LFM1_EKO | Purchasing Organization in Vendor Master Record
M_LPET_BSA | Document Type in Scheduling Agreement Delivery Schedule
M_LPET_EKG | Purchasing Group in Scheduling Agreement Delivery Schedule
M_LPET_EKO | Purchasing Org. in Scheduling Agreement Delivery Schedule
M_ORDR_EKO | Purchasing Organization in Source List
M_ORDR_WRK | Plant in Source List
M_QUOT_EKO | Purchasing Organization (Quotas)
M_QUOT_WRK | Plant (Quotas)
M_RAHM_BSA | Document Type in Outline Agreement
M_RAHM_EKG | Purchasing Group in Outline Agreement
M_RAHM_EKO | Purchasing Organization in Outline Agreement
M_RAHM_WRK | Plant in Outline Agreement
M_RAHM_LGO | Storage Location in Outline Agreement
M_RAHM_STA | Status in Contract
13.8.4 Deletion of Personal Data
Use
Purchasing (MM-PUR), Invoice Verification (MM-IV), and Supplier and Category Management might process data (personal data) that is subject to the data protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data.
Business partner master data can be blocked as soon as business activities that use this data are completed and the residence period for the data has elapsed; after this time, only users with additional authorizations can access this data. In Sourcing and Procurement, different app types have different ways of allowing authorized users (who must have the role BR_EXTERNAL_AUDITOR) to display the blocked suppliers. For the business documents listed below, users with this role can choose between the listed options:
Table 229: Blocked Documents and Display Options
Business Document:
● Purchase requisition
● Purchase order
● Purchase contract
● Scheduling agreement
● Shopping cart
● Purchasing info record
Display Options for Blocked Documents:
● Using the "Advanced" or "Professional" versions of the Fiori apps, if available
● Accessing the corresponding transactions in the SAP Fiori Launchpad via the Me area → App Finder → SAP Menu
● Using the corresponding SAP GUI transactions in the back-end system
If users with the BR_EXTERNAL_AUDITOR role want to display blocked suppliers in the Manage Quota
Arrangements app or in the Manage Supplier Invoices app, they can do so directly in the Fiori app.
In apps of Supplier and Category Management, all entries related to blocked suppliers are displayed as Blocked Supplier, and all supplier-related links are disabled. Evaluation scorecards for the blocked suppliers are not displayed in the scorecards list in the Display Scorecards app. The standard Web Dynpro apps can be used to display the blocked data. For more information, see the section Supplier and Category Management → Deletion of Personal Data.
When the retention period for data expires, personal data of the business partner can be destroyed completely so that it can no longer be retrieved. Retention periods must be defined in the customer system.
For more information about blocking of data, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance → Cross Components → Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 230:
Application Object | Detailed Description | Provided Deletion Functionality
Purchase Requisitions | Archiving Purchase Requisitions (MM-PUR) | Archiving object MM_EBAN
Purchasing Documents | Archiving Purchasing Documents (MM-PUR) | Archiving object MM_EKKO
Purchasing Info Records | Archiving Purchasing Info Records (MM-PUR) | Archiving object MM_EINA
Invoice Documents | Archiving Invoice Documents (MM-IV) | Archiving object MM_REBEL
For documentation about application objects and deletion functionality, see the product assistance for SAP S/
4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance
Enterprise Business Applications Sourcing and Procurement Materials Management (MM) Data Archiving
in Materials Management (MM) .
Prerequisite: End of Purpose Check
Before objects can be archived, an end of purpose check must be performed. For more information, see the
product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under
Product Assistance → Enterprise Business Applications → Sourcing and Procurement → Materials Management
(MM) → Data Blocking → End of Purpose (EoP) Check for Business Partners in MM-PUR, MM-IM, and MM-IV.
Table 231:
Application | Implemented Solution (EoP or WUC) | Further Information
Materials Management (MM) | End of purpose check (EoP) | For more information about the end of purpose check, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance → Enterprise Business Applications → Sourcing and Procurement → Materials Management (MM) → Data Blocking → End of Purpose (EoP) Check for Business Partners in MM-PUR, MM-IM, and MM-IV.
Configuration of Simplified Blocking and Deletion
To use SAP Information Lifecycle Management (ILM) to simplify the deletion of application-specific personal data,
you have to do the following:
● Activate the following business functions:
○ ILM-Based Deletion of Business Partner Data (BUPA_ILM_BF)
○ ILM-Based Deletion of Customer and Supplier Master Data (ERP_CVP_ILM_1)
○ Information Lifecycle Management (ILM)
● Perform the necessary customizing settings related to SAP Information Lifecycle Management (ILM) in
Customizing for SAP NetWeaver → Application Server → Basis Services → Information Lifecycle Management.
● Perform the necessary customizing settings related to the blocking and deletion of business partner master
data in Customizing for Cross-Application Components → Data Protection.
● Run transaction ILMARA and maintain and activate the required audit areas for the ILM objects of the
application.
● Run transaction IRMPOL and maintain the required retention policies for the ILM objects of the application.
● Configure the settings related to the blocking and deletion of customer and supplier master data in
Customizing under Logistics - General → Business Partner → Deletion of Customer and Supplier Master Data.
See Also
For general information about the deletion of personal data, see the following chapters in the product assistance
for SAP S/4HANA that is available on the SAP Help Portal at http://help.sap.com/s4hana under
Product Assistance → Cross Components:
● SAP Information Lifecycle Management
● Data Protection → Deletion of Business Partner Customer and Supplier Master Data
● Data Protection → Configuring Data Protection Features → Activating Business Functions
13.8.5 Specific Read Access Log Configurations
In Read Access Logging (RAL), you can configure which read-access information to log and under which
conditions.
SAP delivers sample configurations for applications.
Invoice Verification (MM-IV) logs data in order to track who has accessed the bank details in supplier invoices. You
can find the configurations as described in the Read Access Logging [page 29] chapter.
Fields are logged in the following configurations:
Table 232:
Channel | Configuration | Fields Logged
Dynpro | Recording: MM_IV/DPP_BANK | IBAN, SWIFT, BANKN, BANKA
SAP Gateway | Service ID: MM_SUPPLIER_INVOICE_MANAGE | IBAN, SWIFT, BANKN, BANKA
RFC | Function modules: BAPI_INCOMINGINVOICE_CHANGE, BAPI_INCOMINGINVOICE_CREATE, BAPI_INCOMINGINVOICE_CREATE1, BAPI_INCOMINGINVOICE_PARK, BAPI_INCOMINGINVOICE_SAVE, MRM_XMLBAPI_INCINV_CREATE | ADDRESSDATA-BANK_ACCT, ADDRESSDATA-BANK_CTRY, ADDRESSDATA-BANK_NO
RFC | Function modules: BAPI_INCOMINGINVOICE_GETDETAIL, MRM_XMLBAPI_INCINV_GETDETAIL | ADDRESSDATA-BANK_ACCT, ADDRESSDATA-BANK_CTRY, ADDRESSDATA-BANK_NO
RFC | Function module: MRM_INVOICE_GETLIST | DOC_HEADER_LIST[]-BANKL, DOC_HEADER_LIST[]-BANKN, DOC_HEADER_LIST[]-BANKS
Web Service | Interface name: SupplierInvoiceERPByIDQueryResponse_In | SupplierInvoice/BillFromParty/BankAccountID, SupplierInvoice/BillFromParty/BankAccountStandardID, SupplierInvoice/BillFromParty/BankInternalID, SupplierInvoice/BillFromParty/BankName
Read access logging can be switched on for the following apps of MM-IV:
● Enter Invoice (MIRO)
● Park Invoice (MIR7)
● Display Invoice Document (MIR4)
● Enter Invoice for Invoice Verification in Background (MIRA)
Read access logging can be switched on for the following SAP Fiori apps of MM-IV:
● Manage Supplier Invoices
● Create Supplier Invoice (Advanced)
13.8.6 Ariba Network Integration
If you want to use integration scenarios with the Ariba Network, see chapter “Business Network Integration” at
the end of this guide.
13.8.7 Supplier and Category Management
13.8.7.1 Authorizations
Supplier Information and Master Data uses the authorization concept provided by the SAP NetWeaver AS for
ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
The table below shows the standard roles that are used.
Table 233:
Role | Description
/SRMSMC/CATEGORY_MANAGER | Category Manager
/SRMSMC/DNB_REQUESTOR | Role for Requesting Reports from D&B
/SRMSMC/EVALUATION_APPRAISER | Appraiser
/SRMSMC/ACTIVITY_MANAGER | Activity Manager
/SRMSMC/ACTIVITY_PARTICIPANT | Participant in Activity
/SRMSMC/QUESTIONNAIRE_MANAGER | Questionnaire Manager
/SRMSMC/TRANSLATOR | Translator
/SRMSMC/DISPLAY_ALL | Display Role for All Objects in Supplier and Category Management
/SRMSMC/REPORT_EXEC_ADMIN | Technical Role with Authorization to Start Reports in Supplier and Category Management
/SRMSMC/BG_SUP_EVAL_BUYSIDE | RFC Background Processing in Supplier Evaluation
We recommend that you do not assign the Appraiser and the Category Manager role to the same person. Under
exceptional circumstances, such as Category Managers filling out questionnaires for other colleagues, you can
grant both roles to the same person.
Note
Note that each user has to be assigned to a business partner of type Employee (I_EMPLOYEE) to have access to
Supplier and Category Management apps. You create the business partner role in the transaction Maintain HR
Master Data and assign it to a user in the transaction User Maintenance.
Authorization Objects Specific to Supplier Information and Master Data
The table below shows the security-relevant authorization objects that are specific to Supplier Information and
Master Data:
Table 234:
Authorization Object | Field | Value | Description
/SRMSMC/DB | ACTVT | Reload | Enables users to initiate a download of up-to-date data from D&B. Since downloading data from D&B is subject to charges, you should assign this role only to employees who are aware of this implication. The authorization object is used in the /SRMSMC/DNB_REQUESTOR role.
/SRMSMC/BO | /BOFU/BO | /SRMSMC/BO_QNR (Questionnaire), /SRMSMC/BO_SEP (Supplier Evaluation Profile), /SRMSMC/BO_SES (Supplier Evaluation Scorecard), /SRMSMC/BO_SEV (Supplier Evaluation), /SRMSMC/BO_SRS (Supplier Evaluation Response), /SRMSMC/MO_PUC (Purchasing Category), /SRMSMC/MO_QLIB (Question Library), /SRMSMC/BO_ACT (Activity), /SRMSMC/BO_TSK (Task), /SRMSMC/MO_BUPA | Enables users to interact with an instance of a business object of Supplier Information and Master Data in a specific way. As the type of business object that the user can access, you can specify the values listed.
/SRMSMC/AM | ACT_TYP | Customizing, activity type | This authorization object is used to define authorization settings for accessing activities in SAP Supplier and Category Management.
Personalization Object “SLC: PFCG Role Attributes”
The personalization object SLC: PFCG Role Attributes (/SRMSMC/PFCG_ROLE_ATTRIBUTES) offers the following
checkboxes:
● Appraiser Role
● Category Manager Role
● Questionnaire Manager Role
● Activity Manager Role
● Activity Participant Role
Setting one of the above checkboxes in a role has the following effects on users to whom the role has been
assigned:
● The users can perform the activities intended for this role. Note that, in addition to the checkbox in the
personalization object, performing these activities also depends on the authorization objects assigned to the
role.
● Only users for whom the personalization object checkbox is selected are considered during a search, for
example for an appraiser or for a purchaser responsible.
Example:
For a user to be found in a search for a purchaser responsible, the Category Manager Role, the
Questionnaire Manager Role, or the Activity Manager Role checkbox is required, depending on the
process where the search is performed.
13.8.7.2 Internet Communication Framework Security (ICF)
You should only activate those services that are needed for the applications running in your system. For Supplier
Information and Master Data, the following services are needed:
● /sap/bc/ui5_ui5/sap/slc_qnr_resps1
● /sap/bc/ui5_ui5/sap/slc_eval_resps1
● /sap/bc/ui5_ui5/sap/slc_sup_evals1
● /sap/bc/webdynpro/srmsmc/WDA_I_BP_SUPPLIER
● /sap/bc/webdynpro/srmsmc/WDA_I_QNR_OVP
● /sap/bc/webdynpro/srmsmc/WDA_I_SEP_OVP
● /sap/bc/webdynpro/srmsmc/WDA_I_SES
● /sap/bc/webdynpro/srmsmc/WDA_I_SEV_OVP
● /sap/opu/odata/sap/slc_questionnaire_response_srv
● /sap/opu/odata/sap/C_SUPLREVALRSPEVALUATEST_CDS
● /sap/opu/odata/sap/C_SUPLREVALRESPST_CDS
● /sap/bc/webdynpro/srmsmc/wda_puc
● /sap/bc/webdynpro/srmsmc/wda_puc_t
● /sap/bc/webdynpro/srmsmc/WDA_QLB_OVP_MAIN
● /sap/bc/webdynpro/srmsmc/WDA_QLB_OVP_TRNS
● /sap/bc/webdynpro/srmsmc/WDA_QNR_OVP_TRNS
● /sap/bc/webdynpro/srmsmc/wda_sep_ovp_trns
● /sap/bc/webdynpro/srmsmc/wda_act
● /sap/bc/webdynpro/srmsmc/wda_tsk
Use the transaction SICF to activate these services.
For more information about ICF security, see the respective chapter in the SAP NetWeaver Security Guide.
13.8.7.3 Data Storage Security
Cookies
Supplier Information and Master Data uses Web Dynpro user interfaces. The SAP Web AS must issue cookies
and accept them.
Attachments
You restrict the allowed MIME types and the file size of attachments. You do this in Customizing for Materials
Management under Purchasing → Supplier and Category Management for all business processes you want to
use. You can do this in the following Customizing activities:
● Define MIME Types for Attachments
● Define Maximum Size for Attachments
The above listed activities are available under each of the business processes nodes in Customizing.
For information about virus scanning for attachments, see Virus Scanning [page 21] and Application-Specific
Virus Scan Profile (ABAP) [page 404].
13.8.7.4 Application-Specific Virus Scan Profile (ABAP)
SAP provides an interface for virus scanners to prevent manipulated or malicious files from damaging the system.
To manage the interface and what file types are checked or blocked, there are virus scan profiles. Different
applications rely on default profiles or application-specific profiles.
The Web Dynpro user interfaces of Supplier Information and Master Data require that you activate the virus scan
profile /SIHTTP/HTTP_UPLOAD.
You must make the settings for the virus scan profile in Customizing for Materials Management under
Purchasing → Supplier and Category Management → Virus Scan Interface.
For more information about virus scanning, see Virus Scanning [page 21].
13.8.7.5 Deletion of Personal Data
Use
Supplier and Category Management might process data (personal data) that is subject to the data protection laws
applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking
and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP
Help Portal at http://help.sap.com/s4hana under Product Assistance → Cross Components → Data Protection.
Relevant Application Objects and Available EoP/WUC functionality
Supplier and Category Management uses the standard archiving and deletion functions that are available for the
business partner functionality. Therefore, there is no dedicated end of purpose check (EoP) nor a where-used
check (WUC) for Supplier and Category Management.
Table 235:
Application | Provided Deletion Functionality
Supplier and Category Management | Transaction used for deletion: SARA; archiving object relevant for deletion: CA_BUPA
For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at
http://help.sap.com/s4hana under Product Assistance → Cross Components → Data Protection → Archiving.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of customer and supplier master data in
Customizing under Logistics - General → Business Partner → Deletion of Customer and Supplier Master Data.
Display of Blocked Suppliers
If suppliers have been blocked, they can no longer be used in any Supplier and Category Management WebDynpro
applications. The supplier data is not deleted, but it is no longer visible. Any supplier-related entries are displayed
as Blocked Supplier and all supplier-related links are disabled. Evaluation scorecards for the blocked suppliers are
not displayed in the scorecards list in the Display Scorecards app.
This change is relevant for the following apps:
● Manage Activities
● Monitor Tasks
● Manage Templates
Supplier blocking via CDS view functions in the following apps:
● Manage Purchasing Categories
● Display Scorecards
● Quick Create for Procurement-Related Activities
● Open Activities card on the Procurement Overview Page
● Monitor Responses
● Evaluate Suppliers
13.8.8 Integration
13.8.8.1 SAP S/4HANA Procurement Hub Integration
SAP S/4HANA currently supports integration with the SAP ERP back-end systems.
13.8.8.1.1 Direct Connectivity
The SAP S/4HANA hub system communicates with the connected SAP ERP back-end systems through XML
messages using peer-to-peer connectivity options in an asynchronous mode.
13.8.8.1.2 Mediated Connectivity
For mediated connectivity, the SAP S/4HANA hub system is connected through SAP NetWeaver PI. The
communication with the connected SAP ERP back-end systems is performed through XML messages in
asynchronous mode.
13.8.8.1.3 Roles and Authorizations in the SAP S/4HANA Hub System
To process messages coming from the SAP ERP back-end systems, a technical user is needed in the SAP S/4HANA
hub system.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. To
maintain roles for ABAP technology, you use the profile generator (transaction PFCG).
Note
For more information about creating roles, see Role Maintenance.
The table below shows the security-relevant authorization objects that the technical user needs:
Table 236: Roles and Authorizations in the SAP S/4HANA Hub System
Authorization Object | Field | Value | Description
S_RFC | RFC_TYPE | Function Module | Type of RFC object for which access is to be allowed
S_RFC | RFC_NAME | /IWNGW/FM_IN_CREATE_NOTIF, /IWNGW/FM_IN_DELETE_NOTIF | Name of RFC object for which access is allowed
S_RFC | ACTVT | Execute | Activity
S_SERVICE | SRV_NAME | WS PURCHASEREQUISITIONREPLICATIO3/PURCHASE_REQUISITION_REPLICATI, WS PURCHASEREQUISITIONREPLICATION/PURCHASE_REQUISITION_REPLICATI, WS PURCHASEREQUISITIONSOURCINGNO1/PURCHASE_REQUISITION_SOURCING | Program, transaction, or function module name
S_SERVICE | SRV_TYPE | Hash Value for External Service | Type of check flag and authorization for default values
/AIF/PROC | ACTVT | Import, Export, Resubmit | Activity
/AIF/PROC | /AIF/NS | /MMHUB | Namespace
/AIF/PROC | /AIF/IF | PRRECOIN, PRSRCNOTIN | Interface Name
/AIF/PROC | /AIF/IFVER | * | Interface Version
/AIF/PROC | /AIF/VNS | * | Variant Namespace
/AIF/PROC | /AIF/VNAME | * | Name of Interface Variant
13.8.8.1.4 Roles and Authorizations in the SAP ERP Back-end System
You can activate Forward Error Handling (FEH) to monitor and process purchase requisitions that fail to be
copied to the SAP ERP back-end system.
Users that process entries in FEH need specific authorizations assigned to their users, as well as the following
authorization objects:
Table 237:
Authorization Object | Description
S_FEH_INTF | Interface-specific authorization for FEH
/SAPPO/FLT | Postprocessing Order Filter
/SAPPO/ORD | Postprocessing Order (DISPLAY and EDIT)
/SAPPO/WLA | Assignment of Worklist
13.8.9 Commodity Procurement
13.8.9.1 Deletion of Personal Data
Use
Commodity Procurement and Commodity Sales might process data (personal data) that is subject to the data
protection laws applicable in specific countries as described in SAP Note 1825544.
For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal under Product
Assistance → Cross Components → Data Protection.
Please note that Commodity Procurement and Commodity Sales do not use SAP Information Lifecycle
Management (ILM).
Relevant Application Objects and Available Deletion Functionality
Table 238:
Application Objects | Provided Deletion Functionality
BRFplus Decision Table Entries for CPE Formula Assembly | See section BRFplus Decision Table Entries for CPE Formula Assembly below
Pricing Condition Records in CPE Formula Assembly | See section Pricing Condition Records in CPE Formula Assembly below
Records of Versioned Logistics Pricing Data Persistency | See section Versioned Logistics Pricing Data Persistency below
BRFplus Decision Table Entries for CPE Formula Assembly
In the Commodity Pricing Engine (CPE), the Formula Assembly (FA) is used for logistics document items like sales
order items or purchase order items to create default settings as, for example, the formula ID. These settings
depend on properties of the underlying logistics document such as the vendor/customer, organizational and
material data.
The Business Rules Framework plus (BRFplus) is used to implement rules for entering these settings. To use
decision tables in BRFplus (as recommended by SAP), the required BRFplus content is provided (BRFplus
application, BRFplus functions which use BRFplus decision tables). The standard content includes, for example,
decision tables, which require customer or vendor, material and other input fields, and the formula ID as result
field. Decision tables can contain customer or vendor data, which eventually need to be deleted.
In the deletion report RCPE_BRF01 (Delete BRFplus Decision Table Entries for CPE Formula Assembly) you enter a
selected customer or vendor. When you select the test mode, the report checks whether the entered customer or
vendor exists in the system and whether it is blocked. After this, the report checks all BRFplus decision tables in
BRFplus applications used for the Formula Assembly, and displays the respective row numbers of the BRFplus
decision tables and the column containing the selected customer or vendor. If the Test Mode flag is not set, the
report deletes all entries found, and creates an application log entry for object CMM and subobject DPP_FA_BRF
(transaction SLG1).
The Customizing settings can be found in the SAP Implementation Guide under Sales and Distribution → Basic
Functions → Commodity Pricing → Settings for Formula Assembly → Assign BRFplus Application to Pricing
Procedure or Materials Management → Purchasing → Commodity Pricing → Settings for Formula Assembly →
Assign BRFplus Application to Pricing Procedure.
Pricing Condition Records in CPE Formula Assembly
1. Precheck
Condition records are stored in table /1CN/CVFSAPI0FOR and used for the formula key determination. To
check all tables of the formula assembly for customers or vendors used, enter the prefixes /1CN/CVF for
Commodity Sales and /1CN/CMF for Commodity Procurement.
To check and process pricing conditions for the formula assembly, you can use the transactions
MCPE_FA_GCM (for Commodity Procurement) and VCPE_FA_GCM (for Commodity Sales).
2. Deletion
To delete entries for a selected customer or vendor, perform report RCPE_CT01.
Select, for example, table /1CN/CVFSAPI0FOR as identified in the step before, and enter the customer for a
Commodity Sales-relevant table. When choosing the test mode, the report will display all entries of
table /1CN/CVFSAPI0FOR, which would be deleted.
To display deleted entries, perform transaction SLG1 for object CMM and subobject DDP_FA_AP.
To delete all entries of the selected table, select the Delete complete content indicator.
Note: Condition tables used for the CPE Formula Assembly must always be selected and processed
individually.
Versioned Logistics Pricing Data Persistency
Transaction CMM_DEL_DOC_VERSIONS allows you to delete all records of the versioned logistic pricing data
persistency (table CMM_VLOGP), which are stored for a certain blocked customer/vendor.
Transaction CMM_DEL_DOC_VERSIONS allows you to update all records of the versioned logistic pricing data
persistency (table CMM_VLOGP), which are stored for a certain blocked customer/vendor in a way that the
identifier of the respective customer/vendor is masked with a blank space.
The authorization to perform this transaction is checked by the authorization object S_TCODE, and explicitly in
the underlying report. It is ensured that, even if the report is performed by transaction SA38, only authorized
experts can execute it. In addition, the authorization object CMM_VLOGP is checked by activity 06 (Delete). This
enables the authorized user to delete records from the versioned logistic pricing data persistency (table
CMM_VLOGP).
Note: The report checks whether the entered customer is used as Sold-to-Party and/or Ship-to-Party. Records are
deleted and masked accordingly.
This transaction must be performed to mask or to delete records as soon as a certain customer or vendor is
blocked.
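The mask-or-delete handling described above for transaction CMM_DEL_DOC_VERSIONS, modelled as an added Python example (not SAP's report or ABAP code): the authorization checks on S_TCODE and on CMM_VLOGP with activity 06, the test mode, and the blanking of only those LIFNR, KUNNR or KUNWE fields that hold the blocked partner. The table rows, user names and authorization sets are constructed for the example.

```python
"""Model of the blocked-partner clean-up this guide describes for transaction
CMM_DEL_DOC_VERSIONS on the versioned logistics pricing data persistency
(table CMM_VLOGP). Constructed illustration, not SAP's report: the rows, the
authorization stub and the log format are invented here."""
from dataclasses import dataclass, replace
from typing import Dict, List, Set, Tuple

PARTNER_FIELDS = ("LIFNR", "KUNNR", "KUNWE")  # personal-data fields the guide lists for CMM_VLOGP
TCODE = "CMM_DEL_DOC_VERSIONS"
ACTVT_DELETE = "06"                          # activity checked on authorization object CMM_VLOGP
MASK = " "                                    # the identifier is masked with a blank space


@dataclass(frozen=True)
class VlogpRow:
    """One constructed CMM_VLOGP record (document, version, partner identifiers)."""
    doc_id: str
    version: int
    LIFNR: str = ""   # vendor
    KUNNR: str = ""   # sold-to party
    KUNWE: str = ""   # ship-to party


# Constructed authorizations as (object, value) pairs per user.
AUTHS: Dict[str, Set[Tuple[str, str]]] = {
    "DPO_EXPERT": {("S_TCODE", TCODE), ("CMM_VLOGP", ACTVT_DELETE)},
    "MASK_ONLY": {("S_TCODE", TCODE)},        # may mask, but not delete
    "SA38_USER": {("S_TCODE", "SA38")},       # may start reports, but fails the report's own check
}

# Constructed sample: C100 is sold-to on SO-1 v1 and both sold-to and ship-to on
# SO-1 v2; V200 is the vendor on PO-7; C555 is unrelated and must stay untouched.
SAMPLE = [
    VlogpRow("SO-1", 1, KUNNR="C100", KUNWE="C300"),
    VlogpRow("SO-1", 2, KUNNR="C100", KUNWE="C100"),
    VlogpRow("PO-7", 1, LIFNR="V200"),
    VlogpRow("SO-9", 1, KUNNR="C555", KUNWE="C555"),
]


def authority_check(user: str, obj: str, value: str) -> bool:
    return (obj, value) in AUTHS.get(user, set())


def partner_roles(row: VlogpRow, partner: str) -> List[str]:
    """Fields in which the blocked partner occurs: vendor, sold-to and/or ship-to."""
    return [f for f in PARTNER_FIELDS if getattr(row, f) == partner]


@dataclass
class Result:
    rows: List[VlogpRow]
    affected: List[Tuple[str, int, Tuple[str, ...]]]   # (doc_id, version, fields hit)
    log: List[str]


def process_blocked_partner(user: str, table: List[VlogpRow], partner: str,
                            action: str, test_mode: bool = True) -> Result:
    """Delete ('delete') or blank out ('mask') every record of a blocked partner.

    The report re-checks the transaction authorization itself, so reaching it via
    SA38 does not bypass the check; deletion also needs CMM_VLOGP activity 06.
    In test mode the affected records are only reported and nothing is changed."""
    if action not in ("delete", "mask"):
        raise ValueError(f"unknown action {action!r}")
    if not authority_check(user, "S_TCODE", TCODE):
        raise PermissionError(f"{user}: not authorized for {TCODE}")
    if action == "delete" and not authority_check(user, "CMM_VLOGP", ACTVT_DELETE):
        raise PermissionError(f"{user}: CMM_VLOGP activity {ACTVT_DELETE} missing")

    kept: List[VlogpRow] = []
    affected: List[Tuple[str, int, Tuple[str, ...]]] = []
    log: List[str] = []
    for row in table:
        hit = partner_roles(row, partner)
        if not hit:
            kept.append(row)
            continue
        affected.append((row.doc_id, row.version, tuple(hit)))
        if test_mode:
            kept.append(row)                       # report only, keep the record
        elif action == "delete":
            log.append(f"{TCODE} deleted {row.doc_id} v{row.version} ({','.join(hit)})")
        else:
            # Blank only the fields that hold the partner; other partners stay readable.
            kept.append(replace(row, **{f: MASK for f in hit}))
            log.append(f"{TCODE} masked {','.join(hit)} in {row.doc_id} v{row.version}")
    return Result(kept, affected, log)


def is_refused(user: str, action: str) -> bool:
    """True when the authorization checks stop the user before any record is touched."""
    try:
        process_blocked_partner(user, SAMPLE, "C100", action, test_mode=False)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    preview = process_blocked_partner("MASK_ONLY", SAMPLE, "C100", "mask")
    print("test mode would touch:", preview.affected)
    live = process_blocked_partner("DPO_EXPERT", SAMPLE, "V200", "delete", test_mode=False)
    print(len(SAMPLE) - len(live.rows), "record(s) deleted;", live.log)
```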
Relevant Application Objects and Available EoP/WUC Functionality
Table 239:
Application | Implemented Solution (EoP or WUC) | Further Information
n/a | n/a | n/a
13.8.9.2 Information Report
Use
Commodity Procurement and Commodity Sales provide information about stored personal data in the versioned
persistency of logistics pricing data (VLOGP).
Versioned Persistency of Logistics Pricing Data
To display information about stored personal data in the versioned persistency of logistics pricing data (VLOGP)
of Commodity Procurement and Commodity Sales, run transaction CMM_DEL_DOC_VERSIONS.
The authorization to perform this transaction is checked by the authorization object S_TCODE, and in the
underlying report. It is ensured that, even if the report is launched by transaction SA38, only authorized experts
can execute it.
In case of blocked customers, vendors, or business partners, the authorization object B_BUP_PCPT (activity 03) is
additionally checked.
Table 240:
Table / Business Object | Archiving Object | Personal Data
CMM_VLOGP | n/a | LIFNR, KUNNR, KUNWE
13.9 Supply Chain
13.9.1 Deletion of Personal Data (Returnable Packaging Logistics)
Use
Returnable Packaging Logistics might process data (personal data) that is subject to the data protection laws
applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking
and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP
Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance → Cross Components → Data
Protection.
Relevant Application Objects and Available Deletion Functionality
Table 241:
Application | Provided Deletion Functionality
Returnable Packaging Logistics (IS-A-RL) | Archiving objects: VHURL_AC, VHURL_CP, VHURL_PO, VHURL_ST, VHURL_TR. Destruction objects: VHURL_CP_DESTRUCTION, VHURL_RR_DESTRUCTION. ILM objects: VHURL_AC, VHURL_PO, VHURL_ST, VHURL_TR, VHURL_CP_DEST, VHURL_RR_DEST
Relevant Application Objects and Available EoP/WUC functionality
Table 242:
Application | Implemented Solution (EoP or WUC) | Further Information
Returnable Packaging Logistics (IS-A-RL) | EoP check | Checks tables: RLACCT, RLPSHPA, RLPSHP
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components→Data Protection→Blocking and Unblocking of Data→Customer Master/Supplier
Master Deletion.
13.9.2 Efficient Logistics and Order Fulfillment
13.9.2.1 Inventory Management
13.9.2.1.1 Authorizations in Inventory Management
Inventory Management uses the authorization concept provided by the SAP NetWeaver AS for ABAP. Therefore,
the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide
ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
The table below shows the standard roles that are used.
Table 243:
Role | Description
SAP_BR_INVENTORY_MANAGER | Inventory Manager
SAP_BR_WAREHOUSE_CLERK | Warehouse Clerk
SAP_BR_INVENTORY_ACCOUNTANT | Inventory Accountant
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 244:
Authorization Object | Fields | Description
M_ISEG_WDB | Activity, Plant | Phys. Inv: Difference Posting in Plant
M_ISEG_WIB | Activity, Plant | Phys. Inv: Phys. Inv Document in Plant
M_ISEG_WZL | Activity, Plant | Phys. Inv: Count in Plant
M_ISEG_WZB | Activity, Plant | Phys. Inv: Count and Difference Posting in Plant
M_MSEG_BMB | Activity, Movement Type (Inventory Management) | Material Documents: Movement Type
M_MBNK_ALL | Activity | Material Documents: Number Range Maintenance
M_MSEG_WMB | Activity, Plant | Material Documents: Plant
M_MRES_BWA | Activity, Movement Type (Inventory Management) | Reservations: Movement Type
M_MRES_WWA | Activity, Plant | Reservations: Plant
M_MWOF_ACT | Activity | Control for Split Valuation of Value (MBWO)
M_SKPF_VGA | Activity, Transaction for Inventory Sampling | Inventory Sampling: Transaction
M_SKPF_WRK | Activity, Plant | Inventory Sampling: Plant
M_MSEG_BWA | Activity, Movement Type (Inventory Management) | Goods Movement: Movement Type
M_MSEG_LGO | Activity, Plant, Storage Location, Movement Type (Inventory Management) | Goods Movement: Storage Location
M_MSEG_WWA | Activity, Plant | Goods Movements: Plant
M_MSEG_BWF | Activity, Movement Type (Inventory Management) | Goods Receipt for Production Order: Movement Type
M_MSEG_WWF | Activity, Plant | Goods Receipt for Production Order: Plant
M_MSEG_BWE | Activity, Movement Type (Inventory Management) | Goods Receipt for Purchase Order: Movement Type
M_MSEG_WWE | Activity, Plant | Goods Receipt for Purchase Order: Plant
13.9.2.1.2 Deletion of Personal Data
Use
The Materials Management application might process data (personal data) that is subject to the data protection
laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the
blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on
the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance → Cross Components → Data
Protection.
Relevant Application Objects and Available Deletion Functionality
Table 245:
Application Object | Detailed Description | Provided Deletion Functionality
Physical Inventory Documents | Archiving Physical Inventory Documents (MM-IM) | Archiving object MM_INVBEL
Special Stocks | Archiving Special Stock Records (LO-MD-MM) | Archiving object MM_SPSTOCK
Empties Management | Archiving of Empties Update | Archiving object BEV1_EMFD
Relevant Application Areas and Available EoP Functionality
Table 246:
Application | Implemented Solution | Further Information
Materials Management (MM) | End of purpose check (EoP) | This includes the business in the areas of External Services Management (MM-SRV), Inventory Management (MM-IM), Logistics Invoice Verification (MM-IV), and Empties Management (MM-PUR-EM). For more information about the end of purpose check, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance → Enterprise Business Applications → Sourcing and Procurement → Materials Management (MM) → Data Blocking → End of Purpose (EoP) Check for Business Partners in MM-PUR, MM-IM, and MM-IV.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components under Data Protection.
● Define the settings for authorization management in Customizing for Cross-Application Components under
Data Protection → Authorization Management. For more information, see the Customizing
documentation.
● Define the settings for blocking in Customizing for Cross-Application Components under Data Protection →
Blocking and Unblocking Business Partner.
13.9.2.2 Authorizations in Logistics Execution
Logistics Execution uses the authorization concept provided by the SAP NetWeaver AS for ABAP. Therefore, the
recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP
also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
The table below shows the standard roles that are used.
Table 247: Roles for Shipping
Role Description
SAP_BR_SHIPPING_SPECIALIST Coordinates outgoing deliveries and ensures the accurate and
timely shipment of goods to customers.
SAP_BR_RECEIVING_SPECIALIST Coordinates incoming deliveries and ensures that all received
goods are inspected and put away in a timely manner.
Table 248: Roles for Decentralized Warehouse Management and Transportation
Role Description
SAP_LE_TMS_ARCHIVING Archiving of Transportation and Shipment Cost Documents
SAP_LE_TMS_BACKGROUND Background Transactions in Shipment
SAP_LE_TMS_CAPACITY_ANALYSIS Perform Analyses for Utilization and Free Capacity
SAP_LE_TMS_CARRIER_WEB Internet Transactions for the Forwarding Agent
SAP_LE_TMS_CURRENT_ANALYSIS Perform Current Evaluations for Shipments
SAP_LE_TMS_DISPLAY Display Documents in Shipment
SAP_LE_TMS_EXECUTION Execute Planned Shipments
SAP_LE_TMS_EXTERNAL_TPS Interface to External Transportation Planning System
SAP_LE_TMS_MAINTAIN_SCD Create, Process, and Display Shipment Costs
SAP_LE_TMS_MAINTAIN_SCD_COND Maintain Conditions in Shipment Costs Environment
SAP_LE_TMS_MAINT_SHP_MASTER Maintain Master Data in the Transportation Environment
SAP_LE_TMS_MONITOR_PLANNING Monitor Shipment Planning
SAP_LE_TMS_MONITOR_SHPCOSTS Monitor Shipment Costs Calculation and Settlement
SAP_LE_TMS_OTHERS Other Transportation Transactions (Without Composite Role)
SAP_LE_TMS_PLANNING Create, Change, and Display Shipments
SAP_LE_TMS_RULES Define Rules for Multiple Shipment Creation
SAP_LE_TMS_STATISTIC_ANALYSIS Perform Statistical Analyses for Shipments
SAP_LE_TMS_TP_SERVICE_AGENT Interface for Shipment Planning in Cooperation with Forwarding Agents
SAP_LE_WMS_APPOINTMENTS Door Appointments
SAP_LE_WMS_CYCLE_COUNTING Perform Cycle Counting in WM
SAP_LE_WMS_INFORMATION Warehouse Information
SAP_LE_WMS_LIS_STATISTICS LIS WM Statistics Data
SAP_LE_WMS_LOAD Workload in Warehouse
SAP_LE_WMS_MONITORING Warehouse Monitoring
SAP_LE_WMS_ONE_TIME_TASK One-Time Tasks in WM
SAP_LE_WMS_PC_PROCESSING Edit Posting Change Notice in WM
SAP_LE_WMS_PHYS_INVENTORY Physical Inventory in WM
SAP_LE_WMS_PHYS_INVENTORY_CNT Physical Inventory Count in WM
SAP_LE_WMS_PHYS_INVENTORY_MON Physical Inventory Analysis and Monitoring in WM
SAP_LE_WMS_QUALITY_MANAGEMENT WM Quality Management
SAP_LE_WMS_R2R3_COUPLING R/2-R/3 Coupling in WM
SAP_LE_WMS_REPLENISHMENT_WMPP Replenishment WM-PP
SAP_LE_WMS_REPLENISH_INTERNAL Internal WM Replenishment
SAP_LE_WMS_RF_ADMIN Administration of Radio Frequency Link in WM
SAP_LE_WMS_RF_PROCESSING Radio Frequency (RF) in WM
SAP_LE_WMS_STATISTICS Analysis in WM
SAP_LE_WMS_STOCK_ADJUSTMENTS Stock Adjustment WM-IM
SAP_LE_WMS_TO_EXCEPTION_HANDL Exception Handling of Transfer Orders in WM
SAP_LE_WMS_TO_PREPARATION Transfer Order Processing in WM
SAP_LE_WMS_TR_PROCESSING Transfer Requirement Processing in WM
SAP_LE_WMS_WHSE_MAINTENANCE Warehouse Maintenance
/SAPMP/RTS Controls whether a user can assign reel type for a plant.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 249: Standard Authorization Objects: Decentralized Warehouse Management
Authorization Object Description
L_BWLVS Movement Type in the Warehouse Management System
L_LGNUM Warehouse Number/Storage Type
L_SFUNC Special Functions in Warehouse Management
L_TCODE Transaction Codes in the Warehouse Management System
Table 250: Standard Authorization Objects: Transportation
Authorization Object Description
V_VFKK_FKA Shipment Cost Processing: Auth. for Shipment Cost Type
V_VTTK_SHT Shipment Processing: Authorization for Shipment Type
V_VTTK_TDL Shipment Processing: Authorization for Forwarding Agents
V_VTTK_TDS Shipment Processing: Auth. for Transport Planning Points
V_VTTK_TSA Transportation Proc.: Authorization for Shipment Type Status
Table 251: Standard Authorization Objects: Shipping
Authorization Object Description
V_LECI_CKP Checkpoint: Authorization for Checkpoint
V_LIKP_VST Delivery: Authorization for Shipping Points
V_VBSK_GRA Deliveries: Authorization for Delivery Group Type
13.9.2.3 Direct Store Delivery
13.9.2.3.1 Deletion of Personal Data
Use
The Direct Store Delivery application might process data (personal data) that is subject to the data protection
laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the
blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on
the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Cross Components >
Data Protection.
Table 252: Relevant Application Objects and Available Deletion Functionality
Application Object | Detailed Description | Provided Deletion Functionality
Visit List | Archiving Visit Lists (LE-DSD) | Archiving object /DSD/VL
Settlement Documents | Archiving Settlement Documents (LE-DSD) | Archiving object /DSD/SL
DEX | Archiving DEX Streams (LE-DSD) | Archiving object /DSD/DEX
Route Settlement | Data destruction in Route Settlements (LE-DSD) | Destruction object /DSD/HH_RAHD_DESTRUCTION
DSD Connector | Data destruction in DSD Connector (LE-DSD) | Destruction object /DSD/ME_TOUR_HD_DESTRUCTION
DSD Loading | Data destruction in DSD Loading (LE-DSD) | Destruction object /DSD/SV_LC_HD_DESTRUCTION
Visit Plan | Data destruction in Visit Plans (LE-DSD) | Destruction object /DSD/VC_VPH_DESTRUCTION
Deal Conditions | Data destruction in Deal Conditions (LE-DSD) | Destruction object /DSD/PR_HEAD_DESTRUCTION
Table 253: Relevant Application Objects and Available EoP Functionality
Application | Implemented Solution (EoP or WUC) | Further Information
Logistics Execution (LE) | EoP check | This includes the business in the areas of:
● Direct Store Delivery (Backend) (LE-DSD)
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components under Data Protection.
● Define the settings for authorization management in Customizing for Cross-Application Components under
Data Protection > Authorization Management. For more information, see the Customizing documentation.
● Define the settings for blocking in Customizing for Cross-Application Components under Data Protection >
Blocking and Unblocking Business Partner.
13.9.2.4 Internet Communication Framework Security (ICF)
You should only activate those services that are needed for the applications running in your system. For Logistics
Execution, the following services are needed:
● LECI
● VL31W
● VL32W
● VLPODW1
● VLPODW2
Use the transaction SICF to activate these services.
If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings
accordingly.
For more information about ICF security, see the respective chapter in the SAP NetWeaver Security Guide.
13.9.3 Extended Warehouse Management
13.9.3.1 Authorizations
Extended Warehouse Management (EWM) uses the authorization concept provided by the SAP NetWeaver AS for
ABAP or AS Java. Therefore, the recommendations and guidelines for authorizations as described in the SAP
NetWeaver AS Security Guide ABAP and SAP NetWeaver AS Security Guide Java also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’s
user administration console on the AS Java.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Authorization Objects
To gain an overview of the authorization objects for EWM, proceed as follows:
1. Open transaction AUTH_DISPLAY_OBJECTS to display active authorization objects.
2. In the overview, expand the following subtree of authorizations related to EWM.
1. Authorizations Extended Warehouse Management (SCWM)
2. Dock Appointment Scheduling (SCDS)
3. Authorizations SCM Basis (SCMB)
4. Master Data Authorization Objects (SCMD)
If you want to display the technical names of the authorization objects, choose Edit > Technical Names On.
3. If you want to get a detailed description, choose the Information button next to the authorization object you
are interested in.
Warehouse-Based Authorization
Warehouse-Specific Field in Authorization Objects
If you have multiple warehouses modelled in EWM, you may need to prevent people working in one warehouse from
accessing data of another warehouse. Many authorization objects in EWM contain a specific authorization field for
this purpose, for example:
● /SCWM/LGNU (Warehouse Number/Warehouse Complex)
This is the most commonly used authorization field. It is used, for example, in EWM monitor authorization
object /SCWM/MO.
● /SCWM/ORG (Location/Organizational Unit)
● /SCMB/LGNU (Warehouse Number/Warehouse Complex)
Warehouse in Customizing or Administration
In other cases, such as in administration or Customizing, EWM does not use specific authorization objects.
Instead, you can use generic authorization objects to limit the access to tables and views, for example:
● S_TABU_NAM (Table Access by Generic Standard Tools)
● S_TABU_LIN (Authorization for Organizational Unit)
Example
The Customizing activity Define Storage Bin Types has the assigned Customizing object /SCWM/T303. The
underlying database table /SCWM/T303 contains field LGNUM (warehouse number) with data element /SCWM/
LGNUM (Warehouse Number/Warehouse Complex). You can use generic authorization objects to limit the access
to tables and views, as follows:
● Use authorization object S_TABU_NAM to limit access to Customizing object /SCWM/T303.
● Use authorization object S_TABU_LIN to limit access based on organizational criteria.
You can also use authorization field ORG_CRIT (Organization Criterion for Key-Specific Authorization) and use
value /SCWM/LGNU (Warehouse Number/Warehouse Complex) to be able to enter a warehouse in
ORG_FIELD1.
For more information, see the documentation of authorization objects S_TABU_NAM and S_TABU_LIN in
transaction SU21.
BRFplus
BRFplus is sometimes used in EWM, for example, in Labor Management. However, BRFplus does not recognize
organizational units such as the warehouse. Therefore, if BRFplus entities should be separated based on
warehouse, you must consider this during the implementation phase so that you can use alternative BRFplus
mechanisms.
For information about the authorization concept of BRFplus, see SAP Library for SAP NetWeaver at https://
help.sap.com/netweaver. In SAP Library, search for Business Rule Framework plus (BRFplus) and then choose
Concepts > Authorizations.
Critical Combinations
Appointment Planner for Carrier
Note
These authorizations are relevant only if you are using SAP Dock Appointment Scheduling.
SAP Dock Appointment Scheduling offers a collaboration scenario where appointment planners for carriers can
log on to the SAP Dock Appointment Scheduling system, and view and maintain appointments for their carrier.
Since this potentially means that employees of a different company access SAP Dock Appointment Scheduling
from outside the company network, you must put a special focus on authorizations. This kind of user should have
very limited authorizations. As well as this, they should be able to access data of their own carrier only, and not be
able to access other carriers’ data. They should not be able to see internal data, like overall capacities of loading
points. Therefore, you must be very careful and restrictive when assigning roles and authorizations to this kind of
user.
SAP Dock Appointment Scheduling delivers a special authorization field for this.
Note
We recommend that you define, in the roles, the loading points for which a user may view or create
appointments. You can do this in the Loading Point authorization field (/SCWM/DSLP) in the authorization
objects Loading Appointment (/SCWM/DSAP) and Slot (/SCWM/DSSL).
In addition, the authorization field User Process Scope for Dock Appointment Scheduling (/SCWM/DSPS) is very
important. It is available on the Loading Appointment and Slot authorization objects. For appointment planners
for carriers, set this field to Scope for an Appointment Planner for Carrier. This ensures that this user can create
and view appointments only for the carrier that is assigned to him or her. Otherwise such a user could create
appointments for any carrier.
Warehouse Management Monitor: Authorization to Display Batch Execution Data
In the warehouse management monitor (/SCWM/MON), you can execute selections using batch jobs. You can view
the results in the warehouse management monitor. During the selection, the system performs the normal
authorization checks and selects and stores only data for which the user has authorization in the data containers
for the warehouse management monitor. But if these data containers are then displayed by other users, the
system does not perform these authorization checks. Therefore, you should only grant the authorization to
display batch execution data for monitor nodes or users where these checks are not critical.
The authorization object used for the authorization to display batch execution data in the warehouse
management monitor is /SCWM/DATC. For more information about this authorization object and the warehouse
management monitor, see SAP Library for SAP S/4HANA at https://help.sap.com/s4hana. In SAP Library,
choose SAP S/4HANA > Enterprise Business Applications > Supply Chain > Extended Warehouse Management >
Monitoring > Warehouse Management Monitor.
Maintaining Authorizations for Integration with SAP Components
Maintaining Authorizations for Integration of EWM Within Supply Chain
Note
This is not relevant for standalone SAP Dock Appointment Scheduling.
For the integration of EWM within Supply Chain, that is, with Logistics Execution (LE) and Logistics – General
(LO), use the authorization roles for the remote function call (RFC) destination users. For more information about
these roles, see SAP Library for SAP S/4HANA at https://help.sap.com/s4hana. In SAP Library, choose
SAP S/4HANA > Enterprise Business Applications > Supply Chain > Extended Warehouse Management >
Roles for Extended Warehouse Management (EWM).
For the integration from Supply Chain to EWM, for example, the role /SCWM/ERP_EWM_INTEGRATION exists. For
the integration from EWM to Supply Chain, the corresponding RFC users also require the proper authorizations.
For more information, see SAP Note 2081387 .
In some cases, for example, for migration functions like transaction /SCWM/MIG_PRODUCT, EWM calls the RFC-enabled
function module RFC_READ_TABLE on the Supply Chain side. For such scenarios, the corresponding RFC user requires
the S_RFC authorization for this function module. Because RFC_READ_TABLE can read any table that the calling user is
authorized for, it is very important that you restrict the tables that this RFC user can access to the minimum the
scenario needs, to avoid misuse. Use authorization object S_TABU_NAM (access by table name) or S_TABU_DIS (access
by table authorization group) for this.
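Both of the critical combinations above (an RFC user that may call RFC_READ_TABLE but has no tight S_TABU_NAM table list, and an appointment planner for a carrier whose Loading Appointment or Slot authorization is not limited by /SCWM/DSPS and /SCWM/DSLP) can be checked mechanically against the authorization data of a role. The following script is an added example, not SAP code: it works on constructed rows in the shape of PFCG authorization data (role, object, field, low, high). The value CARRIER for the /SCWM/DSPS scope and the function group SDTX for RFC_READ_TABLE are assumptions to be replaced by what SU21 and SE37 show on your release.

```python
"""Audit PFCG-style authorization rows for two critical combinations:
an RFC user that may call RFC_READ_TABLE without a tight S_TABU_NAM table
list, and a carrier appointment planner whose /SCWM/DSAP or /SCWM/DSSL
authorization is not limited by /SCWM/DSPS and /SCWM/DSLP.
Added example, not SAP code. Rows use the columns of the role
authorization data (role, object, field, low, high); every sample row
below is constructed for the demonstration."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Assumed fixed value of /SCWM/DSPS for "Scope for an Appointment Planner
# for Carrier": look up the real value in SU21 before using this script.
CARRIER_PLANNER_SCOPE = "CARRIER"
# Function group containing RFC_READ_TABLE; verify in SE37 on your release.
RFC_READ_TABLE_FUGR = "SDTX"

ROWS = [  # constructed sample: (role, object, field, low, high)
    ("Z_EWM_RFC_MIG", "S_RFC", "ACTVT", "16", ""),
    ("Z_EWM_RFC_MIG", "S_RFC", "RFC_TYPE", "FUGR", ""),
    ("Z_EWM_RFC_MIG", "S_RFC", "RFC_NAME", RFC_READ_TABLE_FUGR, ""),
    ("Z_EWM_RFC_MIG", "S_TABU_NAM", "ACTVT", "03", ""),
    ("Z_EWM_RFC_MIG", "S_TABU_NAM", "TABLE", "*", ""),          # any table: critical
    ("Z_EWM_RFC_MIG_OK", "S_RFC", "ACTVT", "16", ""),
    ("Z_EWM_RFC_MIG_OK", "S_RFC", "RFC_TYPE", "FUNC", ""),
    ("Z_EWM_RFC_MIG_OK", "S_RFC", "RFC_NAME", "RFC_READ_TABLE", ""),
    ("Z_EWM_RFC_MIG_OK", "S_TABU_NAM", "ACTVT", "03", ""),
    ("Z_EWM_RFC_MIG_OK", "S_TABU_NAM", "TABLE", "MARA", ""),    # explicit list: fine
    ("Z_EWM_RFC_MIG_OK", "S_TABU_NAM", "TABLE", "MARC", ""),
    ("Z_DAS_CARRIER", "/SCWM/DSAP", "ACTVT", "01", "03"),
    ("Z_DAS_CARRIER", "/SCWM/DSAP", "/SCWM/DSPS", CARRIER_PLANNER_SCOPE, ""),
    ("Z_DAS_CARRIER", "/SCWM/DSAP", "/SCWM/DSLP", "*", ""),     # every loading point: critical
    ("Z_DAS_CARRIER_OK", "/SCWM/DSAP", "ACTVT", "01", "03"),
    ("Z_DAS_CARRIER_OK", "/SCWM/DSAP", "/SCWM/DSPS", CARRIER_PLANNER_SCOPE, ""),
    ("Z_DAS_CARRIER_OK", "/SCWM/DSAP", "/SCWM/DSLP", "LP01", ""),
    ("Z_DAS_CARRIER_NOSCOPE", "/SCWM/DSSL", "ACTVT", "03", ""),
    ("Z_DAS_CARRIER_NOSCOPE", "/SCWM/DSSL", "/SCWM/DSLP", "LP01", ""),  # no /SCWM/DSPS: critical
]


def matches(value, low, high):
    """PFCG value semantics: LOW..HIGH is a range; otherwise LOW is a pattern
    in which '*' matches anything, so a bare '*' grants every value."""
    if high:
        return low <= value <= high
    return fnmatchcase(value, low)


def field_values(rows, role, obj):
    """{field: [(low, high), ...]} for one role and object. All instances of
    the object are merged, which over-approximates what one authorization
    instance grants; that is the safe direction for an audit."""
    fields = defaultdict(list)
    for r, o, field, low, high in rows:
        if r == role and o == obj:
            fields[field].append((low, high))
    return fields


def grants(fields, field, value):
    return any(matches(value, lo, hi) for lo, hi in fields.get(field, []))


def unrestricted(fields, field):
    """True if the field is missing or any of its values is a wildcard or range."""
    values = fields.get(field, [])
    return not values or any("*" in lo or hi for lo, hi in values)


def can_call_rfc_read_table(s_rfc):
    """Execute (16) on the function itself, on its function group, or via '*'."""
    if not grants(s_rfc, "ACTVT", "16"):
        return False
    by_func = grants(s_rfc, "RFC_TYPE", "FUNC") and grants(s_rfc, "RFC_NAME", "RFC_READ_TABLE")
    by_fugr = grants(s_rfc, "RFC_TYPE", "FUGR") and grants(s_rfc, "RFC_NAME", RFC_READ_TABLE_FUGR)
    return by_func or by_fugr


def audit(rows, carrier_roles):
    """Return [(role, finding), ...] for the two critical combinations."""
    findings = []
    for role in sorted({row[0] for row in rows}):
        if can_call_rfc_read_table(field_values(rows, role, "S_RFC")):
            # No S_TABU_NAM at all leaves the check to S_TABU_DIS groups,
            # which this script cannot judge, so that case is reported too.
            if unrestricted(field_values(rows, role, "S_TABU_NAM"), "TABLE"):
                findings.append((role, "RFC_READ_TABLE callable without an explicit S_TABU_NAM table list"))
        if role not in carrier_roles:
            continue
        for obj in ("/SCWM/DSAP", "/SCWM/DSSL"):
            fields = field_values(rows, role, obj)
            if not fields:
                continue
            scopes = [lo for lo, _ in fields.get("/SCWM/DSPS", [])]
            if scopes != [CARRIER_PLANNER_SCOPE]:
                findings.append((role, f"{obj}: /SCWM/DSPS not limited to the carrier planner scope"))
            if unrestricted(fields, "/SCWM/DSLP"):
                findings.append((role, f"{obj}: /SCWM/DSLP allows any loading point"))
    return findings


if __name__ == "__main__":
    for role, finding in audit(ROWS, {"Z_DAS_CARRIER", "Z_DAS_CARRIER_OK", "Z_DAS_CARRIER_NOSCOPE"}):
        print(f"{role}: {finding}")
```

The carrier roles are passed in explicitly because an internal appointment planner legitimately has a different /SCWM/DSPS scope; only roles handed to external users need the carrier scope. Merging all instances of an object is deliberate: it can produce a false positive, never a missed wildcard.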
Maintaining Authorizations for Data Transfer to SAP Business Warehouse
Note
This is not relevant for standalone SAP Dock Appointment Scheduling.
You can exclude DataSources from the extraction to SAP Business Warehouse (SAP BW). Data that is stored in the
extraction structure of an excluded DataSource cannot be transferred to SAP BW.
1. In Customizing for Extended Warehouse Management, choose Integration with Other SAP Components >
Data Transfer to Business Warehouse > General Settings > Limit Authorizations for Extraction.
2. Choose New Entries and choose a DataSource that you want to exclude from the extraction.
3. Choose the SAP BW system for which you want no more data for this DataSource to be extracted.
4. In the Ex. Extr. field, enter whether or not you want to exclude the DataSource from the extraction.
5. Save your entries and specify a transport request.
Maintaining Authorizations for Data Transfer Between Shipping and Receiving (EWM) and SAP
Dock Appointment Scheduling
Note
This is not relevant for standalone SAP Dock Appointment Scheduling.
SAP Dock Appointment Scheduling and Shipping and Receiving (S&R) are two independent components. But it is
also possible to integrate the components, for example, so that the system communicates appointment status
changes in SAP Dock Appointment Scheduling to S&R and appointment status changes in S&R to SAP Dock
Appointment Scheduling. For more information, see SAP Library for SAP S/4HANA at https://help.sap.com/
s4hana. In SAP Library, choose SAP S/4HANA > Enterprise Business Applications > Supply Chain >
Extended Warehouse Management > SAP Dock Appointment Scheduling > Integration with SAP EWM.
For integration between SAP Dock Appointment Scheduling and S&R, the system uses queued RFC (qRFC)
technology.
Using Standard Roles for SAP Dock Appointment Scheduling to EWM Integration
For the integration from SAP Dock Appointment Scheduling to S&R, the technical role /SCWM/
DAS_TO_EWM_INTEGRATION is available. It contains the necessary authorizations to update the relevant S&R
objects. The role does not contain any menu entries or transactions, as it is only a technical role for RFC
communication. Assign this role to the user with which the integration is done: the SAP Dock Appointment
Scheduling user, or the RFC user if the integration uses RFC communication.
Maintaining RFC Authorizations for Internal Communication in EWM
For RFC communication, users usually require the authorizations for authorization object S_RFC. As RFCs are
potential security risks, you should be very restrictive in granting them. In certain cases, EWM also uses RFCs for
internal purposes, for example for parallel processing or for asynchronous communication. For these purposes,
no RFC authorizations have to be granted as these calls are within the SAP S/4HANA system.
EWM also uses specific RFC-enabled function modules, which are used to extract content from qRFCs. For
example, these function modules are used to extract the warehouse number or delivery number from qRFCs.
These function modules do not perform data changes in EWM and also do not return data to a caller. They are
required for delivery processing and for displaying of message queue entries in the warehouse management
monitor.
The function modules are in the following special function groups:
● /SCWM/CORE_MQ_REPLAY (Message Queue Moni: Replay Functions)
● /SCWM/CORE_RF_MQ_REPLAY (Replay Function Modules for RF)
● /SCWM/DELIVERY_MQ_REPLAY (Replay Function Modules for Deliveries)
● /SCWM/ERP_MQ_REPLAY (Replay Function Modules - ERP Interface)
● /SCWM/SR_MQ_REPLAY (Replay Function Modules - S&R)
● /SCWM/VAS_MQ_REPLAY (Replay Function Modules for VAS)
● /SCWM/WC_SERVICE_MQ_REPLAY (Replay Function Modules for Workcenter)
● /SCWM/WAVE_MGMT_MQ_REPLAY (Replay Function Modules for Wave)
If you use the message queue monitor node in the warehouse management monitor, you must add these function
groups to authorization S_RFC. Use the activity Execute (16) and the Function Group (FUGR) type of RFC object.
For delivery and warehouse task processing, for example, confirming and creation of warehouse tasks, you must
add the function group /SCWM/DELIVERY_MQ_REPLAY (Replay Function Modules for Deliveries) to authorization
S_RFC.
These authorizations are already in the standard roles in EWM, so they are only relevant if you create your own
roles.
13.9.3.2 Internet Communication Framework Security (ICF)
You should only activate those services that are needed for the applications running in your system. For this area
the following services are needed:
● /sap/bc/gui/sap/its/scwm/rfui
This service can be used, for example, to allow warehouse workers to use transaction /SCWM/RFUI from
mobile applications. The service can be accessed from the SAP console or by using ITS mobile. For more
information, see SAP Library for SAP S/4HANA at https://help.sap.com/s4hana. In SAP Library choose
SAP S/4HANA > Enterprise Business Applications > Supply Chain > Extended Warehouse Management >
Radio Frequency Framework > Work Processing Using Radio Frequency > Resource Management Using Radio
Frequency.
● /sap/bc/webdynpro/scwm/
In this path various Web Dynpro user interfaces (UIs) for Extended Warehouse Management as well as for
SAP Dock Appointment Scheduling are contained.
● /sap/bc/srt/xip/scwm
Contains services which are used for SAP Process Integration communication.
● /sap/bc/srt/rfc/scwm
Contains services which are used for remote function call (RFC) communication. For example,
RFID_AII_EWM which is used to exchange radio frequency identification information with SAP Auto-ID
Infrastructure (SAP AII).
Use the transaction SICF to activate these services.
If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings
accordingly.
For more information about ICF security, see the respective chapter in the SAP NetWeaver Security Guide.
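When a firewall or reverse proxy in front of the system filters URLs down to the services listed above, the filter has to canonicalize the request path before it compares prefixes, otherwise an encoded or doubly encoded dot segment reaches an ICF node outside the list. The following allow-list check is an added example, not SAP code or the configuration of any particular firewall product; it uses the four ICF paths from this section. Treating the path case-insensitively is an assumption about how the upstream server matches ICF nodes: if yours is case-sensitive, drop the `.lower()`.

```python
"""Allow-list check for a URL-filtering firewall or reverse proxy in front
of the EWM ICF services listed above. Added example, not SAP code.
The request path is normalized (percent-decoding until stable, backslash
to slash, duplicate slashes and dot segments, case) before the prefix
match, so an encoded '..' cannot reach an ICF node outside the list."""
import posixpath
from urllib.parse import unquote

# ICF nodes from this section; each is allowed together with everything below it.
ALLOWED = (
    "/sap/bc/gui/sap/its/scwm/rfui",
    "/sap/bc/webdynpro/scwm/",
    "/sap/bc/srt/xip/scwm",
    "/sap/bc/srt/rfc/scwm",
)


def normalize(path):
    """Canonical form of the path part of a request target."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(5):                      # decode until stable: defeats double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "\0" in path:
        raise ValueError("NUL byte in path")
    path = path.replace("\\", "/")
    # Leading '/' is re-added after stripping so that '//host/...' cannot
    # survive normpath as a protocol-relative form.
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def is_allowed(path, allowed=ALLOWED):
    """True only if the canonical path is one of the allowed nodes or below it."""
    try:
        canonical = normalize(path)
    except ValueError:
        return False
    for node in allowed:
        node = node.rstrip("/").lower()
        if canonical == node or canonical.startswith(node + "/"):
            return True
    return False


if __name__ == "__main__":
    for target in ("/sap/bc/webdynpro/scwm/app?sap-client=100",
                   "/sap/bc/webdynpro/scwm/%252e%252e/sap/other"):
        print(target, "->", is_allowed(target))
```

The prefix is compared with a trailing slash appended, so a look-alike node such as /sap/bc/webdynpro/scwmx/ is not accepted by accident. Requests that the check rejects should be logged with the raw, undecoded target, since the decoded form hides which encoding trick was attempted.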
13.9.3.3 Data Storage Security
Using Logical Path and File Names to Protect Access to the File System
Extended Warehouse Management (EWM) saves data in files in the file system. Therefore, it is important to
explicitly provide access to the corresponding files in the file system without allowing access to other directories
or files (also known as directory traversal). This is achieved by specifying logical paths and file names in the
system that map to the physical paths and file names. This mapping is validated at runtime and if access is
requested to a directory that does not match a stored mapping, then an error occurs.
The following lists show the logical file names and paths used by EWM and for which programs these file names
and paths apply:
Logical File Names Used
The following logical file names have been created in order to enable the validation of physical file names:
● EWM_PI_DOWNLOAD
○ Transactions or programs using this logical file name and parameters used in this context:
○ Transaction /SCWM/PI_DOWNLOAD
○ Program /SCWM/R_PI_STOCK_DWNLD
○ Parameters used in this context:
○ = Warehouse number (CHAR 4)
○ = Counter (NUM2)
○ Logical file path used: EWM_GLOBAL_PATH
Note
The logical filename is fixed and cannot be changed. The logical file contains a physical filename. The
logical file path contains a physical path. The validation and alias definition do not apply for this logical
filename.
● EWM_PI_UPLOAD
○ Transactions or programs using this logical file name:
○ Transaction /SCWM/PI_UPLOAD
○ Program /SCWM/R_PI_FILEUPLD
○ Parameters used in this context:
○ = Warehouse number (CHAR 4)
○ = Creation Date (DATS8)
○ = Counter (NUM2)
○ Logical file path used: EWM_GLOBAL_PATH
Note
The logical filename is fixed and cannot be changed. The logical file contains a physical filename. The
logical file path contains a physical path. The validation and alias definition do not apply for this logical
filename.
● EWM_STOCK_UPLOAD
○ Transactions or programs using this logical file name:
○ Transaction /SCWM/ISU
○ Program /SCWM/R_INITIALSTOCKUPLOAD
○ Parameters used in this context: = Warehouse number (CHAR 4)
○ Logical file path used: EWM_STOCK_UPLOAD_PATH
● EWM_STOBIN_UPLOAD
○ Transactions or programs using this logical file name:
○ Transaction /SCWM/SBUP
○ Program /SCWM/TLAGP_UPLOAD
○ Logical file path used: EWM_STOBIN_UPLOAD_PATH
● EWM_STOBIN_SORT_UPLOAD
○ Transactions or programs using this logical file name:
○ Transaction /SCWM/SRTUP
○ Program /SCWM/TLAGPS_UPLOAD
○ Logical file path used: EWM_STOBIN_SORT_UPLOAD_PATH
● EWM_MS_RESULT
○ Transactions or programs using this logical file name:
○ Transaction /SCWM/MS_RESULT
○ Program /SCWM/R_MS_RESULT_READ
○ Parameters used in this context: = Warehouse number (CHAR 4)
○ Logical file path used: EWM_GLOBAL_PATH
Note
The logical filename is fixed and cannot be changed. The logical file contains a physical filename. The
logical file path contains a physical path. The validation and alias definition do not apply for this logical
filename.
● EWM_ELS_FRML
● EWM_ELS_ST
● EWM_ELS_STE
● EWM_ELS_SEQ
● EWM_ELS_ASS
○ Transactions or programs using this logical file name:
○ Transaction /SCWM/ELS_UPLOAD
○ Program /SCWM/ELS_UPLOAD
○ Logical file path used: EWM_GLOBAL_PATH
Note
The logical filename is fixed and cannot be changed. The logical file contains a physical filename. The
logical file path contains a physical path. The validation and alias definition do not apply for this logical
filename.
● EWM_MS_RESULT
○ Transactions or programs using this logical file name:
○ Transaction /SCWM/PI_SAMP_UPDATE
○ Program /SCWM/PI_SAMP_UPDATE_RESULT
○ Parameters used in this context: = Warehouse number (CHAR 4)
○ Logical file path used: EWM_GLOBAL_PATH
Note
The logical filename is fixed and cannot be changed. The logical file contains a physical filename. The
logical file path contains a physical path. The validation and alias definition do not apply for this logical
filename.
● EWM_PRODUCT_UPLOAD
○ Transactions or programs using this logical file name:
○ Transaction /SCWM/MIG_PRODUCT
○ Program /SCWM/R_MIG_PRODUCT
○ Logical file path used: EWM_PRODUCT_UPLOAD_PATH
● EWM_PACKSPEC_UPLOAD
○ Transactions or programs using this logical file name:
○ Transaction /SCWM/MIG_PRODUCT
○ Transaction /SCWM/IPU
○ Program /SCWM/R_MIG_PRODUCT
○ Program /SCWM/R_PS_DATA_LOAD
○ Logical file path used: EWM_PACKSPEC_UPLOAD_PATH
● EWM_PI_COMPL_UPLOAD
○ Transactions or programs using this logical file name:
○ Transaction /SCWM/MIG_PI_COMPL
○ Program /SCWM/R_MIG_PI_COMPL
○ Logical file path used: EWM_PI_COMPL_UPLOAD_PATH
● EWM_TDC_EDGE and EWM_TDC_RSRC
○ Transactions or programs using this logical file name:
○ Transaction /SCWM/TDC_UPLOAD
○ Program /SCWM/TDC_UPLOAD
○ Logical file path used: EWM_GLOBAL_PATH
● EWM_TATT_UPLOAD (Logical File for Upload of Time and Attendance Events)
○ Transactions or programs using this logical file name:
○ Transaction /SCWM/TATT_UPLOAD
○ Program /SCWM/R_LM_TATT_UPLOAD
○ Parameters used in this context: = Warehouse number (CHAR 4)
○ Logical file path used: EWM_GLOBAL_PATH
Activating the Validation of Logical Path and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To find out which
paths are being used by your system, you can activate the corresponding settings in the Security Audit Log.
For more information about data storage security, see the respective chapter in the SAP NetWeaver Security
Guide.
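The mechanism described above (a logical file name with parameters, a logical path with a physical directory, and a runtime check that the resolved physical name fits the mapping) can be modelled in a few lines to show what the validation buys. The following is an added example, not SAP code and not the implementation behind transactions FILE and SF01: the directories, the `<PARAM_n>` and `<FILENAME>` templates, and the parameter formats are assumptions, while the logical names and parameter meanings (warehouse number CHAR 4, counter NUM2) are taken from the lists above. It goes one step further than the text by checking each parameter against its declared format before substitution, and it also validates raw physical names handed in directly, which is the case the runtime check protects.

```python
"""Model of logical file name resolution and runtime validation in the
style of transactions FILE/SF01. Added example, not SAP code: directories,
templates and parameter formats are assumptions; the logical names and
the parameter meanings (warehouse number CHAR 4, counter NUM2) are the
ones listed above."""
import posixpath
import re

# Logical path -> physical path template (assumed directories).
LOGICAL_PATHS = {
    "EWM_STOCK_UPLOAD_PATH": "/usr/sap/ewm/upload/stock/<FILENAME>",
    "EWM_GLOBAL_PATH": "/usr/sap/ewm/global/<FILENAME>",
}
# Logical file name -> (physical name template, logical path, parameter formats).
LOGICAL_FILES = {
    "EWM_STOCK_UPLOAD": ("stock_<PARAM_1>.csv", "EWM_STOCK_UPLOAD_PATH", [r"[A-Z0-9]{1,4}"]),
    "EWM_PI_DOWNLOAD": ("pi_<PARAM_1>_<PARAM_2>.txt", "EWM_GLOBAL_PATH",
                        [r"[A-Z0-9]{1,4}", r"[0-9]{2}"]),
}


class FileNameError(ValueError):
    """Raised when a name does not fit its logical definition."""


def validate(physical, logical_path):
    """Runtime check: after normalization the file must sit directly in the
    directory that the logical path maps to. This rejects '..' segments,
    subdirectories and look-alike prefixes such as .../stockX/."""
    base_dir = posixpath.dirname(LOGICAL_PATHS[logical_path])
    if "\0" in physical or "\\" in physical:
        raise FileNameError(f"illegal character in {physical!r}")
    normalized = posixpath.normpath(physical)
    if posixpath.dirname(normalized) != base_dir:
        raise FileNameError(f"{physical!r} is outside logical path {logical_path}")
    return normalized


def is_valid(physical, logical_path):
    try:
        validate(physical, logical_path)
        return True
    except FileNameError:
        return False


def physical_name(logical_file, params):
    """Substitute the parameters into the template (each checked against its
    declared format first, so a warehouse number cannot carry path
    characters) and validate the result against the logical path."""
    template, logical_path, formats = LOGICAL_FILES[logical_file]
    if len(params) != len(formats):
        raise FileNameError(f"{logical_file} expects {len(formats)} parameter(s)")
    name = template
    for i, (value, fmt) in enumerate(zip(params, formats), start=1):
        if not re.fullmatch(fmt, value):
            raise FileNameError(f"parameter {i} {value!r} does not match {fmt}")
        name = name.replace(f"<PARAM_{i}>", value)
    physical = LOGICAL_PATHS[logical_path].replace("<FILENAME>", name)
    return validate(physical, logical_path)


def resolve_or_none(logical_file, params):
    """physical_name() for callers that prefer None over an exception."""
    try:
        return physical_name(logical_file, params)
    except FileNameError:
        return None


if __name__ == "__main__":
    print(physical_name("EWM_STOCK_UPLOAD", ["W001"]))
    print(resolve_or_none("EWM_STOCK_UPLOAD", ["../W001"]))
    print(is_valid("/usr/sap/ewm/upload/stock/../../../../etc/passwd", "EWM_STOCK_UPLOAD_PATH"))
```

The directory comparison is done on the normalized name and with equality rather than a string prefix, which is what stops both `../` and a sibling directory whose name merely starts with the allowed one. Note that this model is only a stand-in for the runtime validation that the guide says is switched off by default; it shows why that validation should be activated rather than replacing it.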
13.9.3.4 Deletion of Personal Data
Extended Warehouse Management (EWM) might process data (personal data) that is subject to the data
protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to
control the blocking and deletion of personal data. For more information, see the product assistance for SAP
S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance > Cross
Components > Data Protection.
Table 254: Relevant Application Objects and Available Deletion Functionality

Application: EWM Warehouse Request Processing (for example, inbound deliveries, outbound delivery orders, and production material requests)
Detailed Description: Business partner data is stored in the warehouse request. For example:
● Partner data in the warehouse request header/item
● Ship-to data and ship-from data
● Owner and entitled-to-dispose data on item level
Provided Deletion Functionality: You can delete the objects by using the archiving services. The archiving objects are:
● DLV_INB (Internal Warehouse Request (Inbound Delivery))
● DLV_OUT (Internal Warehouse Request (Outbound Delivery))
● DLV_REQ (Warehouse Request from External Systems)
● DLV_PROD (Production Material Request)

Application: EWM Labor Management
Detailed Description: The processor is recorded in several EWM documents in Labor Management, for example, in warehouse orders and executed workload.
Provided Deletion Functionality: You can delete the objects by using the archiving services. The archiving objects are:
● WME_WO (Warehouse Order)
● WME_EWL (Executed Workload)
● WME_EPD (Performance Document)
● WME_ILT (Indirect Labor Task)

Application: EWM Shipping and Receiving
Detailed Description: In Shipping and Receiving, business partner data may be stored as carrier data in transportation units.
Provided Deletion Functionality: You can delete the objects by using the archiving services. The archiving object is WME_TU (TU Activity).

Application: EWM Value-Added Services
Detailed Description: If you use value-added services (VAS), business partner data may be stored as owner data or entitled-to-dispose data in VAS orders.
Provided Deletion Functionality: You can delete the objects by using the archiving services. The archiving object is WME_VAS (Value-Added Service Order).

Application: EWM Proof of Delivery
Detailed Description: If you use proof of delivery (transaction /SCWM/POD_IMP), business partner data may be stored as carrier data, entitled-to-dispose data, or processor data in the proof of delivery object.
Provided Deletion Functionality: You can delete by using transaction /SCWM/POD_IMP.

Application: EWM Stock Data
Detailed Description: In EWM, stock data may store business partner data as, for example, owner data or entitled-to-dispose data.
Provided Deletion Functionality: You cannot delete directly. You must clear the corresponding stock so that the stock does not exist anymore, by using the Delete Obsolete Table Entries (/LIME/BACKGROUND_DELETE_EXEC) report.

Application: EWM Dock Appointment Scheduling
Detailed Description: In SAP Dock Appointment Scheduling, business partner data may be stored as carrier data in loading appointments.
Provided Deletion Functionality: You can delete by using the Delete Slots and Appointments (/SCWM/R_DAS_DELETE) report.

Application: Transportation Management in EWM
Detailed Description: Business partner data is contained in shipment objects and freight document objects.
Provided Deletion Functionality: You can delete the objects by using the archiving services. The archiving objects are:
● TM_SHP (Shipment)
● TM_FRD (Freight Document)

Application: EWM Warehouse Billing
Detailed Description: In Warehouse Billing, snapshots may contain a business partner.
Provided Deletion Functionality: You can delete billing measurements (BOPF object /SCWM/BM) using archiving object EWM_WBM. You can delete billing measure requests (BOPF object /SCWM/WB_BMR) using deletion report Deletion of WBMR and WBMS (/SCWM/WB_WBMR_DELETION).
Table 255: Relevant Application Objects and Available EoP/WUC Functionality

Application: EWM Warehouse Request Processing (for example, inbound deliveries, outbound delivery orders, and production material requests)
Implemented Solution (EoP or WUC): A where-used check (WUC) is implemented for the business partner object.
Further Information: A WUC is done for the following database tables:
● /SCDL/DB_BPLOC
● /SCDL/DB_EXTNO
● /SCDL/DB_PROCI_O
● /SCDL/DB_PROCI_I
● /SCDL/DB_PROCI_P

Application: EWM Labor Management
Implemented Solution (EoP or WUC): A WUC is implemented for the business partner object.
Further Information: A WUC is done for the following database tables:
● /SCWM/EWRKL
● /SCWM/EPD
● /SCWM/WHO
For indirect labor tasks, the data is stored using order document management (ODM). The ODM data type is ILT. The corresponding header component is ILT with structure /SCWM/S_ILT_ODM.

Application: EWM Shipping and Receiving
Implemented Solution (EoP or WUC): A WUC is implemented for the business partner object.
Further Information: A WUC is done for the /SCWM/TUNIT database table.

Application: EWM Value-Added Services
Implemented Solution (EoP or WUC): A WUC is implemented for the business partner object.
Further Information: The data is stored using ODM. The ODM data type is VASO. The corresponding item component is VASI with structure /SCWM/S_VAS_ODM_ITM.

Application: EWM Proof of Delivery
Implemented Solution (EoP or WUC): A WUC is implemented for the business partner object.
Further Information: A WUC is done for the /SCWM/POD database table.

Application: EWM Stock Data
Implemented Solution (EoP or WUC): A WUC is implemented for the business partner object.
Further Information: A WUC is done for the following database tables:
● /SCWM/STOCK_IW01
● /SCWM/STOCK_IW02
● /SCWM/STOCK_IW03
● /SCWM/STOCK_IW04

Application: EWM Dock Appointment Scheduling
Implemented Solution (EoP or WUC): A WUC is implemented for the business partner object.
Further Information: A WUC is done for the /SCWM/D_DSAPP database table.

Application: Transportation Management in EWM
Implemented Solution (EoP or WUC): A WUC is implemented for the business partner object.
Further Information: The data is stored using ODM.
● For shipments, the ODM data type is TMSH. The corresponding header component is TSHD with structure /SCMB/TMDL_ODM_SHP_HDR_STR.
● For freight documents, the ODM data type is TMFR. The corresponding header component is TMFH with structure /SCMB/TMDL_ODM_FRD_HDR_STR.

Application: EWM Warehouse Billing
Implemented Solution (EoP or WUC): A WUC is implemented for the business partner object.
Further Information: A WUC is done for the following tables:
● /SCWM/D_WB_FDO
● /SCWM/D_WB_PDI
● /SCWM/D_WB_STOCK
● /SCWM/D_WB_WT
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for Cross-Application Components under Data Protection.
13.9.3.5 Enterprise Services Security
For general information, see the chapters on Web Services Security in the SAP NetWeaver Security Guide and in
the SAP Process Integration Security Guide.
13.9.3.6 Other Security-Relevant Information
Security Aspects of Data Flow and Processes
The following table describes some typical processes and communication channels, along with appropriate security measures:
Table 256:

Process: Mobile devices can be connected using HTTP/ITS mobile (it is also possible to use the SAP console). This is done based on the Internet Communication Framework (ICF) service for RFUI.
Security Measure: For more information, see Internet Communication Framework Security (ICF) [page 428].

Process: For certain scenarios, such as connecting automated physical processes (for example, conveyor systems) using SAP Plant Connectivity, remote function calls (RFCs) are used. Depending on the scenario, IDocs may also be used (for example, when warehouse control units are used).
Security Measure: For more information, see the SAP NetWeaver Security Guide.

Process: Extended Warehouse Management (EWM) offers the possibility of uploading and downloading data. In many of these transactions it is possible to either choose a local file system (PC) or files on the application server.
Security Measure: Ensure that only a few people can access these transactions and that access to the application server file system is restricted. You should design logical paths and filenames to restrict the access. For more information, see Data Storage Security [page 428].

Process: EWM offers a collaborative scenario for SAP Dock Appointment Scheduling. This enables appointment planners for carriers to access the system using SAP Gateway or Web Dynpro ABAP technology, for example, from outside the company network.
Security Measure: In this scenario, users outside of the company or firewall may access the system. For such scenarios, special attention must be paid to assigning authorizations to these users, and to the system setup and how the access from outside the company is granted.

Process: EWM offers a scenario for Warehouse Billing where there is an integration with the SAP Transportation Management (SAP TM) system.
Security Measure: In this scenario, EWM can extract billing-relevant information from SAP TM and send order and settlement information back to SAP TM. The communication is performed using enterprise services or Web services.

Process: EWM Fiori apps, for example, for deliveries or returns processing.
Security Measure: In this scenario, SAP Fiori accesses EWM using SAP Gateway. For more information, see SAP Library for SAP Fiori.
Security for Additional Applications
Geocoding
EWM can, in some cases, make use of third-party geocoding applications, for example, PTV eServer. The software could be used, for example, to calculate geographical information for the locations or distances for transportation lanes. To connect to the third-party software, this software may require an RFC destination on the EWM side. For more information on geocoding, see SAP Library for SAP S/4HANA at https://help.sap.com/s4hana. In SAP Library, choose SAP S/4HANA Enterprise Business Applications Supply Chain SCM Basis SCM Basis Master Data Location. For any security issues regarding the third-party application, for example, PTV eServer software, see the third-party documentation.
SAP Plant Connectivity for Scale Integration
EWM can, in some cases, integrate an external scale. The software could be used, for example, to calculate the weight of a handling unit. A sample implementation exists for this in the Determination of HU Weight Using Scale (/SCWM/EX_WRKC_UI_GET_WEIGHT) Business Add-In. In this example, the system uses SAP Plant Connectivity to integrate an external scale. This software may require an RFC destination on the EWM side to connect to SAP Plant Connectivity.
For information about SAP Plant Connectivity, see SAP Help Portal at https://help.sap.com/pco. For information about security for SAP Plant Connectivity, see the security guide for SAP Plant Connectivity on SAP Service Marketplace at https://service.sap.com/securityguides.
13.9.4 Deletion of Personal Data
Use
Location master data may contain personal data that is subject to the data protection laws applicable in specific
countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of
personal data. For more information, see the Product Assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance Enterprise Business Applications Manufacturing Production Planning and Detailed Scheduling Master Data Location Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 257:

Application: SCM Location
Detailed Description: Without ILM
Provided Deletion Functionality: You can run the report /SAPAPO/DELETE_LOCATIONS from the SAP Easy Access menu, under SAP Menu Logistics SCM Extended Warehouse Management SCM Basis Master Data Location; select the location, then choose Extras Delete Location.

Application: ILM-enabled SCM Location
Detailed Description: Refer to What's New for ILM-related information for SCM Location (SCMB_LOC)
Provided Deletion Functionality: Destruction object /SCMB/LOC; ILM object SCMB_LOC

Relevant Application Objects and Available EoP/WUC Functionality
Table 258:

Application: SCM Location
Implemented Solution (EoP or WUC): End of Purpose (EoP) check
Further Information: (none)
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of location master data in Customizing for SCM Extended Warehouse Management under SCM Basis Master Data Location Location Master Data Deletion.
13.9.5 Transportation Management
This section of the Operations Guide for SAP S/4HANA, on-premise edition contains information on operations tasks specific to Transportation Management.
13.9.5.1 Security Aspects of Data, Data Flow and Processes
E-mail-Based Tendering Scenario
The figure below shows an overview of the e-mail based tendering scenario for Transportation Management (TM).
Figure 7: E-Mail-Based Tendering Scenario
Table 259: Steps for E-Mail Based Tendering Scenario

Step 1
Description: HTML e-mail is created via BCS and sent to SMTP server
Security Measure: In Customizing for TM, the use of encryption and digital signatures needs to be enabled. In Customizing for Transportation Management, choose Freight Order Management Tendering Define General Settings for Tendering 03 – E-mail and SMS Content E-Mail Security Settings.

Step 2
Description: Proxy applies encryption and digital signature to e-mail
Security Measure: External secure e-mail proxy needs to be maintained and activated for the TM system. For more information, see SAP Note 149926. Keys must be exchanged between the sender and recipient prior to sending the e-mail. We highly recommend that you set up the policy for the e-mail proxy in such a way that e-mails can be sent only if encryption and digital signatures are enabled. If this is not possible, for example, due to missing keys, e-mails must not be sent in an insecure way.

Step 3
Description: E-mail is decrypted and signature verified for reading
Security Measure: The e-mail client of the recipient must support encryption and digital signatures, and keys must have been exchanged beforehand by the sender and the recipient.

Step 4
Description: Reply is encrypted and signed and sent back to TM system
Security Measure: Refer to step 3

Step 5
Description: Proxy verifies signature and decrypts e-mail content
Security Measure: Refer to step 2

Step 6
Description: Decrypted and verified e-mail is processed
Security Measure: Not applicable
Recommendation
To access the TM system externally, we recommend that you define a system alias in the web dispatcher. The web dispatcher redirects the request to the correct hostname and port so that an external user can use a hyperlink, which contains the alias, to access the system.
You create a tendering notification e-mail in the TM system. The system sends this e-mail to the carrier with a hyperlink to the carrier's worklist in the TM system or in the TM collaboration portal. The hyperlink contains the system alias instead of the physical hostname and port. To use the alias, ensure that you have implemented SAP Note 1748036 or 1747651, and SAP Note 1783590. Subsequently, you need to specify the following settings in the TM system:
1. Create an alias in transaction SM59.
2. In the Target Host field, enter the system alias as specified in the web dispatcher.
3. Enter the alias in the 03 E-Mail and SMS Content screen in Customizing for Transportation Management under Freight Order Management Tendering Define General Settings for Tendering.
File Upload Scenario
The figure below shows an overview of the file upload scenario for TM.
Figure 8: File Upload Scenario
The table below shows the security aspects to be considered for each process step and which mechanism applies.
Table 260: Steps for File Upload Scenario

Step 1
Description: User inserts link to a file he or she wants to upload
Security Measure: User needs to be aware of the file he or she wants to upload

Step 2
Description: HTTPS request is forwarded and file is sent to server
Security Measure: Not applicable

Step 3
Description: File size is checked against system parameter icm/HTTP/max_request_size_KB; only the amount of data specified is forwarded
Security Measure: Maximum file size needs to be restricted to secure the server; for more information, see the Security Guide for SAP NetWeaver 7.5 on SAP Service Marketplace at http://service.sap.com/securityguide. In the Security Guide, choose Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for the AS ABAP Web Dynpro ABAP Security Guide Security Notes for FileUpload UI Elements.

Step 4
Description: MIME type of file is checked against white list
Security Measure: The extension of the uploaded file (but not its content) is checked against the MIME type white list; as a prerequisite for using the white list, SAP Note 1514253 must be implemented.

Step 5
Description: File is checked by virus scan and request only forwarded if scan is clear
Security Measure: Virus scan needs to be active in your system. For more information, see SAP Library for SAP NetWeaver 7.5 at http://help.sap.com/nw. In SAP Library, choose SAP NetWeaver SAP NetWeaver Library: Function-Oriented View Security Security Developer Documentation Secure Programming Secure Programming – Java Secure Programming SAP Virus Scan Interface. We strongly recommend that you create a virus scan profile with linkage type All steps successful.

Step 6
Description: File is stored in database
Security Measure: Not applicable

Step 7
Description: Information is sent back to user
Security Measure: Not applicable
Caution
Only file extensions are compared to the entries in the white list, not the content of the files.
The file upload function can be disabled to prevent users from uploading files to your system. To disable the file upload function, you must implement SAP Note 1514253. We recommend that you disable the upload function if it is not required by your business scenarios.
Always ensure that your virus scan is set up and working correctly before enabling file uploads. If your virus scan is not up and running, do not use the file upload.
For information about uploading TACT rates to TM, see SAP Library for TM at http://help.sap.com/tm. In SAP Library for TM, choose Master Data Charge Management and Service Product Catalogs Setup of Service Product Catalogs and Charge Management MD TACT Rates TACT Rate Upload.
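As an added illustration of steps 3 to 5 of the file upload scenario and of the Caution above (example code written for this page, not SAP's own file upload implementation): a Python upload gate that applies the request size limit, the extension white list, and a virus scan with all-steps-successful semantics, and adds a leading-bytes content check that the extension white list alone does not perform. The limit value, the white list, the magic bytes, the scanners and the sample files are all constructed stand-ins for icm/HTTP/max_request_size_KB, the MIME type white list and the virus scan profile.

```python
"""Upload gate modelled on steps 3 to 5 of the file upload scenario.

Added example, not SAP code. Every value below is a constructed stand-in.
"""
from dataclasses import dataclass
from typing import Callable, Sequence

# Constructed value standing in for the icm/HTTP/max_request_size_KB parameter.
MAX_REQUEST_SIZE_KB = 64

# Constructed MIME type white list keyed by file extension. This is the check
# the guide describes: the extension is compared, the content is not.
MIME_WHITE_LIST = {
    ".pdf": "application/pdf",
    ".png": "image/png",
    ".csv": "text/csv",
}

# Leading bytes for the extra content check. text/csv has no signature, so a
# CSV can only ever be checked on its extension.
MAGIC_BYTES = {
    "application/pdf": b"%PDF-",
    "image/png": b"\x89PNG\r\n\x1a\n",
}

# A scan step takes the file content and returns True when it reports clean.
ScanStep = Callable[[bytes], bool]


@dataclass(frozen=True)
class UploadDecision:
    accepted: bool
    reason: str  # "ok", or the name of the check that rejected the file


def file_extension(filename: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def content_matches_extension(filename: str, data: bytes) -> bool:
    """True when the leading bytes fit the MIME type the extension claims.
    Types without a known signature pass this check unexamined."""
    mime = MIME_WHITE_LIST.get(file_extension(filename))
    signature = MAGIC_BYTES.get(mime)
    return signature is None or data.startswith(signature)


def check_upload(filename: str, data: bytes, scan_steps: Sequence[ScanStep],
                 max_kb: int = MAX_REQUEST_SIZE_KB) -> UploadDecision:
    # Step 3: request size limit.
    if len(data) > max_kb * 1024:
        return UploadDecision(False, "size")
    # Step 4: extension against the white list.
    if file_extension(filename) not in MIME_WHITE_LIST:
        return UploadDecision(False, "extension")
    # Extra content check the white list does not do (see the Caution): a
    # renamed archive carrying a .pdf extension is caught here.
    if not content_matches_extension(filename, data):
        return UploadDecision(False, "content")
    # Step 5: virus scan, modelled on a profile with linkage type
    # "All steps successful": no active scanner means no upload, every
    # configured step must report clean, and a scanner error counts as not clean.
    if not scan_steps:
        return UploadDecision(False, "scanner-inactive")
    for step in scan_steps:
        try:
            clean = step(data)
        except Exception:
            return UploadDecision(False, "scan-error")
        if not clean:
            return UploadDecision(False, "virus")
    return UploadDecision(True, "ok")


# Constructed scanners: one flags a marker string instead of real signatures,
# the other simulates an unreachable scan engine.
TEST_MARKER = b"CONSTRUCTED-UNWANTED-CONTENT-MARKER"


def marker_scanner(data: bytes) -> bool:
    return TEST_MARKER not in data


def failing_scanner(data: bytes) -> bool:
    raise RuntimeError("scan engine unreachable (constructed)")


if __name__ == "__main__":
    print(check_upload("rates.pdf", b"%PDF-1.4 constructed", [marker_scanner]))
    print(check_upload("rates.pdf", b"PK\x03\x04 constructed", [marker_scanner]))
```

The order of the checks matters: the cheap size check runs before anything touches the content, and the scanner is consulted last so that an unreachable engine cannot be turned into an accept by a later step.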
13.9.5.2 Authorizations
Transportation Management (TM) uses the authorization concept provided by the SAP NetWeaver AS ABAP.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Application
Server ABAP Security Guide, Java Security Guide, and ABAP and Java Security Guides also apply to TM.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’s
user administration console for the AS Java.
Role and Authorization Concept for SAP Transportation Management 9.4
Standard roles and authorization objects are delivered with TM. For more information about the standard roles
and authorization objects and how to use them, see the following section.
Standard Roles
TM contains standard roles that you must copy to create your own roles. For each of the standard roles, a set of
predefined authorization proposals is delivered. Since it is not possible to predefine all authorization values (these
will strongly depend on your specific business and scenarios), you will have to add any missing data to the
proposed authorization values. In some cases, you may have to change the proposed values to your own values.
Caution
We strongly recommend that you always check the delivered authorization proposals carefully.
The list below shows the standard roles in TM that you can copy.
● /SCMTMS/BOOKING_AGENT
● /SCMTMS/CAPACITY_MANAGER
● /SCMTMS/CARRIER_SETTLEMENT_SP
● /SCMTMS/CUSTOMER_SERVICE_AGENT
● /SCMTMS/CUSTOMER_SETTLEMENT_SP
● /SCMTMS/DISPATCHER
● /SCMTMS/DISPLAY
● /SCMTMS/FREIGHT_CONTRACT_SPEC
● /SCMTMS/PLANNER
● /SCMTMS/SERVICE_PROVIDER
● /SCMTMS/TRANSPORTATION_MGR_V2
● /SCMTMS/PROCESS_ADMINISTRATOR
● /SCMTMS/CAPACITY_MANAGER
● /SCMTMS/COLL_PORTAL
● /TMUI/COLL_PORTAL
● /TMUI/COLL_PORTAL_DEMO
Recommendation
The role /SCMTMS/DISPLAY is designed for an auditor who can view all content in a system, for example, master data and transactional data such as business documents. The role does not allow any data to be changed. The role can be assigned to users who conduct security or financial audits.
For more information, see SAP Library for SAP Transportation Management 9.4 on SAP Help Portal at http://help.sap.com/transportationmanagement94. In SAP Library, choose Basic Functions Roles.
Standard Authorization Objects
For TM, there are two kinds of authorization objects:
● Static checks of the technical business objects along with their nodes and actions, or of organizational data
objects
● Instance-based authorization objects, with which you can check authorization for the specified business
documents or other objects, depending on business-relevant data such as organization information
For instance-based authorization checks, there are two basic concepts. First, you can define authorization values
based on identifiers for all profiles or other objects that cannot be classified any further by specific types, but only
depending on their identifier. Second, you can define authorization values based on category, type, and further
characteristics such as organizational data that can classify business documents beyond their identifier.
Besides the standard activities that can be defined for each authorization object for authorization field ACTVT, you
can also define whole groups of activities for several authorization actions as an activity area. This means that you
can define a distinct activity area, thereby allowing or preventing a whole set of actions related to this area. For
example, you do not have to define all actions relating to subcontracting activities separately for a role, but only to
define the activity area for subcontracting.
For information about authorizations in TM, see SAP Library for TM on SAP Help Portal at http://help.sap.com/transportationmanagement94. In SAP Library, choose Basic Functions Authorizations.
If you want to display the authorization objects in TM, on the SAP Easy Access screen, choose Tools ABAP Workbench Development Other Tools Authorization Objects Objects and open object class SCTS.
Note
You can also create your own authorization objects and implement the corresponding checks in BAdIs
Authorization Check and Data Retrieval Before Authorization Check.
For more information, see Customizing for Transportation Management under Business Add-Ins (BAdIs) for
Transportation Management Basic Functions Authorizations .
In TM, you have a special permission object T_TM_ALL. System users who run batch jobs can use this permission
object. To use this permission object, you must have all application specific permissions. Note that if you maintain
this object in a certain role, all other TM permission objects will not be checked for this role anymore.
The table below shows the security-relevant authorization objects from other components that are used by TM.
The list does not include basis authorization objects used for central functions or administration.
Table 261: Standard Non-TM Authorization Objects

SAP SCM Basis 7.0

Authorization Object: /SCMB/PESL
Field: ACTVT, USER. In the USER field, you can enter the user for which you want to execute the activities in the ACTVT field.
Value: (06) Delete, (34) Write
Description: Define Planning Service Manager (PSM) Selection. The authorization object enables the specified user to save and delete his or her selections.

Authorization Object: /SCTM/SCU
Field: /SCMB/SCU, ACTVT
Description: Use of supply chain units in routes.

Authorization Object: C_MD_SCU
Field: /SCMB/SCU, ACTVT

Business Context Viewer

Authorization Object: BCV_USAGE
Field: ACTVT
Value: (70) Administer (US)
Description: Business Context Viewer usage

Authorization Object: BCV_PERS
Field: ACTVT, BCV_CTXKEY, BCV_QRYVID
Description: Personalize BCV User Interface for Query View

Business Rules Framework

Authorization Object: FDT_OBJECT
Field: FDT_ACT, FDT_APPL, FDT_OBJTYP
Description: You use this authorization object to control usage of objects of the specified type in BRFplus.

Authorization Object: FDT_WORKB
Field: FDT_WB_ACT
Description: This authorization object controls whether a user is authorized to use the BRFplus workbench and its tools.

APO

Authorization Object: C_APO_DEF
Field: ACTVT, APO_PLNR, APO_DEFT, APO_DEFN
Value: (01) Create or generate, (02) Change, (03) Display, (06) Delete
Description: APO Authorization Object: Master Data, Resource Definitions

Authorization Object: C_APO_LOC
Field: ACTVT, APO_LOC
Value: (01) Create or generate, (02) Change, (03) Display, (06) Delete, (16) Execute, (32) Save
Description: APO Authorization Object: Master Data, Locations

Authorization Object: C_APO_PROD
Field: ACTVT, APO_LOC, APO_PROD
Value: (01) Create or generate, (02) Change, (03) Display, (06) Delete, (16) Execute
Description: APO Authorization Object: Master Data, Products

Authorization Object: C_APO_RES
Field: ACTVT, APO_PLNR, APO_LOC, APO_RES
Value: (01) Create or generate, (02) Change, (03) Display, (06) Delete, (16) Execute
Description: APO Authorization Object: Master Data, Resources

EH&S

Authorization Object: C_EHSP_TPP
Field: ACTVT, LANGUAGE, ESECATPIN, ESEPHRGRP, PPSTAT
Value: (02) Change, (03) Display
Description: This authorization is checked in the transactions for phrase management for entry into the hit list.

Authorization Object: C_SHEP_TPG
Field: ACTVT, ESECATPIN, ESEPHRGRP
Value: (01) Create or generate, (02) Change, (03) Display, (59) Distribute
Description: This authorization object is checked in the phrase management transactions when entering and leaving the hit list. The activities "change" and "display" are also checked here.

Authorization Object: M_MATE_DGM
Field: ACTVT
Value: (01) Create or generate, (02) Change, (03) Display, (06) Delete, (61) Export, (82) Supplement
Description: Using the authorization object M_MATE_DGM, you can prevent dangerous goods master data from being displayed or edited.

Formula & Derivation Tool

Authorization Object: FDT_OBJECT
Field: FDT_APPL, FDT_OBJTYP, FDT_ACT
Value: (1) Create, (2) Change, (3) Display, (4) Delete, (5) Activate
Description: You use this authorization object to control the authorization to display, create, change, or delete objects in the Formula & Derivation Tool (including functions, expressions, expression types, filters, and applications).

Human Resources

Authorization Object: PLOG
Field: PLVAR, OTYPE, INFOTYP, SUBTYP, ISTAT, PPFCODE
Value: Not applicable
Description: The present object is used by the authorization check for PD data.

SAP SCM Optimizer

Authorization Object: S_RFC
Field: ACTVT, RFC_NAME, RFC_TYPE
Value: (16) Execute
Description: Required authorization to start the SAP SCM Optimizer and use most of the administrator transactions.

SAP Event Management

Authorization Object: X_EM_EH
Field: ACTVT, /SAPTRX/PN, /SAPTRX/PV
Value: (03) Display, (10) Post
Description: Event handler authorization

Authorization Object: X_EM_EH_CH
Field: ACTVT, /SAPTRX/SO
Value: (01) Create or generate, (02) Change, (05) Lock, (06) Delete, (63) Activate, (95) Unlock
Description: Event handler changes

Authorization Object: X_EM_EVM
Field: ACTVT, /SAPTRX/CS, /SAPTRX/CD
Value: (32) Save the sender code set and sender code ID
Description: Event messages

Cross-Application Authorization Objects

Authorization Object: CA_POWL
Field: POWL_APPID, POWL_QUERY, POWL_CAT, POWL_LSEL, POWL_TABLE, POWL_RA_AL
Value: POWL_QUERY:
(01) Users are allowed to create, change, and delete their own queries for all POWL object types assigned to them (compare with Customizing tables POWL_TYPE_USR and POWL_TYPE_ROL).
(02) Users are only allowed to create their own queries on the basis of admin queries assigned to them in Customizing tables POWL_QUERY_USR and POWL_QUERY_ROL respectively. (Note: this is also subject to the user – POWL object type assignments.)
(03) (and other values): Users are only allowed to change admin queries assigned to them with respect to the select options restrictions of those admin queries (thus creating a separate "derivation" for each admin query transparently).
POWL_CAT:
(01) Users are allowed to create, change, and delete their own categories and assign queries to them.
(02) Users are only allowed to assign queries to the existing categories and change the order of queries.
(03) (and other values): Users are not allowed to reassign queries or change the query order. Note: if field POWL_QUERY is set to 01 or 03, setting POWL_CAT to 03 is not advisable. Therefore, the value is implicitly set to 02 in this case.
Description: Specifies the authorities for Personal Object Worklist (POWL) iViews

Authorization Object: S_SERVICE
Field: SRV_NAME, SRV_TYPE
Description: This authorization object is automatically checked when external services are started. This is required for Gateway Services used by the TM Collaboration Portal.

Authorization Object: S_RFCACL
Field: RFC_SYSID, RFC_CLIENT, RFC_USER, RFC_EQUSER, RFC_TCODE, RFC_INFO, ACTVT
Value: (16) Execute
Description: Authorization check for RFC users, especially for trusted systems. This is required for Gateway Services used by the TM Collaboration Portal.

Authorization Object: S_WFAR_OBJ
Field: ACTVT, OAARCHIV, OADOKUMENT, OAOBJEKTE
Value: (01) Create or generate
Description: This authorization object is used to control access to archived documents.

Authorization Object: S_ARCHIVE
Field: ACTVT, APPLIC, ARCH_OBJ
Description: This authorization object is used in SAP archiving programs to protect the access to archive files.

Authorization Object: B_BUPA_RLT
Field: ACTVT, RLTYP
Description: With this authorization object you define which BP roles can be edited.

Authorization Object: B_BUPR_BZT
Field: ACTVT, RELTYP
Description: With this authorization object you establish which relationship categories can be processed.

Authorization Object: S_DATASET
Field: ACTVT, FILENAME, PROGRAM
Description: You use this object to assign authorizations for accessing operating system files.

Authorization Object: S_WF_WI
Field: TASK_CLASS, WFACTVT, WI_TYPE
Description: Authorization object for working with work items in SAP Business Workflow

Authorization Object: S_SCD0
Field: ACTVT

Recommendation
To segregate duties using roles and authorization values in TM, we recommend that you restrict the
authorizations of the different roles to the business-related minimum.
With the authorization concept provided by TM, you can restrict authorization based on business document
categories, such as Freight Order or Freight Booking, or on business document types, which you can create for
the supplied business document categories. Furthermore, all critical business-related activities can be
restricted for the different roles. These activities include creating business documents, displaying business
documents or master data, triggering charge calculations, subcontracting freight documents, requesting
customs declarations, and other activities or activity areas for the authorization objects of object class SCTS.
Duties can, therefore, be segregated according to your business and scenarios.
Note that we do not recommend providing one role with full authorization for a business document or process,
so that one role cannot be used, for example, to create and maintain a business document, add charge data to
it, send it to a business partner, and create the invoice for that document. Such activities should be spread over
different roles.
In addition, one user must not be assigned to different roles that would provide full authorization for a business
document or process as described above.
Note
If your scenario contains an approval workflow process, you need to create or maintain user WF-BATCH
accordingly.
For general information about creating and maintaining the WF-BATCH user, see SAP Note 1251255.
As described in SAP Note 1251255, you also need to assign a role used for TM to user WF-BATCH. Depending on your specific scenario, this could be a role created according to role template /SCMTMS/TRANSPORTATION_MGR_V2, but this can also differ according to your business scenario.
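The segregation-of-duties recommendation above, worked through as an added Python example that is not part of the guide or of TM itself: it models role grants, the T_TM_ALL short-circuit described earlier (other TM authorization objects are not checked once T_TM_ALL is maintained in a role), and an audit that flags both a single role and a user's combination of roles giving full authorization for the create, charge, send and invoice chain. The Z_* role names, the object names TM_DOC, TM_CHARGE, TM_SUBCONTRACT and TM_INVOICE, the activity values and the user assignments are constructed; T_TM_ALL and ACTVT are the names used on this page.

```python
"""Segregation-of-duties audit over TM role assignments.

Added example, not SAP code. T_TM_ALL and ACTVT are names from the guide; the
roles, objects, activity values and user assignments below are constructed.
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Grant = Tuple[str, str]  # (authorization object, ACTVT value)

# T_TM_ALL modelled as one wildcard grant: the guide states that once it is
# maintained in a role, the other TM authorization objects are no longer
# checked for that role.
T_TM_ALL: Grant = ("T_TM_ALL", "*")

# Constructed role definitions (copies of the standard roles would carry the
# real authorization values).
ROLES: Dict[str, FrozenSet[Grant]] = {
    "Z_TM_DISPATCHER":  frozenset({("TM_DOC", "01"), ("TM_DOC", "02"), ("TM_DOC", "03")}),
    "Z_TM_CHARGES":     frozenset({("TM_DOC", "03"), ("TM_CHARGE", "16")}),
    "Z_TM_SUBCONTRACT": frozenset({("TM_DOC", "03"), ("TM_SUBCONTRACT", "16")}),
    "Z_TM_SETTLEMENT":  frozenset({("TM_DOC", "03"), ("TM_INVOICE", "01")}),
    "Z_TM_ALL_IN_ONE":  frozenset({("TM_DOC", "01"), ("TM_CHARGE", "16"),
                                   ("TM_SUBCONTRACT", "16"), ("TM_INVOICE", "01")}),
    "Z_TM_BATCH":       frozenset({T_TM_ALL}),
}

# The chain the guide warns against concentrating in one role or one user:
# create the document, add charge data, send it to a partner, create the invoice.
FULL_PROCESS_CHAIN: FrozenSet[Grant] = frozenset({
    ("TM_DOC", "01"), ("TM_CHARGE", "16"), ("TM_SUBCONTRACT", "16"), ("TM_INVOICE", "01"),
})


def effective_grants(role_names: Iterable[str]) -> Set[Grant]:
    """Union of the grants of all assigned roles."""
    grants: Set[Grant] = set()
    for name in role_names:
        grants |= ROLES[name]
    return grants


def is_authorized(role_names: Iterable[str], obj: str, actvt: str) -> bool:
    """Authorization check including the T_TM_ALL short-circuit."""
    grants = effective_grants(role_names)
    return T_TM_ALL in grants or (obj, actvt) in grants


def covers_full_chain(grants: Set[Grant]) -> bool:
    return T_TM_ALL in grants or FULL_PROCESS_CHAIN <= grants


def over_broad_roles() -> List[str]:
    """Roles that alone give full authorization for the process."""
    return sorted(name for name, grants in ROLES.items() if covers_full_chain(set(grants)))


def sod_violations(assignments: Dict[str, List[str]]) -> Dict[str, str]:
    """Users whose combined roles give full authorization, with the reason."""
    findings: Dict[str, str] = {}
    for user, roles in assignments.items():
        grants = effective_grants(roles)
        if T_TM_ALL in grants:
            findings[user] = "T_TM_ALL: no other TM authorization objects are checked"
        elif FULL_PROCESS_CHAIN <= grants:
            findings[user] = "roles combine to the full process chain: " + ", ".join(sorted(roles))
    return findings


# Constructed sample of user-to-role assignments.
SAMPLE_ASSIGNMENTS: Dict[str, List[str]] = {
    "ALICE":    ["Z_TM_DISPATCHER", "Z_TM_CHARGES"],
    "BOB":      ["Z_TM_DISPATCHER", "Z_TM_CHARGES", "Z_TM_SUBCONTRACT", "Z_TM_SETTLEMENT"],
    "WF-BATCH": ["Z_TM_BATCH"],
}

if __name__ == "__main__":
    print("roles with full authorization:", over_broad_roles())
    for user, reason in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(user, "->", reason)
```

Both audits need to run: a role catalogue can pass the single-role check while a user still accumulates the chain across several individually harmless roles, and a role carrying T_TM_ALL has to be reported regardless of what else it contains, because the other TM objects no longer restrict it.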
13.9.5.3 Deletion of Personal Data
Use
Transportation Management (TM) might process data (personal data) that is subject to the data protection laws
applicable in specific countries as described in SAP Note 1825544 .
For more information see also the specific notes for TM:
● 2149395 – Deletion and Blocking of cBP in TM
● 2149396 – Simplified Data Deletion based on SAP ILM in TM
The SAP Information Lifecycle Management (ILM) component supports the entire software lifecycle including the
storage, retention, blocking, and deletion of data. TM uses SAP ILM to support the deletion of personal data as
described in the following sections.
SAP delivers an end of purpose check for business partners and locations in TM using a two-step approach:
1. The system fills a new database table with the Start of Retention Time (SoRT) information per business partner or location business object and application rule variant as soon as a 'completed' document is saved.
2. The system uses the EoP check to decide whether a business partner or location can be blocked. During the
EoP check, the system determines the SoRT information relevant for that business partner or location from
the database table containing the SoRT information. The SoRT information is required to determine the
relevant ILM policies and to calculate the correct end-of-purpose time depending on the defined ILM policies.
For more information, see http://help.sap.com/transportationmanagement94 under Transportation Management Application Help Transportation Management Basic Functions Blocking and Deletion of Personal Data in TM End-of-Purpose Framework.
SAP delivers a where-used check (WUC) for business partners and locations in TM including master data objects
such as transportation charge rates, transportation charge scales, locations, and resources.
TM registers an EoP check in the Customizing settings for the blocking and deletion of business partners and
locations and in addition provides a WUC for business partners and locations. For information about the
Customizing of blocking and deletion for TM, see below, Configuration: Simplified Blocking and Deletion.
Features
End of Purpose (EoP) Check
An end of purpose check determines whether data is still relevant for business activities based on the retention
period defined for the data. The retention period of data consists of the following phases.
● Phase one: The relevant data is actively used.
● Phase two: The relevant data is actively available in the system.
● Phase three: The relevant data needs to be retained for other reasons.
For example, processing of data is no longer required for the primary business purpose, but to comply with
legal rules for retention, the data must still be available. In phase three, the relevant data is blocked.
Blocking of data prevents the business users of SAP applications from displaying and using data that may
include personal data and is no longer relevant for business activities.
Blocking of data can impact system behavior in the following ways:
● Display: The system does not display personal data of a blocked business partner or location.
● Change: It is not possible to change a completed business document that contains a blocked business partner
or location.
● Create: It is not possible to create a business document using a blocked business partner or location. As soon
as a blocked business partner or location is entered, the system raises a suitable error message.
● Copy/Follow-Up: It is not possible to copy a business object or perform follow-up activities for a business
object that contains blocked data.
● Search: The system does not display blocked data in the result list of search helps. The same is true for
technical queries based on the business object for business partner /SCMTMS/BUPA and the business object
for locations (/SCMTMS/LOCATION).
It is possible to display blocked data if a user has special authorization (SAP_CA_BP_DP_ADMIN). However, it is
still not possible to create, change, copy, or perform follow-up activities on blocked data.
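The two-step EoP check, the where-used check and the blocking effects described above, as an added Python model that is not SAP code: completed documents fill a SoRT table, the EoP check compares each SoRT plus its retention period against today's date, a WUC over sample tables vetoes blocking while references remain, and display of blocked data is permitted only with SAP_CA_BP_DP_ADMIN while create is refused even then. The rule variant, retention period, table name, partners and documents are constructed, and taking the latest completion date as the SoRT per partner and rule variant is an assumption of this model, not a statement from the guide.

```python
"""Two-step end-of-purpose check with a where-used check and blocking rules.

Added example, not SAP code. Sample data is constructed; the SoRT rule
(latest completion date per partner and rule variant) is a modelling assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

SortKey = Tuple[str, str]  # (business partner ID, application rule variant)


@dataclass
class CompletedDocument:
    doc_id: str
    partner: str
    rule_variant: str
    completed_on: date


@dataclass
class Partner:
    bp_id: str
    name: str
    blocked: bool = False


class DataProtectionModel:
    def __init__(self, retention: Dict[str, timedelta]) -> None:
        self.retention = retention                       # ILM policy per rule variant
        self.sort_table: Dict[SortKey, date] = {}        # step 1: SoRT table
        self.where_used_tables: Dict[str, Set[str]] = {} # table name -> partner IDs referenced

    def save_completed(self, doc: CompletedDocument) -> None:
        """Fill the SoRT table as soon as a completed document is saved."""
        key = (doc.partner, doc.rule_variant)
        current = self.sort_table.get(key)
        if current is None or doc.completed_on > current:
            self.sort_table[key] = doc.completed_on

    def end_of_purpose_reached(self, bp_id: str, today: date) -> bool:
        """Step 2: every SoRT entry plus its retention period lies in the past."""
        entries = [(variant, sort) for (bp, variant), sort in self.sort_table.items() if bp == bp_id]
        if not entries:
            return False  # assumption: nothing recorded, nothing to decide
        return all(sort + self.retention[variant] <= today for variant, sort in entries)

    def where_used(self, bp_id: str) -> List[str]:
        """WUC: names of the tables that still reference the partner."""
        return sorted(name for name, ids in self.where_used_tables.items() if bp_id in ids)

    def try_block(self, partner: Partner, today: date) -> Tuple[bool, str]:
        """Block only when EoP is reached and the WUC finds no remaining use."""
        if not self.end_of_purpose_reached(partner.bp_id, today):
            return False, "retention period not over"
        hits = self.where_used(partner.bp_id)
        if hits:
            return False, "still used in: " + ", ".join(hits)
        partner.blocked = True
        return True, "blocked"


# Blocking effects from the guide: display needs SAP_CA_BP_DP_ADMIN, create is
# refused for everyone.
DP_ADMIN_AUTH = "SAP_CA_BP_DP_ADMIN"


def display_partner(partner: Partner, user_auths: Set[str]) -> str:
    if partner.blocked and DP_ADMIN_AUTH not in user_auths:
        return "*** blocked ***"
    return partner.name


def create_document(partner: Partner) -> str:
    if partner.blocked:
        return f"error: business partner {partner.bp_id} is blocked"
    return f"document for {partner.bp_id}"


def build_sample_model() -> DataProtectionModel:
    """Constructed sample: one retention policy, two partners, one WUC table."""
    model = DataProtectionModel({"FREIGHT_ORDER": timedelta(days=365)})
    model.save_completed(CompletedDocument("FO-1", "BP1", "FREIGHT_ORDER", date(2016, 3, 1)))
    model.save_completed(CompletedDocument("FO-2", "BP1", "FREIGHT_ORDER", date(2016, 6, 1)))
    model.save_completed(CompletedDocument("FO-3", "BP2", "FREIGHT_ORDER", date(2017, 9, 1)))
    model.where_used_tables["ZTM_RATES"] = {"BP1"}  # constructed master data table
    return model


if __name__ == "__main__":
    model = build_sample_model()
    today = date(2018, 1, 1)
    for bp in (Partner("BP1", "Carrier One"), Partner("BP2", "Carrier Two")):
        print(bp.bp_id, model.try_block(bp, today))
```

The WUC is what keeps the EoP check honest: BP1's retention period is over, yet the partner is still referenced from a master data table, so the block is refused until that reference is cleaned up.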
Relevant Application Objects and Available EoP Functionality
Table 262:

Application: TM
Implemented Solution (EoP or WUC): End of Purpose Check (EoP). EoP Function Module: /SCMTMS/DPP_EOP_CHECK
Further Information: The End of Purpose check (EoP) for business partners includes the following business objects:
● /SCMTMS/BUS_SHARE
● /SCMTMS/CUSTFREIGHTINVREQ
● /SCMTMS/FREIGHTAGREEEMENT
● /SCMTMS/SUPPFREIGHTINVREQ
● /SCMTMS/TOR
● /SCMTMS/TRQ
● /SCMTMS/TAL
● /SCMTMS/WAYBILLNO
The End of Purpose check (EoP) for locations includes the following business objects:
● /SCMTMS/CUSTFREIGHTINVREQ
● /SCMTMS/SUPPFREIGHTINVREQ
● /SCMTMS/TOR
● /SCMTMS/TRQ

Application: TM
Implemented Solution (EoP or WUC): Where-Used Check (WUC)
Further Information: In addition to the business objects handled in the EoP Check, the Where-Used Check (WUC) for business partners also includes master data objects such as:
● Transportation Charge Calculation Sheets
● Transportation Charge Rates
● Transportation Charge Scales
● Locations
● Resources
Process Flow
1. Before archiving data, you must define residence times and retention periods in SAP Information Lifecycle Management (ILM).
○ Run transaction IRMPOL and maintain the required residence and retention policies for the central business partner (ILM object: CA_BUPA) or location (ILM object: SCMB_LOC).
○ Run transaction IRMPOL and maintain the required retention policies for the ILM objects of TM.
2. You choose whether data deletion is required for data stored in archive files or for data stored in the database; this also depends on the type of deletion functionality available.
3. To determine which business partners or locations have reached end of purpose and can be blocked, you do the following, if you have the necessary authorization:
○ Run transaction BUPA_PRE_EOP to execute the end of purpose check function for the central business partner.
○ Run transaction /SCMB/LOC_PRE_EOP to execute the end of purpose check function for the location.
4. To unblock blocked business partner or location data, you do the following, if you have the necessary authorization:
○ Request unblocking of blocked business partner data by using transaction BUP_REQ_UNBLK.
○ Unblock the requested data by running transaction BUPA_PRE_EOP.
○ To unblock location data, run transaction /SCMB/LOC_UNBLOCK_MD.
5. Delete data by using transaction ILM_DESTRUCTION for the ILM objects of TM.
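The three lifecycle phases, the residence/retention policies from the process flow, and the blocking rules can be checked together in a small model. This is an added Python illustration, not SAP code: the clock start (last change date), the rule that blocking requires both end of purpose and an elapsed residence time, and all class and function names are assumptions; only SAP_CA_BP_DP_ADMIN comes from the text.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet

# Illustrative model of the three-phase lifecycle and the blocking rules; not
# SAP code. Assumptions: residence and retention clocks start at the partner's
# last change date, a partner is blocked once every application reports end of
# purpose AND the residence time has elapsed, and it may be destroyed once the
# retention period has elapsed. SAP_CA_BP_DP_ADMIN is named on the page.

ADMIN_AUTH = "SAP_CA_BP_DP_ADMIN"


@dataclass(frozen=True)
class IlmPolicy:
    """Residence time and retention period as maintained in IRMPOL (values constructed)."""
    residence_days: int
    retention_days: int


@dataclass(frozen=True)
class BusinessPartner:
    bp_id: str
    last_change: date
    eop_reached: bool  # True once the EoP check (e.g. BUPA_PRE_EOP) found no remaining purpose


def lifecycle_phase(bp: BusinessPartner, policy: IlmPolicy, today: date) -> str:
    """Map a partner to 'active' (phase one), 'available' (phase two),
    'blocked' (phase three) or 'destroyable' (retention period over)."""
    if not bp.eop_reached:
        return "active"
    age_days = (today - bp.last_change).days
    if age_days < policy.residence_days:
        return "available"
    if age_days < policy.retention_days:
        return "blocked"
    return "destroyable"


def is_blocked(bp: BusinessPartner, policy: IlmPolicy, today: date) -> bool:
    # Phase-three data stays blocked until ILM_DESTRUCTION removes it.
    return lifecycle_phase(bp, policy, today) in ("blocked", "destroyable")


def operation_allowed(op: str, bp: BusinessPartner, policy: IlmPolicy,
                      today: date, user_auths: FrozenSet[str]) -> bool:
    """Apply the 'Blocking of data can impact system behavior' rules.

    display  -> hidden for blocked partners unless the user holds SAP_CA_BP_DP_ADMIN
    search   -> blocked partners never appear in search help results
    change/create/copy/follow_up -> never possible with blocked data, admin or not
    """
    if op not in {"display", "search", "change", "create", "copy", "follow_up"}:
        raise ValueError(f"unknown operation: {op!r}")
    if not is_blocked(bp, policy, today):
        return True
    if op == "display":
        return ADMIN_AUTH in user_auths
    return False
```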
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of data in Customizing for Cross-Application
Components under Data Protection.
● Define the settings for authorization management under Data Protection → Authorization Management. For more information, see the Customizing documentation.
● Define the settings for blocking in Customizing for:
○ Business Partner: Cross-Application Components under Data Protection → Blocking and Unblocking → Business Partner
○ Location: Transportation Management → Master Data → Transportation Network → Location → Location Master Deletion
● Define the Customizing settings for TM. For more information, see http://help.sap.com/tm under Transportation Management → Application Help → Transportation Management (TM) → Basic Functions → Blocking and Deletion of Personal Data in TM → Customizing Settings for Data Protection and Privacy.
13.9.5.4 Security-Relevant Logging and Tracing
SAP systems have a variety of logs for system administration, monitoring, problem solving, and auditing
purposes. Audits and logs are important for monitoring the security of your system and to track events, in case of
problems.
Note
Auditing and logging for SAP NetWeaver components is described in detail in the SAP NetWeaver Security Guide. For more information, see http://help.sap.com/nw75 and choose Security Guide → Security Aspects for Lifecycle Management → Auditing and Logging.
Security Audit Log Triggered by Virus Scan Interface (VSI)
Class CL_VSI automatically creates entries in the Security Audit Log for infections and scan errors found,
together with the following information:
● Profile
● Profile step allowing the detection of the scanner-group
● Kind of virus found, with internal virus ID of the scan engine, if available
● User name and timestamp
The messages logged are located in message class VSCAN using system log messages BU8 and BU9 (created in
transaction SE92). The severities are set to High and Medium respectively. The severity of the audit class is set to
Miscellaneous.
For more information, see Customizing for SAP Supply Chain Management under SAP Web Application Server → System Administration → Virus Scan Interface.
Audit Information System (AIS)
Information about auditing and logging for the Audit Information System (AIS) is described in detail in the SAP
NetWeaver 7.5 Security Guide.
For more information, see The Audit Info System (AIS) at http://help.sap.com/nw75 . Choose Security Guide → Security Aspects for Lifecycle Management → Auditing and Logging → The Audit Info System (AIS).
For more information about security logs for the SAP Gateway, see the Logging in SAP Gateway section of the SAP Gateway Developer Guide for SAP Gateway SP06.
Transportation Management (TM)
Tracing and Logging of Business Objects
In TM, you can log messages raised by business objects in the application log.
In the standard system, logging is deactivated. To activate logging, in Customizing for Transportation Management, choose Basic Functions → User Interface → Define Message Settings. Note that logging has a negative impact on overall system performance; this is why SAP recommends switching on logging only when required.
To access the application log, on the SAP Easy Access screen or in SAP NetWeaver Business Client, choose Application Administration → Application Log: Display Logs. Alternatively, call transaction SLG1.
For more information, see Application Logging under Logging of Specific Activities in the SAP NetWeaver 7.5
Security Guide on SAP Help at http://help.sap.com/nw .
Activating Change Documents
In TM, you can activate change documents to log changes to master data, business objects, and so on.
You must activate change documents in Customizing before the system can store them. For information about
the objects for which you can activate change documents and where to activate them, see the corresponding
section in the TM documentation:
Table 263:
Object | Customizing Path
Location | Transportation Management → Master Data → Transportation Network → Location → Activate Change Documents
Transportation lane | Transportation Management → Master Data → Transportation Network → Transportation Lane → Activate Change Documents
Product | SCM Basis → Master Data → Product → Activate Change Documents
Freight unit | Transportation Management → Planning → Freight Unit → Define Freight Unit Types (Track Changes checkbox)
Freight order | Transportation Management → Freight Order Management → Freight Order → Define Freight Order Types (Track Changes checkbox)
Freight booking | Transportation Management → Freight Order Management → Freight Booking → Define Freight Booking Types (Track Changes checkbox)
Freight agreement | Transportation Management → Master Data → Agreements and Service Products → Define Freight Agreement Types (Track Changes checkbox)
Forwarding agreement | Transportation Management → Master Data → Agreements and Service Products → Define FWA and Service Product Catalog Types (Track Changes checkbox)
Forwarding order | Transportation Management → Forwarding Order Management → Forwarding Order → Define Forwarding Order Types (Track Changes checkbox)
Forwarding quotation | Transportation Management → Forwarding Order Management → Forwarding Quotation → Define Forwarding Quotation Types (Track Changes checkbox)
Forwarding settlement | Transportation Management → Settlement → Forwarding Settlement → Define Forwarding Settlement Document Types (Track Changes checkbox)
Freight settlement | Transportation Management → Settlement → Freight Settlement → Define Freight Settlement Document Types (Track Changes checkbox)
Order-based transportation requirement | Transportation Management → Integration → ERP Logistics Integration → Order-Based Transportation Requirement → Define Order-Based Transportation Requirement Types (Track Changes checkbox)
Delivery-based transportation requirement | Transportation Management → Integration → ERP Logistics Integration → Delivery-Based Transportation Requirement → Define Delivery-Based Transportation Requirement Types
Service order | Transportation Management → Freight Order Management → Service Order → Define Service Order Types (Track Changes checkbox)
SAP SCM Optimizer
For information about the trace and log files for the SAP SCM Optimizer, see the SAP SCM 7.0 Component
Security Guide on SAP Service Marketplace at http://service.sap.com/securityguide .
For more information about the logging and tracing mechanisms from SAP NetWeaver, go to http://help.sap.com/nw75 . Choose Security Guide → Security Aspects for Lifecycle Management → Auditing and Logging.
13.10 Analytics Technology
13.10.1 Process Performance Monitoring
13.10.1.1 Process Observer
13.10.1.1.1 Roles for Process Observer
Process Observer uses the authorization concept provided by SAP NetWeaver Application Server for ABAP.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
SAP delivers the following standard roles for Process Observer. You can use these roles as a template for your
own roles.
Table 264:
Role | Description
Administration (SAP_POC_ADMINISTRATION) | This single role contains all the functions that you need to set up process monitoring:
● Maintain Customizing
● Implement tracing in the application
● Schedule jobs
● Delete log entries and execute mass deletion of log entries
● Update the master registry
● Carry out configuration activities
Define Process (SAP_POC_MODEL) | This single role contains all the functions that you need to create a process definition:
● Define a process
● Define BRFplus rules
● Create a process simulation
View Process (SAP_POC_MONITOR) | This single role contains all the functions that you need to view process details in the Process Monitor SAP GUI screen:
● Display process details
Analytics (SAP_POC_ANALYTICS) | This single role contains all the functions that you need to access the process-monitoring-relevant analytics content in the SAP Business Information Warehouse:
● Display analytics information
Launchpad for Order to Cash Dashboard (SAP_BW_POC_O2C_ANALYTICS) | This single role contains all the functions required to launch the Dashboard for the O2C scenario.
Side Panel for Process Observer Data (SAP_POC_SIDEPANEL) | This single role enables the user to see Process Observer data for standard transactions such as display sales order, display inquiry, and so on, in a side panel using SAP Business Client.
Administration (SAP_POC_ADMIN) | This composite role contains all the functions that you need to set up process monitoring.
Business Process Expert (SAP_POC_BPX) | This composite role contains all the functions that you need, as a business process expert, to set up process definitions:
● Define a process
● Define BRFplus rules
● Create a process simulation
● Display process details
Standard Authorization Object
The basis for all roles used for data security for Process Observer is the authorization object POC_AUTH.
13.11 Enterprise Technology
13.11.1 Central Master Data
13.11.1.1 Authorizations and Roles used by Central Master Data
The Central Master Data uses the authorization concept provided by the SAP NetWeaver AS for ABAP or AS Java.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP and SAP NetWeaver AS Security Guide Java also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’s
user administration console on the AS Java.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
The table below shows the standard roles that are used.
Table 265:
Role | Description
SAP_BR_BUPA_MASTER_SPECIALIST | Master Data Specialist - Business Partner Data
SAP_BR_PRODMASTER_SPECIALIST | Master Data Specialist - Product Data
SAP_BR_BPC_EXPERT | Configuration Expert - Business Process Configuration
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 266:
Authorization Object | Description
B_BUPA_GRP | Business Partner: Authorization Groups
B_BUPA_RLT | Business Partner: BP Roles
B_BUPA_BZT | Business Partner Relationships: Relationship Categories
F_KNA1_APP | Customer: Application Authorization
F_KNA1_BED | Customer: Account Authorization
F_KNA1_BUK | Customer: Authorization for Company Codes
F_KNA1_GEN | Customer: Central Data
F_KNA1_GRP | Customer: Account Group Authorization
V_KNA1_BRG | Customer: Account Authorization for Sales Areas
V_KNA1_VKO | Customer: Authorization for Sales Organizations
F_LFA1_APP | Supplier: Application Authorization
F_LFA1_BEK | Supplier: Account Authorization
F_LFA1_BUK | Supplier: Authorization for Company Codes
F_LFA1_GEN | Supplier: Central Data
F_LFA1_GRP | Supplier: Account Group Authorization
M_LFM1_EKO | Purchasing Organization in Supplier Master Record
13.11.1.2 Deletion of Personal Data
Use
The Central Master Data might process data (personal data) that is subject to the data protection laws
applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking
and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP
Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance → Cross Components → Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 267:
Application | Provided Deletion Functionality
Business Partner/Customer/Supplier | ILM_DESTRUCTION
Relevant Application Objects and Available EoP functionality
Table 268:
Application | Implemented Solution (EoP or WUC) | Further Information
Business Partner/Customer/Supplier | EoP check | EoP is determined based on the last change date of the business partner/customer/supplier master data.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner/customer/supplier master
data in Customizing for Cross-Application Components→Data Protection.
13.11.2 Specific Read Access Log Configurations
Use
In Read Access Logging (RAL), you can configure which read-access information to log and under which
conditions.
SAP delivers sample configurations for applications.
Supplier master data display and maintenance log data in order to track disclosure of the supplier minority indicator. You can find the configurations as described in the Read Access Logging chapter.
In the following configurations, fields are logged in combination with additional fields, in the following business contexts:
Table 269:
Configuration | Fields Logged | Business Context
VEND_MINDK | LFB1-MINDK, LFB1-LIFNR, LFB1-BUKRS | Log access to minority indicator only if all fields are shown together.
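The combination rule in Table 269 (log only when all three LFB1 fields are shown together) is easy to get wrong when re-implementing or auditing a RAL configuration, so here is an added Python model of it, not SAP's Read Access Logging engine. VEND_MINDK and the LFB1 field names are from the page; the evaluator, the screen-read events and the log record layout are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Illustrative model of the RAL combination rule in Table 269; not SAP's Read
# Access Logging engine. VEND_MINDK and the LFB1 fields come from the page; the
# evaluator, the events and the record layout are constructed assumptions.


@dataclass(frozen=True)
class RalConfig:
    name: str
    logged_fields: FrozenSet[str]  # all of these must be displayed together


VEND_MINDK = RalConfig("VEND_MINDK",
                       frozenset({"LFB1-MINDK", "LFB1-LIFNR", "LFB1-BUKRS"}))


@dataclass(frozen=True)
class ReadEvent:
    user: str
    timestamp: str
    displayed: Dict[str, str]  # field name -> value shown to the user


def evaluate(config: RalConfig, events: List[ReadEvent]) -> List[dict]:
    """Return one log record per event that shows the complete field
    combination. A partial display (for example supplier number and company
    code without the minority indicator) is not logged, and fields outside
    the configuration are never written to the log."""
    records = []
    for ev in events:
        if config.logged_fields.issubset(ev.displayed):
            records.append({
                "config": config.name,
                "user": ev.user,
                "timestamp": ev.timestamp,
                "fields": {f: ev.displayed[f] for f in sorted(config.logged_fields)},
            })
    return records


# Constructed sample of three screen reads (all values made up).
SAMPLE_EVENTS = [
    ReadEvent("JDOE", "2017-10-01T09:00:00",
              {"LFB1-LIFNR": "0000100001", "LFB1-BUKRS": "1000", "LFB1-MINDK": "M1"}),
    ReadEvent("JDOE", "2017-10-01T09:05:00",
              {"LFB1-LIFNR": "0000100002", "LFB1-BUKRS": "1000"}),
    ReadEvent("ASMITH", "2017-10-01T09:10:00",
              {"LFB1-MINDK": "M1", "LFB1-LIFNR": "0000100003", "LFB1-BUKRS": "2000",
               "LFB1-ZTERM": "Z030"}),
]
```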
13.11.3 Legal Content Management
13.11.3.1 Authorizations and Roles Used by Legal Content Management
Legal Content Management uses the authorization concept provided by the SAP NetWeaver AS for ABAP.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Roles
The table below shows the standard roles that are used.
Table 270:
Role | Description
SAP_BR_ADMINISTRATOR_LCM | Administrator - Legal Content Management
SAP_BR_EMPLOYEE_LEGAL_CONTENT | Employee - Legal Content Management
SAP_BR_LEGAL_COUNSEL | Legal Counsel
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Authorization Object | Description
LCM_GEN | General Activities
LCM_CTXADM | Auth. Obj. for Task in LCM Context Admin. actions
LCM_CTXCAT | Auth. Obj. for Category in LCM Context
LCMDOCSTMP | Auth. object for Stamps in LCM Document
LCMSTMPACT | Auth. object for Stamp activities in LCM Document
LCM_DOCACT | Auth. object for LCM Document header
LCM_LTACT | Auth. Obj. for Task in LCM Legal Transaction Actions
LCM_LTCAT | Auth. Obj. for Category in LCM Legal Transaction
LCM_LTENCC | Auth. Obj. for Company Code in Legal Transaction
LCM_LTENPO | Auth. Obj. for Purchasing organization in Legal transaction
LCM_LTENSO | Auth. Obj. for Sales Organization in Legal Transaction
13.11.3.2 Blocking of Personal Data
The Legal Content Management applications might process data (personal data) that is subject to the data
protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to
control the blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance → Cross Components → Data Protection.
For Legal Content Management, data protection and privacy (DPP) is implemented for the following data:
● Entity types Customer and Supplier
● External contact type Business Partner
The DPP checks are enabled in DCL files that inherit the authorization of the respective standard DCL files. If the user uses the value help for a customer, supplier, or business partner in a legal transaction, the DCL authorization check is executed and the blocked data is filtered out of the list shown in the value help. If the user enters a customer, supplier, or business partner directly, without using the value help, the Business Object Processing Framework (BOPF) validation methods check the data against the CDS views and the blocked data is not displayed.
The same logic is applied in the API. If an API call creates or updates data for a legal transaction, the BOPF validation is done based on the DPP authorization checks.
The following field indicates if the legal transaction is blocked:
● IsBusinessPurposeCompleted - if set to X (true)
End of Purpose Check
The End of Purpose (EoP) check identifies whether all business applications have completed their purpose in using master data, so that it can later be blocked. Basically, the check is performed to see whether a master data record (customer, supplier, or business partner) can be blocked. In Legal Content Management (LCM), the EoP is reached when the legal transaction has reached one of the following statuses:
● Cancelled
● Terminated
● Expired
The central EoP check report calls the LCM modules to check whether any business data is still in use. The LCM module checks the data in the legal transaction and returns the respective status. Whether or not the customer, supplier, or business partner is blocked is determined based on the following scenarios, which can coexist in the same installation:
LCM determines the EoP: The business logic is hosted in LCM and, as long as any of the data is still in use, it cannot be removed or blocked.
Configuration
You configure the settings related to the blocking and deletion of customer, supplier, and business partner master data in Customizing under Cross Application Components → Data Protection → Blocking and Unblocking of Data → Business Partner. For more information, see the documentation of the respective Customizing activities.
The application name for the EoP check is LCM-LT. You need to configure the blocking for the following objects:
Object | Type | EoP Check Object
Legal Transaction | External contact type / Business partner | LCM_LEGALTR_BUPA_EOP_CHECK
Legal Transaction | Entity type / Customer or supplier | CL_LCM_LEGALTR_CVP_EOP_CHECK
13.11.4 Geographical Enablement Framework
13.11.4.1 Authorizations
The framework uses the authorization concept provided by SAP NetWeaver Application Server for ABAP and the SAP HANA platform. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Application Server ABAP Security Guide and the SAP HANA platform security documentation also apply to SAP Geographical Enablement Framework. The SAP authorization concept is based on assigning authorizations to users based on roles. For role maintenance in application server ABAP (AS ABAP), use the profile generator (transaction PFCG) in the back-end system.
Standard Roles
The table below provides the standard roles that are used by the framework.
Table 271:
Roles | Description
sap.gef.data::gef_user | Delivered in the SAP HANA DU for the SAP Geographical Enablement Framework; it provides basic authorization to access the framework schema in SAP HANA (SAP_GEF). You can assign this role to SAP_GEF_USER or other reference users that are created.
sap.gef.data::gef_admin | In addition to all the authorizations provided in the gef_user role, this admin role provides advanced authorizations for administrative tasks.
For AS ABAP, the PFCG role template SAP_GEF_USR is delivered. This template provides basic authorizations for the framework. Other authorization roles, if needed for accessing application data, need to be added to create PFCG roles for consuming the framework services.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 272:
Authorization Object | Field | Value
G_GEF_GEOM | GEF_BO_ID | Business Object ID
G_GEF_GEOM | GEF_CONTXT | Geometry Context ID
G_GEF_GEOM | ACTVT | Activity
13.11.4.2 Internet Communication Framework Security (ICF)
You should only activate the services that are needed for the applications running in your system. For this area the
following services are needed:
● /default_host/sap/ca/GEF/arcgis/rest/services
In this path, the framework can provide services that conform to the specifications of different GIS service
providers, if a custom GIS plug-in is developed and customized. For more information, see the Application
Implementation section in the Geographical Enablement Framework documentation.
● /default_host/sap/ca/GEF/rest/config
In this path, the framework provides configuration information. This service is independent of any GIS service provider.
● /default_host/sap/bc/ui5_ui5/sap/gef_ui
The UI (Geometry Explorer and Geometry Editor) has been delivered to work with the framework. The UI starts from this path.
Use transaction SICF to activate these services.
If your firewalls use URL filtering, also note the URLs used for the services and adjust your firewall settings accordingly.
For more information about ICF security, see the respective chapter in the SAP NetWeaver Security Guide.
13.11.4.3 Data Protection and Privacy
The SAP Geographical Enablement Framework does not collect, store, or process users' personal data. However, applications built on it may. Therefore, SAP recommends activating secure session management. We also recommend that you use SSL to protect the network communications where these security-relevant cookies are transferred.
Read access logging (RAL) monitors and logs read access to sensitive data, if any. It is required for applications to
comply with legal regulations or public standards such as data privacy. In most cases, applications rely on the
underlying business suite to save sensitive data. Therefore, it is also recommended to refer to the documents of
the underlying platforms and activate the RAL based on the needs.
13.11.4.4 Enterprise Services Security
A technical limitation (tracked in security message 1670119508) has been identified; not all the user controlled
inputs are sufficiently validated or encoded. This may cause security issues like Cross-Site Scripting (XSS).
This issue has been investigated and a solution is being implemented at this time. Contact SAP for the availability
of this solution.
13.11.5 Master Data Governance
13.11.5.1 Authorization Objects and Roles Used by SAP MDG,
Consolidation and Mass Processing
Authorization Objects
SAP MDG, consolidation and mass processing uses the authorization objects listed below.
Table 273:
Authorization Object | Description
MDC_PROOT [page 471] | Consolidation Root Permissions
MDC_PFILT [page 472] | Consolidation Cluster Permissions
MDC_MASS [page 472] | Mass Update Permissions
MDC_ADMIN [page 473] | Administrative permissions
MDC_LOAD [page 474] | Load Permissions
MDC_MASSBS [page 475] | Mass Maintenance Permissions
B_BUPA_RLT | Business Partner: BP Roles
B_BUPA_GRP | Business Partner: Authorization Groups
S_BGRFC | Authorization Object for NW bgRFC
M_MATE_MAR | Material Master: Material Types
M_MATE_MAT | Material Master: Materials
M_MATE_WGR | Material Master: Material Groups
B_BUPR_BZT | Business Partner Relationships: Relationship Categories
C_KLAH_BKL | Authorization for Classification
C_TCLA_BKA | Authorization for Class Types
C_TCLS_BER | Authorization for Org. Areas in Classification System
C_TCLS_MNT | Authorization for Characteristics of Org. Area
F_KNA1_BED | Customer: Account Authorization
F_KNA1_GEN | Customer: Central Data
F_LFA1_BEK | Vendor: Account Authorization
F_LFA1_GEN | Vendor: Central Data
Caution
To use SAP MDG, consolidation and mass processing in combination with the functions of SAP MDG, central
governance, see the required authorization objects in the documents listed below:
● Authorization Objects and Roles Used by SAP MDG, Central Governance [page 476]
● Master Data Governance for Business Partner (CA-MDG-APP-BP) [page 478]
● Master Data Governance for Supplier (CA-MDG-APP-SUP) [page 479]
● Master Data Governance for Customer (CA-MDG-APP-CUS) [page 481]
● Master Data Governance for Material (CA-MDG-APP-MM) [page 484]
Standard Roles
Table 274:
Frontend Launchpad Role | Name
SAP_BR_BUPA_MASTER_SPECIALIST | Master Data Specialist - Business Partner Data
SAP_BR_PRODMASTER_SPECIALIST | Master Data Specialist - Product Data
SAP_BR_BPC_EXPERT | Configuration Expert - Business Process Configuration
Table 275:
Backend Authorization Role | Name
SAP_MD_MDC_ADMIN_APP_04 | MDG, Consolidation and Mass Processing: Administrator
SAP_MD_MDC_DISP_BP_APP_04 | MDG, Consolidation and Mass Processing: Business Partner Display
SAP_MD_MDC_SPEC_BP_APP_04 | MDG, Consolidation and Mass Processing: Business Partner Special
SAP_MD_MDC_DISP_BP_NOBS_APP_04 | MDG, Consolidation and Mass Processing: Business Partner Non-SAP
SAP_MD_MDC_SPEC_BP_NOBS_APP_04 | MDG, Consolidation and Mass Processing: Business Partner Non-SAP
SAP_MD_MDC_DISP_MM_APP_04 | MDG, Consolidation and Mass Processing: Material Display
SAP_MD_MDC_SPEC_MM_APP_04 | MDG, Consolidation and Mass Processing: Material Specialist
SAP_MD_MDC_ADM_CUSTOBJ_APP_04 | MDG, Consolidation and Mass Processing: Custom Objects Administrator
SAP_MD_MDC_DISP_CUSTOBJ_APP_04 | MDG, Consolidation and Mass Processing: Custom Objects Display
SAP_MD_MDC_SPEC_CUSTOBJ_APP_04 | MDG, Consolidation and Mass Processing: Custom Objects Specialist
13.11.5.1.1 MDC_PROOT
Use
This document describes details of the authorization object MDC_PROOT.
Features
The activities listed below are assigned to the authorization object.
Table 276:
Activity | Text | Authorization
01 | Create or generate | Create consolidation process
02 | Change | Run consolidation process. The Start, Retry, Rollback, and Save buttons become active.
Note: Either the Start or the Continue button is displayed, depending on whether the process has started or not.
03 | Display | Display consolidation process
06 | Delete | Delete consolidation process. The Delete button becomes active.
31 | Confirm | Continue consolidation process after a process step has been executed.
● The Continue button becomes active.
● If the process pauses at a check point, the Continue button stays active only if the activity 31 Confirm is permitted.
Note: Either the Start or the Continue button is displayed, depending on whether the process has started or not.
36 | Extended maintenance | Adjust configuration within the process UI for the current process. The Adjust link is displayed.
37 | Accept | Continue consolidation process after a matching step that still contains open match groups.
● The Continue button becomes active.
● If the process pauses at a check point and open match groups still exist, the Continue button stays active only if the activity 37 Accept is permitted.
Caution: In addition, the activity 31 Confirm has to be permitted.
Note: Either the Start or the Continue button is displayed, depending on whether the process has started or not.
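The way Table 276 couples ACTVT values to UI controls (in particular that 37 Accept only works together with 31 Confirm) is the kind of rule worth checking when a role is built from this object. Below is an added Python model of that gating, not SAP's implementation; the activity codes, control names and the 37-needs-31 rule are from the table, while the function name and the process-state flags are assumptions.

```python
from typing import Dict, FrozenSet

# Illustrative model of how MDC_PROOT activities gate the consolidation process
# UI (Table 276); not SAP code. Activity codes, control names and the rule that
# 37 additionally needs 31 come from the page; the function and the state
# flags are constructed assumptions.

ACTVT_CREATE, ACTVT_CHANGE, ACTVT_DISPLAY, ACTVT_DELETE = "01", "02", "03", "06"
ACTVT_CONFIRM, ACTVT_EXT_MAINT, ACTVT_ACCEPT = "31", "36", "37"


def ui_state(granted: FrozenSet[str], started: bool,
             open_match_groups: bool) -> Dict[str, bool]:
    """Return which buttons/links are active for a user holding `granted`
    ACTVT values on MDC_PROOT, for a process in the given state.

    started           -> Start is shown before start, Continue afterwards
    open_match_groups -> the process paused after a matching step that still
                         contains open match groups
    """
    # 02 Change: Start, Retry, Rollback and Save
    can_run = ACTVT_CHANGE in granted
    # 31 Confirm: Continue after a step (also at a check point)
    can_continue = ACTVT_CONFIRM in granted
    # 37 Accept: continuing past open match groups needs 37 in addition to 31
    if open_match_groups:
        can_continue = can_continue and ACTVT_ACCEPT in granted
    return {
        "Create": ACTVT_CREATE in granted,
        "Display": ACTVT_DISPLAY in granted,
        "Start": (not started) and can_run,
        "Continue": started and can_continue,
        "Retry": can_run,
        "Rollback": can_run,
        "Save": can_run,
        "Delete": ACTVT_DELETE in granted,
        "Adjust": ACTVT_EXT_MAINT in granted,
    }


def missing_for_continue(granted: FrozenSet[str], open_match_groups: bool) -> FrozenSet[str]:
    """Which activities a role still lacks to be able to continue a started process."""
    needed = {ACTVT_CONFIRM} | ({ACTVT_ACCEPT} if open_match_groups else set())
    return frozenset(needed - set(granted))
```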
13.11.5.1.2 MDC_PFILT
Use
This document describes details of the authorization object MDC_PFILT.
To create a process, you have to select a Source, which is a combination of Source System, Status, and an optional Source Filter.
Features
The field Source Filter (MDC_FILTER) is assigned to the authorization object. Depending on the permitted values, processes are displayed in the process list and sources are displayed in the Sources dialog box during process creation.
13.11.5.1.3 MDC_MASS
Use
This document describes details of the authorization object MDC_MASS.
Features
The activities listed below are assigned to the authorization object.
Table 277:
Activity | Text | Authorization
01 | Create or generate | Create mass processes
02 | Change | Run mass processes. The Start, Retry, Rollback, and Save buttons become active.
Note: Either the Start or the Continue button is displayed, depending on whether the process has started or not.
03 | Display | Display mass processes
06 | Delete | Delete mass processes. The Delete button becomes active.
31 | Confirm | Continue or roll back mass processes after a process step has been executed. The Continue button and the Rollback button become active.
Caution: If the process pauses at a check point, the Continue button and the Rollback button stay active only if the activity 31 Confirm is permitted.
Note: Either the Start or the Continue button is displayed, depending on whether the process has started or not.
36 | Extended maintenance | Adjust configuration within the process UI for the current process. The Adjust link is displayed.
13.11.5.1.4 MDC_ADMIN
Use
This document describes details of the authorization object MDC_ADMIN.
Features
The activities listed below are assigned to the authorization object.
Table 278:
Activity | Text | Authorization
02 | Change | Change process parameters in the process UI, such as:
● Adapter for a process step
● Adapter Configuration
● Check Point
● Data Sources: Selection on Create screen
● Delete Source Data or Keep Source Data: Selection on Create screen
06 | Delete | Delete processes with an inconsistent status (for example, caused by a system error) directly in the UI.
Note: As an alternative, you can run transaction MDC_ADMIN_DELETE in the back-end system to delete processes with an inconsistent status.
60 | Import | Run the report MDC_BP_TRANSFORM_SOURCE_DATA. This report transforms customer and vendor data to business partner data during the data import.
13.11.5.1.5 MDC_LOAD
Use
This document describes details of the authorization object MDC_LOAD.
Features
The activities listed below are assigned to the authorization object.
Table 279:
Activity | Text | Authorization
02 | Change | Change process parameters in the process UI, such as:
    ● Adapter for a process step
    ● Adapter Configuration
    ● Check Point
06 | Delete | Delete processes with an inconsistent status (for example, caused by a system error) directly in the UI.
    Note: As an alternative, you can run the transaction MDC_ADMIN_DELETE in the back-end system to delete processes with an inconsistent status.
60 | Import | Run the report MDC_BP_TRANSFORM_SOURCE_DATA. This report transforms customer and vendor data to business partner data during the data import.
13.11.5.1.6 MDC_MASSBS
Use
This document describes details of the authorization object MDC_MASSBS.
Features
The activities listed below are assigned to the authorization object.
Table 280:
Activity | Text | Authorization
02 | Change | Change process parameters in the process UI, such as:
    ● Adapter for a process step
    ● Adapter Configuration
    ● Check Point
06 | Delete | Delete processes with an inconsistent status (for example, caused by a system error) directly in the UI.
    Note: As an alternative, you can run the transaction MDC_ADMIN_DELETE in the back-end system to delete processes with an inconsistent status.
60 | Import | Run the report MDC_BP_TRANSFORM_SOURCE_DATA. This report transforms customer and vendor data to business partner data during the data import.
13.11.5.2 Authorization Objects and Roles Used by SAP MDG, Central Governance
Authorization Objects
The following authorization objects are used by all components of Master Data Governance.
Note
To obtain more detailed information about specific authorization objects, proceed as follows:
1. Choose SAP Menu > Tools > ABAP Workbench > Development > Other Tools > Authorization Objects > Objects (Transaction SU21).
2. Select the authorization object using and then choose .
3. On the Display authorization object dialog box, choose Display Object Documentation.
Table 281:
Authorization Object | Description
MDG_MDF_TR | Master Data: Transport
MDG_IDM | Key Mapping
USMD_CREQ | Change Request
USMD_MDAT | Master Data
USMD_MDATH | Hierarchies
USMD_UI2 | UI Configuration
DRF_RECEIVE | Authorization for outbound messages for receiver systems
DRF_ADM | Create Outbound Messages
CA_POWL | Authorization for iViews for personal object worklists
BCV_SPANEL | Execute Side Panel
BCV_USAGE | Usage of Business Context Viewer
MDG_DEF | Data Export
MDG_DIF | Data Import
S_DMIS | Authority object for SAP SLO Data migration server
Caution
For information about component-specific authorization objects, see the corresponding sections:
● Master Data Governance for Business Partner (CA-MDG-APP-BP) [page 478]
● Master Data Governance for Supplier (CA-MDG-APP-SUP) [page 479]
● Master Data Governance for Customer (CA-MDG-APP-CUS) [page 481]
● Master Data Governance for Material (CA-MDG-APP-MM) [page 484]
● Master Data Governance for Financial (CA-MDG-APP-FIN) [page 487]
● Master Data Governance for Custom Objects (CA-MDG-COB) [page 488]
Standard Role
Table 282:
Role | Name
SAP_MDG_ADMIN | Master Data Governance Administrator
This role contains the authorizations needed for administrative tasks and for setting up a base configuration in all components of Master Data Governance. Some of these authorizations enable critical activities. If multiple users in your organization are entrusted with the administration and configuration of Master Data Governance, we recommend that you split the role into several roles, each with its own set of authorizations. The role does not contain the authorizations for the respective master data transactions.
Enterprise Search
To use Enterprise Search, users have to be assigned to the role SAP_ESH_SEARCH (Enterprise Search Hub (Composite): Authorizations for searching).
13.11.5.2.1 Master Data Governance for Business Partner (CA-MDG-APP-BP)
Use
Authorization Objects
Master Data Governance for Business Partner mainly uses the authorization objects of the business object Business Partner, the authorization objects of the Application Framework for Master Data Governance, and the authorization objects of the Data Replication Framework.
Table 283:
Authorization Object | Description
B_BUPA_GRP | Business Partner: Authorization Groups
    Note: This authorization object is optional. You need to assign this authorization object only if master data records are to be specifically protected.
B_BUPA_RLT | Business Partner: BP Roles
B_BUPR_BZT | Business Partner Relationships: Relationship Categories
B_CCARD | Payment Cards
BCV_QUILST | Overview
DC_OBJECT | Data Cleansing
BCV_PERS | Personalize BCV UI for Query View
BCV_QRYVW | Query View
BCV_QUERY | Query
BCV_QVWSNA | Query View Snapshot
S_START | Start Authorization Check for TADIR Objects
S_PB_CHIP | ABAP Page Builder: CHIP
S_PB_PAGE | ABAP Page Builder: Page Configuration
Caution
Authorization objects used by all components of Master Data Governance are listed in the document Authorization Objects and Roles Used by SAP MDG, Central Governance [page 476].
Standard Roles
Table 284:
Role | Name
SAP_MDGBP_MENU_04 | Master Data Governance for Business Partner: Menu
SAP_MDGBP_DISP_04 | Master Data Governance for Business Partner: Display
SAP_MDGBP_REQ_04 | Master Data Governance for Business Partner: Requester
SAP_MDGBP_SPEC_04 | Master Data Governance for Business Partner: Specialist
SAP_MDGBP_STEW_04 | Master Data Governance for Business Partner: Data Steward
13.11.5.2.2 Master Data Governance for Supplier (CA-MDG-APP-SUP)
Use
Authorization Objects
Master Data Governance for Supplier does not have dedicated authorization objects, but instead uses the authorization objects of the business objects Business Partner and Vendor, the authorization objects of the Application Framework for Master Data Governance, and the authorization objects of the Data Replication Framework.
Table 285:
Authorization Object | Description
B_BUPA_GRP | Business Partner: Authorization Groups
    Note: This authorization object is optional. You need to assign this authorization object only if master data records are to be specifically protected.
B_BUPA_RLT | Business Partner: BP Roles
B_BUPR_BZT | Business Partner Relationships: Relationship Categories
DC_OBJECT | Data Cleansing
F_LFA1_APP | Vendor: Application Authorization
F_LFA1_BEK | Vendor: Account Authorization
    Note: This authorization object is optional. You need to assign this authorization object only if master data records are to be specifically protected.
F_LFA1_BUK | Vendor: Authorization for Company Codes
F_LFA1_GEN | Vendor: Central Data
F_LFA1_GRP | Vendor: Account Group Authorization
M_LFM1_EKO | Purchasing organization in supplier master data
BCV_PERS | Personalize BCV UI for Query View
BCV_QRYVW | Query View
BCV_QUERY | Query
BCV_QUILST | Overview
BCV_QVWSNA | Query View Snapshot
S_START | Start Authorization Check for TADIR Objects
S_PB_CHIP | ABAP Page Builder: CHIP
S_PB_PAGE | ABAP Page Builder: Page Configuration
C_DRAD_OBJ | Create/Change/Display/Delete Object Link
C_DRAW_DOK | Authorization for document access
C_DRAW_STA | Authorization for document status
C_DRAW_TCD | Authorization for document activities
C_DRAW_TCS | Status-Dependent Authorizations for Documents
Caution
Authorization objects used by all components of Master Data Governance are listed in the document Authorization Objects and Roles Used by SAP MDG, Central Governance [page 476].
Standard Roles
Table 286:
Role | Name
SAP_MDGS_MENU_04 | Master Data Governance for Supplier: Menu
SAP_MDGS_DISP_06 | Master Data Governance for Supplier: Display
SAP_MDGS_REQ_06 | Master Data Governance for Supplier: Requester
SAP_MDGS_SPEC_06 | Master Data Governance for Supplier: Specialist
SAP_MDGS_STEW_04 | Master Data Governance for Supplier: Data Steward
SAP_MDGS_VL_MENU_04 | Master Data Governance for Supplier (ERP Vendor UI): Menu
SAP_MDGS_LVC_MENU_04 | Master Data Governance for Supplier (Lean Request UI): Menu
SAP_MDGS_LVC_REQ_04 | Master Data Governance for Supplier (Lean Request UI): Requester
13.11.5.2.3 Master Data Governance for Customer (CA-MDG-APP-CUS)
Use
Authorization Objects
Master Data Governance for Customer does not have dedicated authorization objects, but instead uses the authorization objects of the business objects Business Partner and Customer, the authorization objects of the Application Framework for Master Data Governance, and the authorization objects of the Data Replication Framework.
Note
Depending on whether you use Master Data Governance for Customer on a hub system or on a client system, a different set of authorization objects is required.
Table 287:
Authorization Object | Description | Hub System | Client System
B_BUPA_GRP | Business Partner: Authorization Groups | x | x
    Note: This authorization object is optional. You need to assign this authorization object only if master data records are to be specifically protected.
B_BUPA_RLT | Business Partner: BP Roles | x | x
B_BUPR_BZT | Business Partner Relationships: Relationship Categories | x | x
B_CCARD | Payment Cards | x | x
DC_OBJECT | Data Cleansing | x |
F_KNA1_APP | Customer: Application Authorization | x | x
F_KNA1_BED | Customer: Account Authorization | x | x
    Note: This authorization object is optional. You do not need to assign this authorization object if no master records are to be specifically protected.
F_KNA1_BUK | Customer: Authorization for Company Codes | x | x
F_KNA1_GEN | Customer: Central Data | x | x
F_KNA1_GRP | Customer: Account Group Authorization | x | x
MDGC_LCOPY | Copy Customer Master Data from MDG Hub | — | x
V_KNA1_BRG | Customer: Account Authorization for Sales Areas | x | x
V_KNA1_VKO | Customer: Authorization for Sales Organizations | x | x
BCV_PERS | Personalize BCV UI for Query View | x | x
BCV_QRYVW | Query View | x | x
BCV_QUERY | Query | x | x
BCV_QUILST | Overview | x | x
BCV_QVWSNA | Query View Snapshot | x | x
S_START | Start Authorization Check for TADIR Objects | x | x
S_PB_CHIP | ABAP Page Builder: CHIP | x | x
S_PB_PAGE | ABAP Page Builder: Page Configuration | x | x
C_DRAD_OBJ | Create/Change/Display/Delete Object Link | x | x
C_DRAW_DOK | Authorization for document access | x | x
C_DRAW_STA | Authorization for document status | x | x
C_DRAW_TCD | Authorization for document activities | x | x
C_DRAW_TCS | Status-Dependent Authorizations for Documents | x | x
Caution
Authorization objects used by all components of Master Data Governance are listed in the document Authorization Objects and Roles Used by SAP MDG, Central Governance [page 476].
Standard Roles
Table 288:
Role | Name
SAP_MDGC_MENU_04 | Master Data Governance for Customer: Menu
SAP_MDGC_DISP_05 | Master Data Governance for Customer: Display
SAP_MDGC_REQ_05 | Master Data Governance for Customer: Requester
SAP_MDGC_SPEC_05 | Master Data Governance for Customer: Specialist
SAP_MDGC_STEW_04 | Master Data Governance for Customer: Data Steward
SAP_MDGC_CL_MENU_04 | Master Data Governance for Customer (ERP Customer UI): Menu
SAP_MDGC_LCC_MENU_04 | Master Data Governance for Customer (Lean Request UI): Menu
SAP_MDGC_LCC_REQ_04 | Master Data Governance for Customer (Lean Request UI): Requester
If you want to restrict the authorizations for users or roles to specific values, go to Create Authorizations for Data Model and define which entity types and attributes are authorization relevant.
13.11.5.2.4 Master Data Governance for Material (CA-MDG-APP-MM)
Authorization Objects
Master Data Governance for Material does not have dedicated authorization objects, but instead uses, for example, the authorization objects of the Material Master and the Application Framework for Master Data Governance.
Table 289:
Authorization Object | Description
K_TP_VALU | Transfer Price Valuations
M_MATE_MAF | Material Master: Material Locks
M_MATE_MAT | Material Master: Material
M_MATE_MAR | Material Master: Material Type
M_MATE_WGR | Material Master: Material Group
M_MATE_STA | Material Master: Maintenance Status
M_MATE_MTA | Material Master: Change Material Type
M_MATE_WRK | Material Master: Plant
M_MATE_MAN | Material Master: Central Data
M_MATE_NEU | Material Master: Create
M_MATE_BUK | Material Master: Company Codes
M_MATE_VKO | Material Master: Sales Organization/Distribution Channel
M_MATE_LGN | Material Master: Warehouse Numbers
C_KLAH_BKL | Authorization for Classification
C_KLAH_BSE | Authorization for Selection
C_TCLA_BKA | Authorization for Class Types
C_DRAD_OBJ | Create/Change/Display/Delete Object Link
C_DRAW_DOK | Authorization for document access
C_DRAW_TCD | Authorization for document activities
C_DRAW_TCS | Status-Dependent Authorizations for Documents
C_DRAW_BGR | Authorization for authorization groups
C_DRAW_STA | Authorization for document status
C_FVER_WRK | PP-PI: Production Version - Plant
DRF_RECEIV | Authorization for outbound messages for receiver systems
DRF_ADM | Create Outbound Messages
PLM_SPUSR | Superuser by Object Type
    Note: You need this authorization object for the object type PLM_MAT only if the search object connector of SAP NetWeaver Enterprise Search is created for the following Enterprise Search software components:
    ● PLMWUI
    ● Software components that include PLMWUI
C_AENR_BGR | CC Change Master – Authorization Group
C_AENR_ERW | CC Eng. Chg. Mgmt. Enhanced Authorization Check
C_AENR_RV1 | CC Engineering change mgmt – revision level for material
BCV_QUILST | Overview
Caution
Authorization objects used by all components of Master Data Governance are listed in the document Authorization Objects and Roles Used by SAP MDG, Central Governance [page 476].
Standard Roles
Table 290:
Role | Name
SAP_MDGM_MENU_06 | Master Data Governance for Material: Menu
SAP_MDGM_DISP_06 | Master Data Governance for Material: Display
SAP_MDGM_REQ_06 | Master Data Governance for Material: Requester
SAP_MDGM_SPEC_06 | Master Data Governance for Material: Specialist
SAP_MDGM_STEW_06 | Master Data Governance for Material: Data Steward
If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under Master Data Governance, Central Governance > General Settings > Data Modeling > Define Authorization Relevance per Entity Type and define which entity types and attributes are authorization relevant.
13.11.5.2.5 Master Data Governance for Financials (CA-MDG-APP-FIN)
Authorization Objects
Table 291:
Authorization Object | Description
USMD_DIST | Distribution
    Note: This authorization object is used if you have not activated business function MDG_FOUNDATION. (Switch: FIN_MDM_CORE_SFWS_EHP5)
USMD_EDTN | Edition
Caution
Authorization objects used by all components of Master Data Governance are listed in the document Authorization Objects and Roles Used by SAP MDG, Central Governance [page 476].
Standard Roles
Table 292:
Role | Description
SAP_MDGF_ACC_DISP_07 | Master Data Governance for Financials: Accounting Display
SAP_MDGF_ACC_REQ_07 | Master Data Governance for Financials: Accounting Requester
SAP_MDGF_ACC_SPEC_07 | Master Data Governance for Financials: Accounting Specialist
SAP_MDGF_ACC_STEW_04 | Master Data Governance for Financials: Accounting Data Steward
SAP_MDGF_CO_DISP_04 | Master Data Governance for Financials: Controlling Display
SAP_MDGF_CO_REQ_06 | Master Data Governance for Financials: Consolidation Requester
SAP_MDGF_CO_SPEC_04 | Master Data Governance for Financials: Consolidation Specialist
SAP_MDGF_CO_STEW_04 | Master Data Governance for Financials: Consolidation Data Steward
SAP_MDGF_CTR_DISP_04 | Master Data Governance for Financials: Controlling Display
SAP_MDGF_CTR_REQ_06 | Master Data Governance for Financials: Controlling Requester
SAP_MDGF_CTR_SPEC_04 | Master Data Governance for Financials: Controlling Specialist
SAP_MDGF_CTR_STEW_04 | Master Data Governance for Financials: Controlling Data Steward
If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under Master Data Governance, Central Governance > General Settings > Data Modeling > Define Authorization Relevance per Entity Type and define which entity types and attributes are authorization relevant.
13.11.5.2.6 Master Data Governance for Custom Objects (CA-MDG-COB)
Authorization Objects
You can use the following authorization objects for Master Data Governance for Custom Objects.
Table 293:
Authorization Object | Description
USMD_DIST | Replication
USMD_DM | Data Model
USMD_EDTN | Edition Type
Caution
Authorization objects used by all components of Master Data Governance are listed in the document Authorization Objects and Roles Used by SAP MDG, Central Governance [page 476].
Standard Role
Table 294:
Role | Name
SAP_MDGX_MENU_04 | Master data governance for self-defined objects
SAP_MDGX_FND_SAMPLE_SF_05 | Master Data Governance for Custom Objects - Flight Data Model (MDG 8.0)
If you want to restrict the authorizations for users or roles to specific values, run the Customizing activity under Master Data Governance, Central Governance > General Settings > Data Modeling > Define Authorization Relevance per Entity Type and define which entity types and attributes are authorization relevant.
13.11.5.3 Authorization Objects and Roles Used by SAP MDG, Master Data Quality
Authorization Objects
SAP MDG, master data quality uses the authorization objects listed below.
Table 295:
Authorization Object | Description
MDQ_EVAL [page 489] | Evaluation
MDQ_RULREP [page 490] | Rule Repository
Caution
To use SAP MDG, master data quality in combination with the functions of SAP MDG, central governance, see the required authorization objects in the documents listed below:
● Master Data Governance for Material (CA-MDG-APP-MM) [page 484]
Standard Roles
Table 296:
Frontend Launchpad Role | Name
SAP_BR_PRODMASTER_STEWARD | Master Data Steward - Product Data
SAP_BR_BPC_EXPERT | Configuration Expert - Business Process Configuration
13.11.5.3.1 MDQ_EVAL
Use
This document describes details of the authorization object MDQ_EVAL.
Features
The activities listed below are assigned to the authorization object.
Table 297:
Activity | Text | Authorization
01 | Create or generate | Backend: Enables the creation of evaluation run information (for example, by using the import API)
    Manage Imports: Enables the import of objects with errors
02 | Change | Backend: Allows updating evaluation run information
    Worklist for Products:
    ● Allows status changes for objects with errors
    ● Allows adding notes for objects with errors
03 | Display | Backend: Enables reading of evaluation data
    Worklist for Products:
    ● Restricts displaying the list of objects with errors
    ● Enables displaying the details of an evaluation run
    ● Defines the list of evaluation settings available in the value help
    Manage Imports:
    ● Defines the list of evaluation settings available in the value help
    ● Restricts the list of data imports shown to the end user
06 | Delete | Backend: Enables the deletion of evaluation data via report MDQ_DELETE_EVALUATION_DATA
13.11.5.3.2 MDQ_RULREP
Use
This document describes details of the authorization object MDQ_RULREP.
Features
The activities listed below are assigned to the authorization object.
Table 298:
Activity | Text | Authorization
01 | Create or generate | Backend: Enables the creation of rule data information
    Manage Imports: Enables the import of rule data information
02 | Change | Backend: Allows updating rule data information
03 | Display | Manage Imports:
    ● Defines the list of Rule Repositories available in the value help
    ● Restricts the list of data imports shown to the end user
13.11.5.4 Deletion of Personal Data in Master Data Governance
Use
For personal data processed in the Master Data Governance (MDG) application, you can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal under Product Assistance > Cross Components > Data Protection.
Relevant Application Object
Table 299:
Application | Provided Deletion Functionality
MDG Change Requests | Archiving object USMD_CR
For more information about the application object, see the product assistance for SAP S/4HANA on the SAP Help Portal under Product Assistance > Cross Components > Master Data Governance > Data Protection in Master Data Governance > Data Archiving in Master Data Governance.
Configuration: Simplified Blocking and Deletion
● You configure the settings related to the blocking and deletion of business partner, customer, and supplier master data in Customizing under Cross-Application Components > Data Protection > Deletion of Data > Deletion of Business Partner Data.
● For information on defining ILM rules, see the product assistance for SAP S/4HANA on the SAP Help Portal under Product Assistance > Cross Components > SAP Information Lifecycle Management > Using ILM Retention Management in the Application System > Editing ILM Policies > Editing Retention Rules.
● For information on defining End of Purpose checks, see the product assistance for SAP S/4HANA on the SAP Help Portal under Product Assistance > Cross Components > Data Protection > Simplified Blocking and Deletion > End of Purpose (EoP) Check.
End of Purpose
Master Data Governance for Business Partner (MDG-BP), Master Data Governance for Supplier (MDG-S), and Master Data Governance for Customer (MDG-C) are applications that provide a workflow-based governance process for business partners. Within this process, the applications MDG-BP, MDG-S, and MDG-C do not store business partners permanently. In any case, MDG-BP, MDG-S, and MDG-C do not process business partners that have the end of purpose indicator assigned.
For Master Data Governance, consolidation and Master Data Governance, mass processing, we recommend using only business partner records that are not selected for End of Purpose (EoP).
The MDG, consolidation application and the MDG, mass processing application do not process business partners that have the end of purpose indicator assigned.
For MDG, consolidation, we recommend deleting source data after the end of the consolidation process.
Storage of Personal Data
All Master Data Governance applications store data only temporarily.
Changes to Personal Data
The system logs changes to personal data using change documents.
Read Access Logging for MDG
For information on read access logging, see Read Access Logging under Data Protection in this Security Guide.
Enhancements
● For Master Data Governance for Custom Objects, we do not recommend enhancing personal data in your own objects. If it is necessary, you need to ensure that the enhanced data is archived and deleted in line with the End of Purpose (EoP) requirement.
● For Master Data Governance, central governance, we recommend using the back-end tables of SAP-BP for enhancements and enhancing the MDG data model accordingly.
13.12 Country-Specific Authorizations
Business Roles
Business roles denote the role of a persona, for example, General Ledger Accountant or Cash Specialist. They are an aggregation of the applications relevant for a certain persona.
Business roles are technically represented by single roles. They exist on the front-end server and do not contain authorizations. They serve demonstration purposes and trial use cases. You would typically create your own business roles as single roles or composite roles in transaction PFCG. Assigning the required back-end authorizations is a separate step, which is performed in transaction PFCG of the corresponding back-end clients.
The following table shows the business roles used as template roles in the relevant countries:
Table 300:
Country Name Business Role (PFCG/BRT) Role Name
Argentina SAP_BR_GL_ACCOUNTANT_AR General Ledger Accountant for Argen
tina
SAP_BR_AR_ACCOUNTANT_AR Accounts Receivable Accountant for Ar
gentina
SAP_BR_AP_ACCOUNTANT_AR Accounts Payable Accountant for Argen
tina
Australia SAP_BR_AP_MANAGER_AU Accounts Payable Manager for Australia
SAP_BR_GL_ACCOUNTANT_AU General Ledger Accountant for Australia
Belgium SAP_BR_AP_MANAGER_BE Accounts Payable Manager for Belgium
SAP_BR_GL_ACCOUNTANT_BE General Ledger Accountant for Belgium
Security Guide for SAP S/4HANA 1709
SAP S/4HANA Business Applications P U B L I C 493Country Name Business Role (PFCG/BRT) Role Name
Brazil SAP_BR_AR_ACCOUNTANT_BR Accounts Receivable Accountant for
Brazil
SAP_BR_TREASURY_ACCOUNT Treasury Accountant for Brazil
ANT_BR
Bulgaria SAP_BR_AA_ACCOUNTANT_BG Asset Accountant for Bulgaria
SAP_BR_GL_ACCOUNTANT_BG General Ledger Accountant for Bulgaria
Canada SAP_BR_GL_ACCOUNTANT_CA General Ledger Accountant for Canada
Chile SAP_BR_AR_ACCOUNTANT_CL Accounts Receivable Accountant for
Chile
SAP_BR_AP_ACCOUNTANT_CL Accounts Payable Accountant for Chile
SAP_BR_GL_ACCOUNTANT_CL General Ledger Accountant for Chile
SAP_BR_AP_MANAGER_CL Accounts Payable Manager for Chile
China SAP_BR_AP_ACCOUNTANT_CN Accounts Payable Accountant for China
SAP_BR_GL_ACCOUNTANT_CN General Ledger Accountant for China
SAP_BR_AR_ACCOUNTANT_CN Accounts Receivable Accountant for
China
SAP_BR_CASH_SPECIALIST_CN Cash Management Specialist for China
SAP_BR_CASH_MANAGER_CN Cash Manager for China
SAP_BR_AP_ACCOUNT Accounts Payable Accountant – Pro
ANT_PROCMT_CN curement for China
Colombia SAP_BR_AP_ACCOUNTANT_CO Accounts Payable Accountant for Co
lombia
SAP_BR_AP_MANAGER_CO Accounts Payable Manager for Colombia
Croatia SAP_BR_GL_ACCOUNTANT_HR General Ledger Accountant for Croatia
SAP_BR_ACS_AUDITOR_HR Audit Specialist for Croatia
SAP_BR_AR_ACCOUNTANT_HR Accounts Receivable Accountant for
Croatia
Czech Republic SAP_BR_AR_ACCOUNTANT_CZ Accounts Receivable Accountant for
Czech Republic
Security Guide for SAP S/4HANA 1709
494 P U B L I C SAP S/4HANA Business ApplicationsCountry Name Business Role (PFCG/BRT) Role Name
SAP_BR_AP_ACCOUNTANT_CZ Accounts Payable Accountant for Czech
Republic
SAP_BR_GL_ACCOUNTANT_CZ General Ledger Accountant for Czech
Republic
Egypt SAP_BR_GL_ACCOUNTANT_EG General Ledger Accountant for Egypt
SAP_BR_AR_ACCOUNTANT_EG Accounts Receivable Accountant for
Egypt
SAP_BR_AP_ACCOUNTANT_EG Accounts Payable Accountant for Egypt
Estonia SAP_BR_CASH_SPECIALIST_EE Cash Management Specialist for Estonia
SAP_BR_GL_ACCOUNTANT_EE General Ledger Accountant for Estonia
France SAP_BR_AP_MANAGER_FR Accounts Payable Manager for France
SAP_BR_GL_ACCOUNTANT_FR General Ledger Accountant for France
SAP_BR_TREASURY_SPECIAL Treasury Specialist – Back Office for
IST_BOE_FR France
Greece SAP_BR_AA_ACCOUNTANT_GR Asset Accountant for Greece
SAP_BR_CASH_SPECIALIST_GR Cash Management Specialist for Greece
SAP_BR_AR_ACCOUNTANT_GR Accounts Receivable Accountant for
Greece
SAP_BR_GL_ACCOUNTANT_GR General Ledger Accountant for Greece
SAP_BR_ACS_AUDITOR_GR Audit Specialist for Greece
SAP_BR_INVENTORY_ACCOUNT Inventory Accountant for Greece
ANT_GR
SAP_BR_AP_ACCOUNTANT_GR Accounts Payable Accountant for
Greece
SAP_BR_BILLING_CLERK_GR Billing Clerk for Greece
Hungary SAP_BR_GL_ACCOUNTANT_HU General Ledger Accountant for Hungary
SAP_BR_CASH_SPECIALIST_HU Cash Management Specialist for Hun
gary
SAP_BR_TREASURY_SPECIAL Treasury Specialist – Back Office for
IST_BOE_HU Hungary
Security Guide for SAP S/4HANA 1709
SAP S/4HANA Business Applications P U B L I C 495Country Name Business Role (PFCG/BRT) Role Name
SAP_BR_TREASURY_ACCOUNT Treasury Accountant for Hungary
ANT_HU
India SAP_BR_AP_ACCOUNTANT_IN Accounts Payable Accountant for India
Ireland SAP_BR_AP_MANAGER_IE Accounts Payable Manager for Ireland
SAP_BR_AP_ACCOUNTANT_IE Accounts Payable Accountant for Ire
land
Italy SAP_BR_AA_ACCOUNTANT_IT Asset Accountant for Italy
SAP_BR_GL_ACCOUNTANT_IT General Ledger Accountant for Italy
Japan SAP_BR_AR_ACCOUNTANT_JP Accounts Receivable Accountant for Ja
pan
SAP_BR_AA_ACCOUNTANT_JP Asset Accountant for Japan
SAP_BR_AP_ACCOUNTANT_JP Accounts Payable Accountant for Japan
Kazakhstan SAP_BR_GL_ACCOUNTANT_KZ General Ledger Accountant for Kazakh
stan
SAP_BR_AR_ACCOUNTANT_KZ Accounts Receivable Accountant for Ka
zakhstan
SAP_BR_AP_ACCOUNTANT_KZ Accounts Payable Accountant for Ka
zakhstan
SAP_BR_AA_ACCOUNTANT_KZ Asset Accountant for Kazakhstan
SAP_BR_WAREHOUSE_CLERK_KZ Warehouse Clerk for Kazakhstan
Kuwait SAP_BR_AP_ACCOUNTANT_KW Accounts Payable Accountant for Kuwait
Latvia SAP_BR_CASH_SPECIALIST_LV Cash Management Specialist for Latvia
SAP_BR_GL_ACCOUNTANT_LV General Ledger Accountant for Latvia
Lithuania SAP_BR_AP_ACCOUNTANT_LT Accounts Payable Accountant for Lith
uania
Luxembourg SAP_BR_GL_ACCOUNTANT_LU General Ledger Accountant for Luxem
bourg
Malaysia SAP_BR_AP_MANAGER_MY Accounts Payable Manager for Malaysia
SAP_BR_GL_ACCOUNTANT_MY General Ledger Accountant for Malaysia
Security Guide for SAP S/4HANA 1709
496 P U B L I C SAP S/4HANA Business ApplicationsCountry Name Business Role (PFCG/BRT) Role Name
Mexico                SAP_BR_GL_ACCOUNTANT_MX            General Ledger Accountant for Mexico
Netherlands           SAP_BR_GL_ACCOUNTANT_NL            General Ledger Accountant for Netherlands
Oman                  SAP_BR_AP_ACCOUNTANT_OM            Accounts Payable Accountant for Oman
Peru                  SAP_BR_AR_ACCOUNTANT_PE            Accounts Receivable Accountant for Peru
Peru                  SAP_BR_GL_ACCOUNTANT_PE            General Ledger Accountant for Peru
Peru                  SAP_BR_AP_MANAGER_PE               Accounts Payable Manager for Peru
Peru                  SAP_BR_CASH_MANAGER_PE             Cash Manager for Peru
Philippines           SAP_BR_AP_MANAGER_PH               Accounts Payable Manager for Philippines
Philippines           SAP_BR_GL_ACCOUNTANT_PH            General Ledger Accountant for Philippines
Philippines           SAP_BR_AR_ACCOUNTANT_PH            Accounts Receivable Accountant for Philippines
Poland                SAP_BR_GL_ACCOUNTANT_PL            General Ledger Accountant for Poland
Poland                SAP_BR_AA_ACCOUNTANT_PL            Asset Accountant for Poland
Poland                SAP_BR_AP_ACCOUNTANT_PL            Accounts Payable Accountant for Poland
Poland                SAP_BR_AR_ACCOUNTANT_PL            Accounts Receivable Accountant for Poland
Poland                SAP_BR_CASH_SPECIALIST_PL          Cash Management Specialist for Poland
Qatar                 SAP_BR_AR_ACCOUNTANT_QA            Accounts Receivable Accountant for Qatar
Qatar                 SAP_BR_AP_ACCOUNTANT_QA            Accounts Payable Accountant for Qatar
Qatar                 SAP_BR_GL_ACCOUNTANT_QA            General Ledger Accountant for Qatar
Romania               SAP_BR_GL_ACCOUNTANT_RO            General Ledger Accountant for Romania
Romania               SAP_BR_AA_ACCOUNTANT_RO            Asset Accountant for Romania
Romania               SAP_BR_CASH_SPECIALIST_RO          Cash Management Specialist for Romania
Romania               SAP_BR_AP_ACCOUNTANT_RO            Accounts Payable Accountant for Romania
Russia                SAP_BR_AP_ACCOUNTANT_RU            Accounts Payable Accountant for Russian Federation
Russia                SAP_BR_AR_ACCOUNTANT_RU            Accounts Receivable Accountant for Russian Federation
Russia                SAP_BR_GL_ACCOUNTANT_RU            General Ledger Accountant for Russian Federation
Russia                SAP_BR_AA_ACCOUNTANT_RU            Asset Accountant for Russian Federation
Russia                SAP_BR_INVENTORY_ACCOUNTANT_RU     Inventory Accountant for Russian Federation
Russia                SAP_BR_WAREHOUSE_CLERK_RU          Warehouse Clerk for Russian Federation
Serbia                SAP_BR_AA_ACCOUNTANT_RS            Asset Accountant for Serbia
Serbia                SAP_BR_GL_ACCOUNTANT_RS            General Ledger Accountant for Serbia
Serbia                SAP_BR_CASH_SPECIALIST_RS          Cash Management Specialist for Serbia
Serbia                SAP_BR_AR_ACCOUNTANT_RS            Accounts Receivable Accountant for Serbia
Serbia                SAP_BR_AP_ACCOUNTANT_RS            Accounts Payable Accountant for Serbia
Singapore             SAP_BR_GL_ACCOUNTANT_SG            General Ledger Accountant for Singapore
Slovakia              SAP_BR_CASH_SPECIALIST_SK          Cash Management Specialist for Slovakia
Slovakia              SAP_BR_AR_ACCOUNTANT_SK            Accounts Receivable Accountant for Slovakia
Slovakia              SAP_BR_AP_ACCOUNTANT_SK            Accounts Payable Accountant for Slovakia
Slovenia              SAP_BR_GL_ACCOUNTANT_SI            General Ledger Accountant for Slovenia
Slovenia              SAP_BR_AP_ACCOUNTANT_SI            Accounts Payable Accountant for Slovenia
Saudi Arabia          SAP_BR_AP_ACCOUNTANT_SA            Accounts Payable Accountant for Saudi Arabia
Saudi Arabia          SAP_BR_GL_ACCOUNTANT_SA            General Ledger Accountant for Saudi Arabia
South Korea           SAP_BR_AR_ACCOUNTANT_KR            Accounts Receivable Accountant for South Korea
Taiwan                SAP_BR_GL_ACCOUNTANT_TW            General Ledger Accountant for Taiwan
Thailand              SAP_BR_AR_ACCOUNTANT_TH            Accounts Receivable Accountant for Thailand
Thailand              SAP_BR_GL_ACCOUNTANT_TH            General Ledger Accountant for Thailand
Thailand              SAP_BR_AA_ACCOUNTANT_TH            Asset Accountant for Thailand
Turkey                SAP_BR_AP_ACCOUNTANT_TR            Accounts Payable Accountant for Turkey
Turkey                SAP_BR_GL_ACCOUNTANT_TR            General Ledger Accountant for Turkey
Ukraine               SAP_BR_AP_ACCOUNTANT_UA            Accounts Payable Manager for Ukraine
Ukraine               SAP_BR_INVENTORY_ACCOUNTANT_UA     Inventory Accountant for Ukraine
Ukraine               SAP_BR_AA_ACCOUNTANT_UA            Asset Accountant for Ukraine
Ukraine               SAP_BR_AP_ACCOUNTANT_UA            Accounts Payable Accountant for Ukraine
Ukraine               SAP_BR_AR_ACCOUNTANT_UA            Accounts Receivable Accountant for Ukraine
Ukraine               SAP_BR_GL_ACCOUNTANT_UA            General Ledger Accountant for Ukraine
United Arab Emirates  SAP_BR_AP_ACCOUNTANT_AE            Accounts Payable Accountant for United Arab Emirates
United Arab Emirates  SAP_BR_AR_ACCOUNTANT_AE            Accounts Receivable Accountant for United Arab Emirates
United Kingdom        SAP_BR_AP_MANAGER_GB               Accounts Payable Manager for United Kingdom
United Kingdom        SAP_BR_AP_ACCOUNTANT_GB            Accounts Payable Accountant for United Kingdom
United Kingdom        SAP_BR_CASH_SPECIALIST_GB          Cash Management Specialist for United Kingdom
United Kingdom        SAP_BR_GL_ACCOUNTANT_GB            General Ledger Accountant for United Kingdom
United States         SAP_BR_AP_MANAGER_US               Accounts Payable Manager for United States
United States         SAP_BR_TREASURY_SPECIALIST_BOE_US  Treasury Specialist – Back Office for United States
Venezuela             SAP_BR_GL_ACCOUNTANT_VE            General Ledger Accountant for Venezuela
Venezuela             SAP_BR_AP_MANAGER_VE               Accounts Payable Manager for Venezuela
13.13 Human Resources
13.13.1 User Management
Use
User management for Human Resources uses the mechanisms provided by SAP NetWeaver Application Server
(ABAP, Java, or ABAP and Java), for example, tools, user types, and password policies. See the sections below for
an overview of how these mechanisms apply to Human Resources. In addition, there is a list of the standard users
that are necessary for operating Human Resources.
User Administration Tools
The table below shows the tools for user management in Human Resources.
Table 301:
Tool / Description
User and role maintenance with SAP NetWeaver AS for ABAP (Transactions SU01 and PFCG)
    For more information, look for User Administration and Identity Management in ABAP Systems in the documentation of SAP NetWeaver at http://help.sap.com/netweaver.
User Management Engine of SAP NetWeaver AS for Java
    This tool is used for user management of HR portal roles (business packages). For more information, look for User Management Engine in the documentation of SAP NetWeaver at http://help.sap.com/netweaver.
User Types
It is often necessary to specify different security policies for different types of users. For example, it may be
necessary that individual users who perform tasks interactively have to change their passwords on a regular
basis, but not users who run background processing jobs.
The specific user types that are required for human resources include:
● Individual users
  ○ Administrator for
    ○ Personnel Administration
    ○ Benefits Administration
  ○ Manager for
    ○ Personnel Administration
    ○ Benefits Administration
    ○ Compensation Administration
    ○ Training and Event Management
  ○ Specialists for
    ○ Personnel Administration
    ○ Talent Management
    ○ Benefits Administration
    ○ Compensation Administration
    ○ Training and Event Management
● Technical users
  Technical users are required for the following business processes:
  ○ WF-BATCH user
    If you want to use the workflow functions for the different Personnel Management functions, you must create a WF-BATCH system user in the standard system.
  ○ Distribution of master data through ALE technology. For more information, see the documentation for the report RHALEINI (HR: ALE Distribution of HR Master Data).
  ○ Compensation Management (PA-CM): For the integration with the Award function, the technical user requires authorization for the following functions:
    ○ Call RFC function module HRCM_RFC_LTI_ACCRUALDATA_GET (Determine awards data for accumulating accruals)
    ○ Read the Award infotype (0382), authorization object P_ORGIN
  ○ Budget Management (PA-PM)
    ○ You use background processing to create commitments in accounting with an RFC connection. Depending on the process and the system landscape used, it may be necessary to set up a user for the background processing. You can use your own user (an additional logon is required) or set up a special commitment engine user.
For more information about these user types, see the Security Guide for SAP NetWeaver Application Server ABAP
under http://help.sap.com/netweaver .
13.13.2 Authorizations
The authorizations topic plays a fundamental role in the area of Human Resources since access to personnel data
must be carefully protected. In SAP Human Resources, there is a two-part concept for setting up authorizations.
You should familiarize yourself with this concept if you use Human Resources components.
Human Resources uses the authorization concept provided by SAP NetWeaver Application Server. Therefore, the
security recommendations and guidelines for authorizations detailed in the Security Guide for SAP NetWeaver AS
ABAP and in the Security Guide for SAP NetWeaver AS Java also apply to Human Resources.
Note
Furthermore, Human Resources has specific structural authorizations for which the organizational
assignment is checked to see whether a user may perform an activity.
For detailed information about authorizations in Human Resources, see SAP Library for SAP S/4HANA Human
Resources and the section Authorizations for Human Resources.
The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based
on roles. For role maintenance, use the profile generator (transaction PFCG) on the SAP NetWeaver AS ABAP.
Standard Roles
The table below shows the standard roles that are used by the Personnel Management components listed under
“Description”.
Note
The standard roles for Human Resources components that are described in a separate chapter of this Security
Guide are also in the “Authorizations” section. The same applies to the self-service components Employee Self-
Service [page 556] and Manager Self-Service [page 571] that are also described under Cross-Application
Components Self-Services in this Security Guide.
Table 302: Standard Roles
Role                    Description
SAP_HR_BN*              Roles for the PA-BN (Benefits) component
SAP_HR_CM*              Roles for the PA-CM (Compensation Management) component
SAP_HR_CP*              Roles for the PA-CM-CP (Personnel Cost Planning) component
SAP_HR_OS*              Roles for the PA-OS (Organizational Structure) component
SAP_HR_PA_xx_*          Roles for the international versions and country versions of the PA-PA (Personnel Administration) component
SAP_HR_PA_PF_xx_*       Roles for the PA-PF (Pension Schemes) component
SAP_HR_PD*              Roles for the PA-PD (Personnel Development) component
SAP_HR_RC*              Roles for the PA-RC (Recruitment) component
SAP_HR_REPORTING        Role for the Human Resources Analyst. Note: This role is obsolete. We recommend that you no longer use this role.
SAP_ASR_ADMINISTRATOR   Enhancement of the role SAP_HR_PA_xx_* for the HR administrators that use the functions of the component PA-AS (HR Administrative Services)
For the roles marked with an asterisk (*), several roles exist for each of the components. For roles with xx, where
xx represents the SAP country key, various roles exist for each of the country versions.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by Human Resources.
Note
For more information about the authorization objects for Human Resources, see http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Human Resources > HR Tools > Authorizations for Human Resources > Technical Aspects > Authorization Objects.
Table 303: Most Important Standard Authorization Objects
Authorization Object (Name) / Description
P_ORGIN (HR master data)
    Used to check the authorization for accessing HR infotypes. The checks take place when HR infotypes are edited or read.
P_ORGINCON (HR master data with context)
    This authorization object consists of the same fields as the authorization object P_ORGIN, and also includes the field PROFL (structural profile). A check using this object enables user-specific contexts to be mapped in HR master data.
P_ORGXX (HR master data – extended check)
    You can use this object to determine that other fields are also to be checked. You can determine whether this check is to be performed in addition to or as an alternative to the HR Master Data authorization check.
P_ORGXXCON (HR master data - extended check with context)
    This authorization object consists of the same fields as the authorization object P_ORGXX, and also includes the field PROFL (structural profile). A check using this object enables user-specific contexts to be mapped in HR master data.
P_TCODE (HR: Transaction Code)
    This authorization object checks some specific SAP Human Resources transactions.
PLOG (Personnel planning)
    Determines for which types of information processing a user has authorization.
PLOG_CON (Personnel planning with context)
    This authorization object consists of the same fields as the object PLOG, and also includes the field PROFL (structural profile). The check using this object enables user-specific contexts to be mapped.
P_ASRCONT (Authorization for process content)
    The Authorization for Process Content object is used by the authorization check for HR Administrative Services. It checks the authorization for access to various process contents and also runs through the authorization objects that you have specified in Customizing in the table T77S0 (see note below). For more information, see http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Human Resources > Shared Services > HR Administrative Services (PA-AS) > HCM Processes and Forms and section Authorization Concept of HCM Processes and Forms.
P_DEL_PERN (Deletion of personnel numbers in live systems)
    This authorization object is used in the report RPUDELPP and facilitates the deletion of personnel numbers in live systems. It is used by two roles, one for requesting the deletion and one for performing the deletion. These roles need to be assigned to two different users (double verification principle).
P_EICAU (Authorization for activity in the Employee Interaction Center)
    This authorization object checks the authorization for editing EIC activities. For more information, see http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Human Resources > Shared Services > Employee Interaction Center (EIC) > General Settings and section Authorization Concept for Employee Interaction Center (EIC).
Note
For certain authorization objects, you can specify in Customizing whether they are to be checked. Group AUTSW (Group for Semantic Short Text for PD Plan) of table T77S0 contains all central switches and settings for the Human Resources authorization check. Note that changes to these settings severely affect your authorization concept.
For more information about changing the main authorization switch, see Customizing for Personnel Administration and choose Tools > Authorization Management.
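Table 303 requires the two P_DEL_PERN roles (request the deletion, perform the deletion) to sit with two different users. The following script is an added example, not SAP code: it reads a constructed user-role extract in the column layout of table AGR_USERS and lists every user who holds both roles on a given day, so expired assignments do not raise false alarms. The role names Z_HR_PERNR_DEL_REQUEST and Z_HR_PERNR_DEL_PERFORM are hypothetical customer roles.

```python
"""Dual-control check for personnel-number deletion (P_DEL_PERN).

Added example, not SAP code. The guide states that P_DEL_PERN is used by
two roles, one for requesting and one for performing the deletion of
personnel numbers, and that these must be assigned to two different users.
This script scans a constructed user-role extract (same columns as table
AGR_USERS: role, user, valid-from, valid-to) and reports every user who
holds both roles at the same time. The role names are hypothetical.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Hypothetical customer roles carrying P_DEL_PERN for each half of the task.
REQUEST_ROLE = "Z_HR_PERNR_DEL_REQUEST"
PERFORM_ROLE = "Z_HR_PERNR_DEL_PERFORM"

# Constructed extract in AGR_USERS layout (AGR_NAME;UNAME;FROM_DAT;TO_DAT).
# HRADMIN3 holds both roles; HRADMIN4 held the request role only in 2016.
SAMPLE_EXTRACT = """AGR_NAME;UNAME;FROM_DAT;TO_DAT
Z_HR_PERNR_DEL_REQUEST;HRADMIN1;20170101;99991231
Z_HR_PERNR_DEL_PERFORM;HRADMIN2;20170101;99991231
Z_HR_PERNR_DEL_REQUEST;HRADMIN3;20170101;99991231
Z_HR_PERNR_DEL_PERFORM;HRADMIN3;20180301;99991231
Z_HR_PERNR_DEL_REQUEST;HRADMIN4;20160101;20161231
Z_HR_PERNR_DEL_PERFORM;HRADMIN4;20170101;99991231
SAP_HR_REPORTING;HRADMIN2;20170101;99991231
"""


@dataclass(frozen=True)
class Assignment:
    role: str
    user: str
    valid_from: date
    valid_to: date


def parse_sap_date(value: str) -> date:
    """AGR_USERS stores dates as YYYYMMDD; 99991231 means 'unlimited'."""
    return date(int(value[:4]), int(value[4:6]), int(value[6:8]))


def parse_extract(text: str) -> list[Assignment]:
    """Parse the semicolon-separated extract into Assignment records."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [
        Assignment(row["AGR_NAME"], row["UNAME"],
                   parse_sap_date(row["FROM_DAT"]), parse_sap_date(row["TO_DAT"]))
        for row in reader
    ]


def active_on(assignment: Assignment, day: date) -> bool:
    """An assignment counts only inside its validity period (inclusive)."""
    return assignment.valid_from <= day <= assignment.valid_to


def dual_control_violations(assignments: list[Assignment], day: date,
                            request_role: str = REQUEST_ROLE,
                            perform_role: str = PERFORM_ROLE) -> list[str]:
    """Return the sorted user IDs that hold both roles on `day`."""
    requesters = {a.user for a in assignments
                  if a.role == request_role and active_on(a, day)}
    performers = {a.user for a in assignments
                  if a.role == perform_role and active_on(a, day)}
    return sorted(requesters & performers)


def check_sample(day: date = date(2018, 6, 1)) -> list[str]:
    """Run the check against the constructed extract for the given day."""
    return dual_control_violations(parse_extract(SAMPLE_EXTRACT), day)


if __name__ == "__main__":
    for user in check_sample():
        print(f"dual-control violation: {user} can both request and perform deletions")
```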
13.13.3 Security-Relevant Logging and Tracing
Change documents are created for the infotypes of SAP Human Resources, on the basis of which you can trace
changes to infotype data. For more information, see http://help.sap.com/s4hana_op_1709 under Product Assistance > Enterprise Business Applications > Human Resources > HR Tools in the following sections:
● Creating Change Documents for Personnel Administration Infotypes
● Creation of Change Documents for Personnel Planning Infotypes
13.13.4 Core HR and Payroll
13.13.4.1 Core HR
About This Chapter
This section of the Security Guide provides an overview of security-relevant information for Core HR.
Overview of the Main Sections of This Chapter
The following sections contain the security-relevant information that is specific to Personnel Management:
● Important SAP Notes
This section lists the most important SAP Notes for the security of Personnel Management.
● Authorizations
This section provides an overview of the authorization concept used for Personnel Management.
● Communication Channel Security
This section provides an overview of the communication paths used by Personnel Management and provides
information on how you can best protect them.
● Communication Destinations
This section provides an overview of the communication destination for the components of Personnel
Management and the country-specific components of Personnel Administration.
● Data Storage Security
This section provides an overview of the critical data used by Personnel Management, as well as the security
mechanisms used.
● Security for Additional Applications
This section contains information about temporary sequential (TemSe) data storage, which only temporarily
stores data from country-specific reports from Personnel Administration.
● Other Security-Relevant Information
This section contains information about security-relevant Customizing for infotype records and indicates the
reports that perform database statistics and consistency checks without checking the user's authorizations.
● Chapter with the security-relevant information for the component HCM Processes and Forms
13.13.4.1.1 Authorizations
Use
The Personnel Management components use the two-part authorization concept from SAP Human Resources.
For more information, see the section Authorizations in the Human Resources chapter of the S/4HANA Security Guide.
Standard Roles
The table below shows the standard roles that are used by the Personnel Management components.
Table 304:
Role                Description
SAP_HR_OS*          Roles for the PA-OS (Organizational Structure) component
SAP_HR_PA_xx_*      Roles for the international versions and country versions of the component PA-PA (Personnel Administration)
Note
For the roles marked with an asterisk (*), several roles exist for each of the components. For roles with “xx”,
where “xx” represents the SAP country key, various roles exist for each of the country versions.
Standard Authorization Objects
The Personnel Management components use the standard authorization objects from SAP Human Resources.
For more information about the authorization objects for Human Resources, see SAP Library for S/4HANA on SAP Help Portal at Human Resources > HR Tools > Authorizations for Human Resources > Technical Aspects > Authorization Objects.
13.13.4.1.2 Communication Channel Security
Use
The table below shows the communication channels used by Personnel Management, the protocol used for the
connection, and the type of data transferred.
Table 305:
Communication Path: Interface Toolbox (Transaction PU12)
    Protocol Used: ALE
    Type of Data Transferred: Master data, Benefits data, Organizational data as defined by the user
Communication Path: SAP BW
    Protocol Used: Extractor Program
    Type of Data Transferred: Master data, Organizational data, Personnel Development data
Communication Path: SAP CO (for distributed systems)
    Protocol Used: RFC
    Type of Data Transferred: Cost centers, orders, and so on
    Data Requiring Special Protection: Authorizations for CO objects are required here
Communication Path: External Files
    Protocol Used: ASCII
    Type of Data Transferred: Personnel Administration data
    Data Requiring Special Protection: Applicable only for country versions Australia and New Zealand
Communication Path: MS Word
    Protocol Used: Report Interface with SAP NetWeaver
    Type of Data Transferred: Office Integration
Communication Path: Connection with PDF-based print forms for archiving
    Protocol Used: HTTP(S)
    Type of Data Transferred: Person-related data (for example, employee photo)
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using the Secure Sockets Layer (SSL) protocol.
Note
If you convert the protocol from HTTP to HTTPS and use PDF-based print forms, see SAP Note 1461447.
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide .
13.13.4.1.3 Communication Destinations
Use
Specific communication destinations are available for the Personnel Management components and Personnel
Administration country-specific components.
Features
The function group HRPDV_SERVICES contains the following Remote Function Calls (RFCs) for displaying and
updating the position attributes. The communication user requires authorization for the authorization object
S_RFC to execute Remote Function Calls.
Table 306:
Function Group: HRPDV_SERVICES
Function Module                  Description
HRPDV_GET_ROOT_OBJECT            Gets the root object for the user
HRPDV_ORG_PATHROOTS              Root object specification
HRPDV_CREATE_POSITION            Creates a new position in the organizational unit
HRPDV_GET_POSITION_ATTR          Gets the corresponding position attributes
HRPDV_UPDATE_POSITION_ATTR       Updates the corresponding position attributes
HRPDV_COPY_POSITION              Copies an existing position and the corresponding attributes several times
HRPDV_DELIMIT_POSITION           Delimits an existing position
HRPDV_POSITION_SEARCH            Enables a search for positions based on Object and Data Provider (OADP)
HRPDV_GET_TIME_CONSTRAINTS       Gets the time constraints information of the corresponding position infotypes and relationships
HRPDV_TRANSFER_EMPLOYEE          Enables the conversion of an employee from one position to another or creates an additional personnel assignment for the employee
HRPDV_GET_POSITION_F4_HELPS      Returns the input help values for the infotype fields Account Assignment and Employee Subgroup
Benefits (PA-BN)
When evaluating retirement benefits for employees, service-related data is sent to an external system using
IDocs. The Benefits system places the IDocs in a special port. External systems can collect the IDocs from this
port. The external systems evaluate the retirement benefits based on the transferred data and then send them
with an inbound IDoc back to the SAP system.
There are no special functions from the Benefits system side to protect this data.
Compensation Management (PA-CM)
The self-service scenario Salary Benchmarking (HRCMP0053) exchanges data with external benchmarking
providers. You communicate synchronously and online using HTTPS protocol (HyperText Transfer Protocol with
SSL).
Personnel Administration
● HR Administrative Services
HR Administrative Services can transfer personal data from SAP E-Recruiting and return data to SAP E-Recruiting. For more information, see the Security Guide for SAP E-Recruiting under Communication Destinations.
● Pension Fund (PA-PF)
○ You can create files with SAP List Viewer (ALV) and TemSe (Temporary Sequential Objects).
○ There is no encryption of data in the standard SAP system.
13.13.4.1.4 Data Storage Security
The infotypes in Personnel Management contain particularly sensitive data. This data is protected by central
authorization objects.
Note
For more information about authorization objects, see section Authorizations in the S/4HANA security guide
for Human Resources.
Examples of infotypes containing particularly sensitive data:
● International infotypes for Personnel Administration (PA-PA)
○ Personal Data (0002)
○ Basic Pay (0008)
○ Bank Details (0009)
○ Family Member/Dependents (0021)
● Personnel Development (PA-PD)
○ Qualifications
○ Appraisals
● Personnel Cost Planning and Simulation (PA-CP)
○ Planning of Personnel Costs (0666), contains salary-based information
● Management of Global Employees (PA-GE)
○ Compensation Package Offer (0706)
Other sensitive Personnel Management data
● Budget Management
The Budget Management component accesses the salary data of employees and displays data from the
Controlling (CO) and Funds Management (FI-FM) components. The standard authorization concept for
Human Resources, Controlling, and Funds Management is used for these processes. The following
authorization objects are also available to protect the data:
○ P_ENCTYPE (HR: PBC - Financing): Determines which funds reservation types a user can access and
which activities the user is allowed to perform.
○ P_ENGINE (HR: Authorization for Automatic Commitment Creation): Determines which activities a user is
allowed to perform when creating commitments.
● Pension Fund (PA-PF)
Access to salary data, pensions, and benefits entitlements is protected by the following authorization objects:
○ P_ORGIN (HR: Master Data)
○ P_CH_CK (HR-CH: Pension Fund: Account Access)
○ P_NL_PKEV (Authorization Object for PF Events)
● Personnel Cost Planning (PA-CM-CP and PA-CP)
The old Personnel Cost Planning (PA-CM-CP) and the new Personnel Cost Planning and Simulation (PA-CP)
components both save salary-relevant information to the clusters of the database PCL5. You can control
access rights using the authorization object P_TCODE (HR: Transaction Code).
● Employee Interaction Center (PA-EIC)
The EIC Authentication infotype (0816) enables question and response pairs to be saved that an agent of
Employee Interaction Center then uses to identify a calling employee. You can only maintain the infotype with
the Authentication for EIC Employee Self-Service.
● HR Administrative Services (PA-AS)
The personnel file and all process instances are saved with intermediate statuses and history to the Case
Management databases.
13.13.4.1.5 Security for Additional Applications
Personnel Administration country-specific components use several reports that store security-relevant and
sensitive data. This data includes employee data relating to salary, tax, social insurance, pension contributions,
and garnishments.
The data is stored in temporary sequential (TemSe) files and used when printing legal forms, statistics, and
business reports. Access to TemSe is controlled by the authorization object S_TMS_ACT. Data encryption is not
necessary here. For a list of all reports and programs using TemSe, see the Personnel Administration
documentation for your country version.
You can also download data directly from the front-end server (for example, PC/terminal) or application server
without first storing the data records in the TemSe. To do so, you copy the data to a data carrier that you can then
send to the authorities.
13.13.4.1.6 Other Security-Relevant Information
Use
Other security-relevant Customizing for infotype records
With the field Access Auth. (Access Authorization) in table V_T582A (Infotype attributes (Customizing)), you can control access to an infotype record depending on whether the record belongs to the area of responsibility of a person responsible on the current date. For more information, see Customizing for Personnel Management under Personnel Administration > Customizing Procedures > Infotypes > Infotypes. Note in particular the help for the Access Authorization field.
Technical utilities without integrated authorization check
The following technical utilities read data without the user's authorizations being checked. You should therefore
only assign relevant report authorizations to roles containing system administrator functions.
● Reports with the prefix RHDBST*: Database statistics
● Reports with the prefix RHCHECK*: Consistency checks for Organizational Management and Personnel
Development data.
If required, you can use the following reports (developed for SAP internal use) for testing purposes. However, SAP
does not accept any responsibility for these reports:
● Report RPCHKCONSISTENCY (Consistency check for HR master data)
● Report RPUSCNTC (Find Inconsistencies in Time Constraints)
13.13.4.1.7 HCM Processes and Forms
About this Document
This chapter provides an overview of the security-relevant information that applies to HCM Processes and Forms
(PA-AS).
Overview of the Main Sections of This Chapter
The HCM Processes and Forms chapter comprises the following sections:
● Before You Start
This section contains references to other Security Guides that build the foundation for the HCM Processes
and Forms chapter and a list of the most important SAP Notes for HCM Processes and Forms regarding
security.
● Authorizations
This section provides an overview of the authorization concept that applies to HCM Processes and Forms.
● Internet Communication Framework Security
This section provides an overview of the Internet Communication Framework (ICF) services that are used by
HCM Processes and Forms.
● Security for Additional Applications
This section provides information on a Business Add-In (BAdI) that can be used for the attachment handling
of HCM Processes and Forms.
● Other Security-Relevant Information
This section provides information on the possibility of protecting the Customizing views of HR Administrative Services by using a grouping option for the authorization check to prevent users without authorization from maintaining person-related data.
13.13.4.1.7.1 Authorizations
Use
HCM Processes and Forms uses the authorization concept provided by the SAP NetWeaver AS for ABAP.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP also apply to HCM Processes and Forms.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see section Role Administration in the SAP Library for S/4HANA Identity Management.
Role and Authorization Concept for HCM Processes and Forms
The authorization concept for HCM Processes and Forms is described under the section Authorization Concept of
HCM Processes and Forms in the SAP Library for S/4HANA HCM Processes and Forms.
Standard Roles
The table below shows the standard roles that are used for HCM Processes and Forms authorizations.
Table 307: Standard Roles for HCM Processes and Forms
Role (Name) / Description
SAP_ASR_HRADMIN_SR_HCM_CI_3 (HR Administrator: NWBC Role)
    This single role contains the authorizations for the HR Administrator role.
SAP_ASR_EMPLOYEE_SR_HCM_CI_3 (ESS Single Role for HCM PF Services)
    This single role contains the authorizations for the Employee role in Employee Self-Service (WDA).
SAP_ASR_EMPLOYEE (HR Administrative Services: Employee)
    This single role contains the authorizations for the Employee role in the Business Package for Employee Self-Service (up to and including 1.4.1).
SAP_ASR_MANAGER (HR Administrative Services: Manager)
    This single role contains the authorizations for the Manager role.
Note
The Employee and Manager roles use HCM Processes and Forms. For security-relevant information regarding
these components, see the sections Employee Self Service and Manager Self Service under Self Services in the
S/4HANA Security Guide.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by HCM Processes and Forms:
Table 308:
Authorization Object (Name) / Comment
S_RFC (Authorization Check for RFC Access)
S_SCMG_CAS (Case Management: Case)
    These authorization objects manage access to the Process Object of HCM Processes and Forms.
S_SCMG_FLN (Case Management: Authorization by Field)
S_SRMGS_CT (Records Management: Authorizations for Document Content)
    These authorization objects manage access to the digital Personnel File in the HR Administrator Role.
S_SRMGS_DC (Records Management: Authorization for Documents)
S_SRMGS_PR (Records Management: Authorizations for Attributes)
S_SRMSY_CL (SAP Records Management: General Authorization Object)
S_TCODE (Transaction Code Check at Transaction Start)
P_ASRCONT (Authorization for Process Content)
    This authorization object manages the rights to start and execute processes with HCM Processes and Forms.
13.13.4.1.7.2 Internet Communication Framework Security
Use
You should only activate those services that are needed for the applications running in your system. For HCM Processes and Forms, the following services are needed; you can find them under the path default_host/sap/bc/webdynpro/sap/:
● asr_form_display
● asr_keyword_search
● asr_launchpad
● asr_mass_start_process
● asr_OBJECT_SEARCH
● asr_pa_pd_processes_display
● ars_personnel_file
● asr_processes_display
● ASR_PROCESS_EXECUTE_FPM
● asr_process_select
● ars_profiles_show
● asr_srch_pd_process
Activities
Use the transaction SICF to activate these services.
If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings
accordingly.
More Information
For more information, see Activating and Deactivating ICF Services in the SAP NetWeaver Library documentation.
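To verify the activation state described in this section in bulk, the following added example (not SAP code) compares a constructed SICF export against the service list above. The export layout, one "service path;active flag" line per service, is an assumption; in a real system the data comes from transaction SICF. It reports required services that are still inactive, lists other active services under the same Web Dynpro node that the list does not cover (the "activate only what is needed" rule), and derives the URLs a URL-filtering firewall must allow; the host name is a placeholder.

```python
"""Audit the ICF services activated for HCM Processes and Forms.

Added example, not SAP code. The guide lists the Web Dynpro services that
HCM Processes and Forms needs under default_host/sap/bc/webdynpro/sap/ and
says to activate only the services your applications need. The export
layout used here ("<service path>;<active flag>") is an assumption.
"""
from __future__ import annotations

WDA_NODE = "/default_host/sap/bc/webdynpro/sap/"

# Service names exactly as listed in the guide. ICF service names are not
# case-sensitive, so all comparisons below use lower case.
REQUIRED_SERVICES = [
    "asr_form_display", "asr_keyword_search", "asr_launchpad",
    "asr_mass_start_process", "asr_OBJECT_SEARCH", "asr_pa_pd_processes_display",
    "ars_personnel_file", "asr_processes_display", "ASR_PROCESS_EXECUTE_FPM",
    "asr_process_select", "ars_profiles_show", "asr_srch_pd_process",
]

# Constructed export; "X" marks an active service, blank an inactive one.
# zz_unused_test_app is a constructed placeholder for a stray extra service.
SAMPLE_EXPORT = """\
/default_host/sap/bc/webdynpro/sap/asr_form_display;X
/default_host/sap/bc/webdynpro/sap/asr_keyword_search;X
/default_host/sap/bc/webdynpro/sap/asr_launchpad;X
/default_host/sap/bc/webdynpro/sap/asr_mass_start_process;
/default_host/sap/bc/webdynpro/sap/asr_object_search;X
/default_host/sap/bc/webdynpro/sap/asr_pa_pd_processes_display;X
/default_host/sap/bc/webdynpro/sap/ars_personnel_file;X
/default_host/sap/bc/webdynpro/sap/asr_processes_display;X
/default_host/sap/bc/webdynpro/sap/ASR_PROCESS_EXECUTE_FPM;X
/default_host/sap/bc/webdynpro/sap/asr_process_select;X
/default_host/sap/bc/webdynpro/sap/ars_profiles_show;
/default_host/sap/bc/webdynpro/sap/asr_srch_pd_process;X
/default_host/sap/bc/webdynpro/sap/zz_unused_test_app;X
/default_host/sap/bc/ui5_ui5/sap/repincidents1;X
"""


def parse_export(text: str) -> dict[str, bool]:
    """Return {lower-case service path: is active} from the export lines."""
    services: dict[str, bool] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        path, _, flag = line.partition(";")
        services[path.strip().lower()] = flag.strip().upper() == "X"
    return services


def audit(export_text: str, required: list[str] = REQUIRED_SERVICES,
          node: str = WDA_NODE) -> tuple[list[str], list[str]]:
    """Return (required services still inactive, active services not on the list).

    Only services directly under `node` are considered for the second list;
    services elsewhere (for example under ui5_ui5) belong to other applications.
    """
    services = parse_export(export_text)
    node = node.lower()
    wanted = {name.lower() for name in required}
    inactive_required = sorted(
        name for name in wanted if not services.get(node + name, False))
    unexpected_active = sorted(
        path[len(node):] for path, active in services.items()
        if active and path.startswith(node) and path[len(node):] not in wanted)
    return inactive_required, unexpected_active


def service_urls(base_url: str, required: list[str] = REQUIRED_SERVICES,
                 node: str = WDA_NODE) -> list[str]:
    """URLs to note for firewall URL filtering.

    The default_host virtual host is an SICF alias, not part of the URL path.
    """
    external = node[len("/default_host"):] if node.startswith("/default_host") else node
    return [f"{base_url.rstrip('/')}{external}{name.lower()}" for name in required]


if __name__ == "__main__":
    missing, extra = audit(SAMPLE_EXPORT)
    print("required but inactive:", missing)
    print("active but not required:", extra)
    # Placeholder host; replace with the real application server URL.
    for url in service_urls("https://hr-app.example.internal:44300"):
        print("allow:", url)
```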
13.13.4.1.7.3 Security for Additional Applications
For the uploading of attachments in HCM Processes and Forms you can use Business Add-In (BAdI)
HRASR00ATTACHMENT_HANDLING for defining the file types allowed and the maximum size of attachments. For
more information, see the BAdI documentation in the S/4HANA system.
13.13.4.1.7.4 Other Security-Relevant Information
Authorizations for the Implementation Guide for HR Administrative Services
The views in the Implementation Guide for HR Administrative Services are protected separately by a grouping for
the authorization check, to prevent users without authorization from maintaining person-related data. Under the field
name DICBERCLS (Authorization Group) of the authorization object S_TABU_DIS, you can set the following:
● Switch PASC: Authorization check for all views of HR Administrative Services in which no Customizing settings
were made that affect authorization checks for the users of HR Administrative Services.
● Switch PASA: Additional authorization check for the views that may affect the authorization check for users of
HR Administrative Services.
13.13.4.1.8 Personnel & Organization
About This Chapter
This chapter of the Security Guide provides an overview of the security-relevant information for Personnel &
Organization (PA-PAO).
Role and Authorization Concept for Personnel & Organization
The Personnel & Organization component uses the following authorization concepts:
● SAP NetWeaver authorization concept (authorizations are assigned to users by means of roles)
For this purpose, the roles mentioned in section Standard Roles are available as a template. You can copy the
standard roles to the customer name space and adjust them to suit your requirements. You use the profile
generator (transaction PFCG) to maintain roles.
● Structural Authorizations (HCM-specific authorization concept)
You configure structural authorizations in Customizing for Personnel & Organization by choosing the following
path: Security > Authorizations > Structural Authorizations.
For more information about the structural authorization check, see Structural Authorization Check (in SAP
Library for S/4HANA under Human Resources > HR Tools > Authorizations for Human Resources).
Standard Roles
The following standard single roles are available for the Personnel & Organization component: Single Roles for
Personnel & Organization.
Gateway Information
For security information for SAP Gateway, see the following:
● Security Settings in the SAP Gateway
● The SAP Gateway Foundation Security Guide, available at http://help.sap.com//nw74 under Security Information
> Security Guide; search for the document SAP NetWeaver Gateway Foundation Security Guide.
13.13.4.2 Payroll (PY)
About This Chapter
This section of the Security Guide provides an overview of security-relevant information for Payroll (PY).
Overview of the Main Sections of This Chapter
The chapter “Payroll” comprises the following main sections:
● Important SAP Notes
This section lists the most important SAP Notes with regard to the security of Payroll.
● User Management
This section provides an overview of the user types required for Payroll.
● Authorizations
This section provides an overview of the authorization concept used for Payroll.
Note also the section Authorizations for Human Resources overall.
● Communication Channel Security
This section provides an overview of the communication paths used by Payroll.
● Data Storage Security
This section provides an overview of the critical data used by Payroll, as well as the security mechanisms
used.
● Security for Third-Party Applications or Additional Applications
This section contains security information that applies for additional applications that are used together with
Payroll (for example, the Interface Toolbox or B2A: Communication with Authorities).
● Country-Specific Features
This section contains additional security-relevant information for some country versions.
Note
The information in the chapter “Payroll (PY)” applies for all country versions of Payroll. The country-specific
sections only contain additional country-specific information, if any exists.
13.13.4.2.1 Important SAP Notes
The following table lists the most important SAP Notes with regard to the security of Payroll.
Table 309:
Title | SAP Note | Comment
Analyzing HR authorizations | 902000 | Contains general information about authorizations in the attachments
Q&A: How to customize Payroll Accounting postings in Rel.4.x | 116523 | Explains that the display authorizations for posting to Accounting are controlled using the report authorizations (that is, there are no table authorizations)
13.13.4.2.2 User Management
Definition
User management for Payroll uses the mechanisms provided by the SAP Web Application Server (ABAP), for
example, tools, user types, and password policies. For an overview of how these mechanisms apply for Payroll,
see the sections below. In addition, there is a list of the standard users that are necessary for operating Payroll.
User Management Tools
The table below shows the tools to use for user management with Payroll .
Table 310: User Management Tools
Tool | Detailed Description | Prerequisites
User and Role Maintenance (transaction PFCG) | You can use the Role Maintenance transaction PFCG to generate profiles for your Payroll users. |
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may
specify that individual users who perform tasks interactively have to change their passwords on a regular basis,
but not those users under which background processing jobs run.
The user types required for Payroll include:
● Individual users
○ Administration user
○ Payroll manager
○ Payroll specialist
● Technical users
○ Payroll procedure administrator
○ ALE user for posting payroll results to Accounting
For more information about these user types, see the SAP Web AS ABAP Security Guide under User Types.
13.13.4.2.3 Authorizations
Role Concept and Authorization Concept for Payroll
Payroll uses the authorization concept provided by SAP NetWeaver Application Server for ABAP, which is based
on the assignment of authorizations to users using roles.
The roles named as “standard roles” are available as templates. You can copy the standard roles into the
customer-specific namespace and adjust them to suit your requirements. To maintain roles, you use the Profile
Generator (transaction PFCG).
Standard Roles
The following table shows examples of standard roles that are used by the Payroll component.
Table 311: Standard Roles
Role Description
SAP_HR_PY_xx_PAYROLL-ADM Payroll administrator
SAP_HR_PY_xx_PAYROLL-MANAGER Payroll manager
SAP_HR_PY_xx_PAYROLL-PROC-ADM Payroll procedure administrator
SAP_HR_PY_xx_PAYROLL-SPEC Payroll specialist
SAP_HR_PY_xx_* Roles for mapping country-specific tasks within Payroll
SAP_HR_PY_PAYROLL-LOAN-ADM Loan accounting administrator
xx stands for the country key. For the roles marked with an asterisk (*), additional roles exist for each of the
countries.
Standard Authorization Objects
Payroll uses the authorization objects that are usually available for Human Resources. For more information, see
Authorizations.
The following table shows the security-relevant authorization objects that are also used by Payroll.
Table 312: Standard Authorization Objects
Authorization Object | Name | Description | Additional Information
P_PBSPWE | Process Workbench Engine (PWE) authorization | Authorizations for the Process Workbench Engine (PWE) |
P_PCLX | HR: Cluster | Check when accessing HR files on the PCLx (x = 1, 2, 3, 4) databases | SAP Library for S/4HANA under Authorizations for Human Resources > Technical Aspects > Authorization Objects > P_PCLX (HR: Cluster)
P_PCR | HR: Personnel control record | Authorization check for the personnel control record (transaction PA03) | SAP Library for S/4HANA under Authorizations for Human Resources > Technical Aspects > Authorization Objects > P_PCR (HR: Personnel Control Record)
P_PE01 | HR: Authorization for personnel calculation schemes | Authorization check for personnel calculation schemes | SAP Library for S/4HANA under Authorizations for Human Resources > Technical Aspects > Authorization Objects > P_PE01 (HR: Authorization for Personnel Calculation Schemas)
P_PE02 | HR: Authorization for personnel calculation rule | Authorization check for personnel calculation rules | SAP Library for S/4HANA under Authorizations for Human Resources > Technical Aspects > Authorization Objects > P_PE02 (HR: Authorization for Personnel Calculation Rule)
P_PYEVDOC | HR: Posting document | Protection of actions on payroll posting documents | SAP Library for S/4HANA under Authorizations for Human Resources > Technical Aspects > Authorization Objects > P_PYEVDOC (HR: Posting Document)
P_PYEVRUN | HR: Posting run | Control of actions that are possible for posting runs | SAP Library for S/4HANA under Authorizations for Human Resources > Technical Aspects > Authorization Objects > P_PYEVRUN (HR: Posting Run)
P_OCWBENCH | HR: Activities in the Off-Cycle Workbench | Used for the authorization check in the Off-Cycle Workbench | SAP Library for S/4HANA under Authorizations for Human Resources > Technical Aspects > Authorization Objects > P_OCWBENCH (HR: Activities in the Off-Cycle Workbench)
S_TMS_ACT | Actions on TemSe objects | The authorization determines who may execute which operations on which TemSe objects | SAP Library for S/4HANA under Authorizations for Human Resources > Technical Aspects > Authorization Objects > S_TMS_ACT (TemSe: Actions on TemSe Objects)
For documentation about authorization objects, see SAP Library for S/4HANA and choose Human Resources >
HR Tools > Authorizations for Human Resources > Technical Aspects > Authorization Objects.
Authorizations for Posting Data to Accounting
The authorization check for posting data to Accounting is performed using report authorizations. This means that
the level of detail of the data depends on which report is called, so access to each level of detail can be restricted
using the corresponding report authorizations.
When posting data to Accounting, the following authorization checks are made:
● Report RPCIPA00
  ○ Authorization object S_PROGRAM, based on report RPCIPA00
  ○ Authorization object P_PYEVRUN, based on:
    ○ Run type PP
    ○ Run information (simulation, productive)
    ○ Activity (display)
● Report RPCIPS00
  ○ Authorization object S_PROGRAM, based on report RPCIPS00
  ○ Authorization object P_PYEVDOC, based on:
    ○ Company code of document
    ○ Activity (display of contents of posting document)
● Report RPCIPD00
  ○ Authorization object S_PROGRAM, based on report RPCIPD00
  ○ Authorization object P_PYEVDOC, based on:
    ○ Company code of document
    ○ Activity (display of detailed posting information with data related to personnel number)
For more information, see SAP Note 1235291.
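The two-layer check described above (report authorization first, then the payroll-specific object with its field values) can be modelled outside the SAP system. The following Python model is an added example, not SAP code: it reproduces the AUTHORITY-CHECK semantics (one authorization must allow all required field values at once, "*" matches any value) for the three reports listed, and shows why a user needs both layers. The field names REPORT, RUN_TYPE, RUN_INFO, COMPANY_CODE and ACTIVITY, the activity values, and the two sample users are constructed for illustration; S_PROGRAM is keyed by report name here, whereas the real object uses the report's authorization group.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Authorization:
    """One authorization: an object and the values granted for each field.

    "*" grants every value of a field, as in an ABAP authorization field.
    The field names used in this model (REPORT, RUN_TYPE, RUN_INFO,
    COMPANY_CODE, ACTIVITY) and the activity values are constructed for
    illustration; they are not SAP's technical field names or ACTVT codes.
    """
    obj: str
    fields: Dict[str, Tuple[str, ...]]


def field_allows(allowed: Iterable[str], value: str) -> bool:
    """A field check passes on an exact match or on the "*" wildcard."""
    allowed = tuple(allowed)
    return "*" in allowed or value in allowed


class User:
    def __init__(self, name: str, authorizations: Iterable[Authorization]):
        self.name = name
        self.authorizations = tuple(authorizations)

    def authority_check(self, obj: str, **required: str) -> bool:
        """Analogue of AUTHORITY-CHECK: succeeds only if one single
        authorization for `obj` allows every required field value at once.
        Values from two different authorizations are never combined."""
        return any(
            auth.obj == obj
            and all(field_allows(auth.fields.get(f, ()), v) for f, v in required.items())
            for auth in self.authorizations
        )


# Payroll-specific check each report performs after the S_PROGRAM check, from
# the list above: (object, context fields the caller must supply, activity).
REPORT_CHECKS = {
    "RPCIPA00": ("P_PYEVRUN", ("RUN_TYPE", "RUN_INFO"), "display"),
    "RPCIPS00": ("P_PYEVDOC", ("COMPANY_CODE",), "display"),
    "RPCIPD00": ("P_PYEVDOC", ("COMPANY_CODE",), "display_detail"),
}


def check_posting_report(user: User, report: str, **context: str) -> Tuple[bool, Optional[str]]:
    """Two-step check for one of the posting reports.

    Returns (allowed, name of the failed check or None). Starting the report
    is gated by S_PROGRAM first; only then is the payroll object checked, so a
    user without the report authorization is refused even when a P_PYEV*
    authorization would have allowed the data.
    """
    if report not in REPORT_CHECKS:
        return False, "unknown report"
    # Simplification: the real S_PROGRAM check uses the report's authorization
    # group; this model keys it by the report name instead.
    if not user.authority_check("S_PROGRAM", REPORT=report):
        return False, "S_PROGRAM"
    obj, context_fields, activity = REPORT_CHECKS[report]
    required = {f: context[f] for f in context_fields}
    required["ACTIVITY"] = activity
    if not user.authority_check(obj, **required):
        return False, obj
    return True, None


def sample_users() -> Dict[str, User]:
    """Constructed users that show how the two layers interact."""
    all_three_reports = Authorization("S_PROGRAM", {"REPORT": tuple(REPORT_CHECKS)})
    display_runs = Authorization(
        "P_PYEVRUN",
        {"RUN_TYPE": ("PP",), "RUN_INFO": ("productive", "simulation"), "ACTIVITY": ("display",)},
    )
    # Display-only on documents of company code 1000; no personnel-number detail.
    docs_1000 = Authorization("P_PYEVDOC", {"COMPANY_CODE": ("1000",), "ACTIVITY": ("display",)})
    # Detail view on every company code, but S_PROGRAM only for the summary reports.
    summary_reports = Authorization("S_PROGRAM", {"REPORT": ("RPCIPA00", "RPCIPS00")})
    docs_detail_all = Authorization(
        "P_PYEVDOC", {"COMPANY_CODE": ("*",), "ACTIVITY": ("display", "display_detail")}
    )
    return {
        "clerk_1000": User("clerk_1000", [all_three_reports, display_runs, docs_1000]),
        "auditor": User("auditor", [summary_reports, display_runs, docs_detail_all]),
    }


if __name__ == "__main__":
    users = sample_users()
    print(check_posting_report(users["clerk_1000"], "RPCIPA00", RUN_TYPE="PP", RUN_INFO="productive"))
    print(check_posting_report(users["clerk_1000"], "RPCIPS00", COMPANY_CODE="2000"))
    print(check_posting_report(users["clerk_1000"], "RPCIPD00", COMPANY_CODE="1000"))
    print(check_posting_report(users["auditor"], "RPCIPD00", COMPANY_CODE="1000"))
```

The model makes the least-privilege consequence of the page's design visible: the clerk can display posting runs and the documents of company code 1000 but is stopped by P_PYEVDOC both for another company code and for the personnel-number level of RPCIPD00, while the auditor, who holds a wide P_PYEVDOC authorization, is still stopped by S_PROGRAM because the report authorization is the first gate.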
13.13.4.2.4 Communication Channel Security
Use
The table below shows the communication channels used by Payroll, the protocol used for the connection, and
the type of data transferred.
Table 313: Communication Paths
Communication Paths | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Interface Toolbox (transaction PU12) | ALE, local files | Determined by the user | Salary data, HR master data
Display posting runs (transaction PCP0) | ALE | Data for cost accounting | Salary data (accumulated in part)
Display documents from Accounting | ALE | Documents from Accounting |
Data medium files (creation in Accounting) | Local files | Files for transfer of bank transfers to the banks | Salary data
Display original document for an external wage component in infotype External Wage Components (0579) | RFC | Documents from Accounting | Additional salary data from external systems
RFC connections can be protected using Secure Network Communications (SNC). For more information, see the
SAP NetWeaver Security Guide under Transport Layer Security.
Recommendation
We strongly recommend that you use secure protocols (SSL, SNC) where possible.
In addition, there is an authorization check for calling the RFC-capable function module itself (CALL
FUNCTION 'AUTHORITY_CHECK_RFC'). For more information, see SAP NetWeaver Library and choose RFC
Programming in ABAP.
For more information about the security of ALE connections, see SAP NetWeaver Security Guide ALE.
13.13.4.2.5 Data Storage Security
Data Storage
The payroll results are saved in compressed form in an INDX-like table. In the standard system, access is protected
using the read and write authorizations for the infotypes and the authorizations for the required cluster.
The Payroll data and the posting to Accounting are saved to the databases of SAP NetWeaver Application Server
(AS) ABAP. Payroll uses the standard security concept of SAP NetWeaver AS for ABAP for this.
The payroll results in the table PCL2 are protected using the authorization object P_PCLX.
The posting data is stored in the table PPOIX and other transparent tables. Access to the posting data is regulated
using the report authorizations. For more information, see Authorizations under Payroll.
Caution
Data stored in database tables can be displayed using the transactions SE16 or SE16N even without an
application-specific authorization check. To prevent this, you remove the authorizations for these transactions
in productive systems or adjust them accordingly.
For more information, see SAP NetWeaver Library under Authorization Checks and in SAP NetWeaver
Application Server for ABAP. For the SAP NetWeaver Application Server for ABAP Security Guide, see SAP
Service Marketplace at http://service.sap.com/securityguide .
Using Logical Paths and File Names to Protect Access to the File System
Payroll saves data in files in the local file system. Therefore, it is important to grant access explicitly to the
required files in the file system only, so that other directories or files cannot be reached (directory traversal).
This is achieved by entering logical paths and file names in the system that are assigned to the physical paths and
file names. This assignment is validated at runtime. If access to a directory is requested that does not correspond
to a stored assignment, an error occurs.
The following lists show the logical file names and paths that are used by Payroll, and the reports for which these
file names and paths are valid:
Logical File Names and Path Names Used in Payroll
The following logical file names and logical file paths were created using transaction FILE to facilitate the
validation of physical file names:
Table 314:
Logical File Name | Reports That Use These Logical File Names | Logical File Path
HR_XX_DIR_RPUFCP01 | RPUFCP01 | HR_XX_DIR_RPUFCP01
In addition, country-specific logical file names and file paths were created for some country versions. For more
information, see the following sections of the Security Guide:
● Country-Specific Features: Canada
● Country-Specific Features: Germany
● Country-Specific Features: Great Britain
● Country-Specific Features: Non-Profit Organizations
● Country-Specific Features: Singapore
● Country-Specific Features: USA
● Country-Specific Features: Other Countries
Activating Validation of Logical Paths and File Names
These logical paths and file names are specified in the system for the corresponding reports. Due to downward
compatibility reasons, the validation is deactivated by default at runtime. To activate the validation at runtime, you
maintain the physical path using the transactions FILE (client-independent) and SF01 (client-dependent). To
determine which paths are used by your system, you can activate the corresponding settings in the Security Audit
Log.
For more information, see the following:
● Logical File Names
● Protecting Access to the File System
● Security Audit Log
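The mechanism described in this section (logical file name, assigned logical path, restriction to specific reports, and a runtime validation that can be switched on) can be illustrated with a small model. The Python below is an added example and not SAP code: the real check is performed by the system against the definitions maintained in transaction FILE, whereas this model only shows what the validation has to guarantee. It uses the logical name HR_XX_DIR_RPUFCP01 and the report RPUFCP01 from Table 314; the physical directory /usr/sap/trans/hr/rpufcp01/ and the function name physical_path_for are assumptions.

```python
import posixpath
from typing import Dict, Tuple

# Constructed assignment of logical paths to physical directories, in the
# spirit of what transaction FILE stores. The logical names come from Table
# 314; the physical directory is an assumption for this example.
LOGICAL_PATHS: Dict[str, str] = {
    "HR_XX_DIR_RPUFCP01": "/usr/sap/trans/hr/rpufcp01/",
}

# Logical file name -> (logical path it is assigned to, reports allowed to use it).
LOGICAL_FILES: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "HR_XX_DIR_RPUFCP01": ("HR_XX_DIR_RPUFCP01", ("RPUFCP01",)),
}


def physical_path_for(logical_file: str, report: str, file_name: str,
                      validation_active: bool = True) -> Tuple[bool, str]:
    """Map a logical file name plus a user-supplied file name to a physical path.

    Returns (accepted, physical path or rejection reason). With
    validation_active the resolved path must stay inside the directory that
    the logical path is assigned to; with it off (the downward-compatible
    default described above) the name is passed through unchecked, which is
    the gap that activating the validation closes.
    """
    if logical_file not in LOGICAL_FILES:
        return False, "rejected: unknown logical file name"
    logical_path, allowed_reports = LOGICAL_FILES[logical_file]
    if report not in allowed_reports:
        return False, f"rejected: report {report} is not assigned to {logical_file}"
    base_dir = LOGICAL_PATHS[logical_path]  # always ends with '/'

    if not validation_active:
        # Downward-compatible mode: no check, relative names are simply prefixed.
        return True, file_name if file_name.startswith("/") else base_dir + file_name

    if not file_name or "\x00" in file_name or file_name.startswith("/"):
        return False, "rejected: empty, absolute or malformed file name"
    # Collapse '.' and '..' segments, then require the result to stay below base_dir.
    candidate = posixpath.normpath(posixpath.join(base_dir, file_name))
    if not candidate.startswith(base_dir):
        return False, "rejected: resolves outside the assigned directory"
    return True, candidate


if __name__ == "__main__":
    for name in ("payroll_201712.txt", "sub/../payroll_201712.txt",
                 "../other_dir/export.txt", "/tmp/export.txt"):
        print(name, "->", physical_path_for("HR_XX_DIR_RPUFCP01", "RPUFCP01", name))
```

The check is purely lexical: it normalises the path and then requires the configured directory as prefix, so a name containing ".." is rejected whenever it would leave that directory. On a real file system, symbolic links inside the directory are not covered by a string check and need a resolution of the real path at open time; the restriction to named reports mirrors the "reports for which these file names are valid" column of Table 314.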
13.13.4.2.6 Security for Additional Applications
Display of Documents Using Remote Function Call (RFC)
Posting Data to Accounting
Administrators for Accounting can use the transaction PCP0 (Display posting runs) to display posting
documents for Human Resources by choosing Goto > Document Overview and then Goto > Accounting Documents.
The administrator requires a user for Human Resources that has the corresponding report authorizations for
posting data to Accounting (see Authorizations under Payroll). You can also deactivate this option by removing
the corresponding ALE function module.
Conversely, the authorization check for displaying documents from Accounting must be made from the HR
system to Accounting.
External Wage Components
From the External Wage Components infotype (0579), users can display the original document for an external
wage component. The document is displayed using the function module HR_PCIF_SHOW_RECEIPT, which calls
an RFC-capable function module in the external system. This function module then has to perform its own checks.
The function module BAPI_WAGE_COMP_EXT_GET_LIST is used to display a list of data of the External Wage
Components infotype (0579). This uses the function module HR_CHECK_AUTHORITY_INFTY for the
authorization check.
For the detailed view, the function module BAPI_WAGECOMPEXT_GETDETAIL is used. This uses the function
module HR_READ_INFOTYPE for the authorization check.
For more information, see SAP Note 318789.
Interface Toolbox and Outsourcing
The interface toolbox (transaction PU12) uses the cluster IF. It uses the following authorization objects:
● P_PCLX
● P_PCR
● S_TMS_ACT
● P_PBSPWE
Outsourcing uses ALE and local files with file access using transaction AL11. This is controlled using user exits in
the interface toolbox.
In the standard system, Outsourcing uses the logical system FILEPORT. You can use the transaction WE21 to
define customer-specific logical systems.
The XML conversion to IDOC is made using the function module OUT_IDOC_XML_TRANSFORM of the function
group HROT and the function group IDOC_XML1 (RSIDOCWF). The function module GUI_DOWNLOAD (function
group SFES) is also called for the conversion.
Communication with Authorities
For more information, see B2A: Communication with Authorities.
TemSe Files
The country versions for Payroll use reports in which sensitive data is displayed. For example, this data can be
from the following sensitive areas:
● Salary
● Tax
● Social insurance
● Pension contributions
● Court orders
This data is saved in temporary sequential (TemSe) files. The TemSe process is used for the following purposes:
● To create and output statutory forms, statistics, and analyses
● To download data for the front end server or application server directly, without storing the data as TemSe
objects beforehand. The data can then be transferred from the front end server or application server to a data
medium that can be transferred to the authorities.
● For posting data to Accounting
Caution
We recommend you no longer use the TemSe process for posting data to Accounting. If you run
Accounting and Human Resources in separate systems, we recommend instead that you use Application
Link Enabling (ALE). For more information, see SAP Notes 560301, 121614, and 125164.
You can control access to the TemSe objects within the SAP ERP system using the authorization object
S_TMS_ACT (TemSe: Actions on TemSe Objects). Data encryption is not necessary here.
You can find information about the TemSe objects for your country version in the Payroll documentation for your
country version.
13.13.4.2.6.1 B2A: Communication with Authorities
This section of the Security Guide provides an overview of security-relevant information for B2A: Communication
with Authorities. B2A: Communication with Authorities is based on SAP ERP Central Component and Human
Resources. Therefore, the corresponding sections in the Security Guide also apply for B2A: Communication with
Authorities.
B2A: Communication with Authorities is used by the following country versions:
● Switzerland
For more information, see Country-Specific Features: Switzerland
● Germany
For more information, see B2A: Communication with Authorities (PY-DE-BA).
● Great Britain
For more information, see Country-Specific Features: Great Britain
Underlying Security Guides
Table 315:
Security Guide of Scenario, Application, or Component | Path
Secure Store and Forward (SSF) | SAP NetWeaver Developers' Guide in SAP NetWeaver Library under Secure Store and Forward Mechanism (SSF)
SAP Business Connector (BC) | SAP Business Connector Security Guide
SAP NetWeaver Exchange Infrastructure/Process Integration (XI/PI) | SAP Process Integration (PI) Security Guides
For a complete list of available SAP Security Guides, see SAP Service Marketplace at http://service.sap.com/securityguide.
Important SAP Notes
Currently, there are no security-relevant SAP Notes for B2A.
Authorizations
For more information, see Authorizations.
13.13.4.2.6.1.1 Authorizations
Use
B2A: Communication with Authorities uses the authorization concept provided by SAP NetWeaver AS for ABAP.
Therefore, the security recommendations and guidelines for authorizations as described in the SAP NetWeaver
AS Security Guide ABAP also apply to B2A: Communication with Authorities.
Roles and Authorization Concept for B2A: Communication with Authorities
Standard Roles
Currently, there are no application-specific roles available.
Standard Authorization Objects
The following table shows the authorization objects relevant for security used by B2A: Communication with
Authorities.
Table 316: Standard Authorization Objects
Authorization Object | Field | Value | Description
P_B2A (HR-B2A: B2A Manager) | MOLGA | Country Grouping: unique identifier for a country, for example, 01 for Germany | You use this authorization object to determine the authorization check for B2A Manager. You need to maintain this authorization object only if you use B2A Manager.
P_B2A | B2A_WERKS | Authorization Check – Personnel Area |
P_B2A | B2A_BTRTL | Authorization Check – Personnel Subarea |
P_B2A | SAGRP | Area – identifies an application in Human Resources |
P_B2A | DOCTY | Document Type – includes documents of the same type within an area within the framework of the B2A functions |
P_B2A | B2A_ACTIO | S – Send Messages; D – Detail View for Messages; R – Reorganize Messages; L – Delete Messages; Z – Convert Status of Messages |
13.13.4.2.7 Country-Specific Features
The following chapters contain information on country-specific features.
13.13.4.2.7.1 Country-Specific Features: Australia
Sensitive Data
The Human Resources infotypes often contain sensitive data. This data is protected by central authorization
objects. For the country version for Australia (PY-AU, PA-PA-AU), this affects the tax file number (TFN number) in
the infotype TFN Australia (0227), for example.
More Information
Payroll (PY)
13.13.4.2.7.2 Country-Specific Features: Canada
Data Storage Security
For general information about data storage security in Payroll, see Data Storage Security under Payroll.
The following contains specific information about the logical file names and path names for Payroll Canada (PY-CA).
Logical File Names Used in Payroll Canada
The following logical file names were created to facilitate the validation of physical file names:
Table 317: Logical File Names and Reports
Logical File Name | Reports That Use These Logical File Names
HR_CA_DIR_CRA_XML_FILE_NAME_APPV | RPCYERK3_XML
HR_CA_DIR_CRA_XML_FILE_NAME_FEND | RPCYERK3_XML
HR_CA_DIR_CRA_XML_SCH_NAME_FEND | RPCYERK3_XML
HR_CA_DIR_MRQ_XML_FILE_NAME_APPV | RPCYERK3_MRQ_XML
HR_CA_DIR_MRQ_XML_FILE_NAME_FEND | RPCYERK3_MRQ_XML
HR_CA_DIR_MRQ_XML_SCH_NAME_APPV | RPCYERK3_MRQ_XML
HR_CA_DIR_MRQ_XML_SCH_NAME_FEND | RPCYERK3_MRQ_XML
HR_CA_DIR_ROE_FILE_NAME | RPCROEK0_DISPLAY_XML
HR_CA_DIR_ROE_FILE_NAME | RPCROEK0_XMPORTER
HR_CA_DIR_XML_FILE_NAME_FEND | RPCXMLK0_VALIDATE
HR_CA_DIR_XML_SCH_NAME_FEND | RPCXMLK0_VALIDATE
Logical Path Names Used in Payroll Canada
The logical file names listed above all use the logical file path HR_CA_FILE_PATH.
Particularly Sensitive Data
The Human Resources infotypes often contain sensitive data. This data is protected by central authorization
objects. For the country version for Canada, this includes the social insurance number (SIN) in the
infotype Personal Data (0002).
More Information
See Payroll (PY) in the S/4HANA Security Guide.
13.13.4.2.7.3 Country-Specific Features: Switzerland
Authorizations
The country version for Switzerland (PA-PA-CH, PY-CH) uses the standard authorization concept used by S/4HANA.
Therefore, the recommendations and guidelines for authorizations as described for S/4HANA also apply
to the country version for Switzerland.
Standard Authorization Objects
The country version for Switzerland uses the security-relevant authorization objects that are available for
Personnel Management and Payroll.
For more information, see the following:
● Authorizations (Personnel Management)
● Authorizations (Payroll)
The following table shows the security-relevant authorization objects that are also used in the country version for
Switzerland.
Table 318: Country-Specific Authorization Objects
Authorization Object | Field | Value | Description
P_CH_PK | KONNR | Individual PF Account Number | HR-CH: Pension Fund: Account Access (see Authorizations for Human Resources > Technical Aspects > Authorization Objects > P_CH_PK (HR-CH: Pension Fund: Account Access))
P_CH_PK | AUTGR | HR-CH: Authorization group for PF accounts |
P_CH_PK | PKKLV | HR-CH: Pension fund: Authorization level for account access |
For the documentation for the authorization object P_CH_PK, see SAP Library for S/4HANA and choose Human
Resources > HR Tools > Authorizations for Human Resources > Technical Aspects > Authorization Objects.
Communication Channel Security
The following table presents the communication paths used by the country version for Switzerland for B2A:
Communication with Authorities, the protocol used by the connection, and the type of data transferred.
Table 319:
Communication Paths | Protocol Used | Type of Data Transferred | Data Requiring Particular Protection
ELM (Uniform Wage Notification Procedure) | External communication between PI* and distributor/authorities: HTTPS; internal communication between HR backend system and PI: RFC Adapter; internal communication between PI and PI: HTTP(S) | Personnel data | Personal data
* PI = SAP NetWeaver Exchange Infrastructure/Process Integration (XI/PI)
You can use Secure Network Communications (SNC) to protect RFC connections. The Secure Sockets Layer
protocol (SSL protocol) protects HTTP connections.
Recommendation
We strongly recommend that you use secure protocols (SSL, SNC) where possible.
For more information, see the SAP NetWeaver Security Guide under Transport Layer Security.
For more information about B2A security, see B2A: Communication with Authorities.
More Information
See S/4 Security Guide for Human Resources and choose Payroll (PY).
13.13.4.2.7.4 Country-Specific Features: Germany
Authorizations
The country version for Germany (Payroll and/or Personnel Administration) uses the standard authorization
concept used by S/4HANA. Therefore, the recommendations and guidelines for authorizations as described for
S/4HANA also apply to the country version for Germany (PY-DE, PA-PA-DE).
Standard Roles
For information about the standard roles used by Payroll, see Authorizations.
The following table shows the standard roles that the country version for Germany also uses.
Table 320: Standard Roles
Role | Description
SAP_AUDITOR_TAX_HR | Role HR-DE Audit § 147 AO (Template) for Personnel Administration Germany (PA-PA-DE)
Standard Authorization Objects
The country version for Germany uses the security-relevant authorization objects that are available for Personnel
Management and Payroll.
For more information, see the following:
● Authorizations (Personnel Management)
● Authorizations (Payroll)
The following table shows the security-relevant authorization objects that are also used in the country version for
Germany.
Table 321: Country-Specific Authorization Objects
Authorization Object | Field | Value | Description
P_DBAU_SKV (HR: DBAU: Construction Industry Germany - Social Fund Procedure) | ACTVT | Add or Create; Display; Delete | This object is only used in Construction Pay Germany, and then only within the framework of the report for the social fund procedure. A check is made as to which reports are to be run by an administrator using which parameters or worksteps. For more information, see SAP Library for S/4HANA under P_DBAU_SKV (HR: DBAU: Construction Pay Germany – Social Fund Procedure).
P_DBAU_SKV | REPID | ABAP Report Name: contains the name of a report in which the authorization object is checked, for example, the evaluation report for the social fund procedure. The authorization granted applies only to this report. |
P_DBAU_SKV | RZNUM | Data Center Number for Construction Industry Social Fund: determines the data center numbers to which a granted authorization applies |
P_DBAU_SKV | ZVKAS | Social Fund: determines the social funds for which a granted authorization applies |
P_DE_BW (HR-DE: SAPScript Statements) | BEWID | Statement Identifier: identifies exactly one statement within Statements | This object determines the authorization check within Statements (with SAPScript) for German Payroll. For more information, see SAP Library for S/4HANA under P_DE_BW (HR-DE: Statements SAPScript).
P_DE_BW | BSUBJ | Functional Area ID for Statements: logical subdivision of statements according to individual topics. Values 01–04 |
P_DE_BW | BACT | E = Creation of Statements; A = Asynchronous Archiving; S = Fast Data Entry/Ad-hoc Query; D = Create Data Records; V = Administrate Archived Statements; Z = Display Archived Statements |
For the documentation for the authorization objects, see SAP Library for S/4HANA and choose Human
Resources > HR Tools > Authorizations for Human Resources > Technical Aspects > Authorization Objects.
Data Storage Security
For general information about data storage security in Payroll, see Data Storage Security.
The following contains specific information about the logical file names and path names for Payroll Germany (PY-DE).
Logical File Names Used in Payroll Germany
The following logical file names and logical file paths were created to facilitate the validation of physical file names:
Table 322: Logical File Names, Reports, and File Paths
Logical File Name | Reports That Use These Logical File Names | Logical File Path
HR_DE_DIR_B2A_KK_ZERTLIST | RPUSVKD0 | HR_DE_B2A_KK_ZERTLIST
HR_DE_DIR_B2A_KK_ZERTREQUEST | RPUSVKD0 | HR_DE_B2A_KK_ZERTREQUEST
HR_DE_DIR_B2A_KK_ZERTRESPONSE | RPUSVKD0 | HR_DE_B2A_KK_ZERTRESPONSE
HR_DE_DIR_RBM_IN | RPCRBMD0_INBOUND | HR_DE_DIR_RBM_IN
HR_DE_DIR_RBM_OUT | RPCZFADD_INBOUND | HR_DE_DIR_RBM_OUT
HR_DE_DIR_RBM_PRO | RPCRBMD0_INBOUND | HR_DE_DIR_RBM_PRO
HR_DE_DIR_RPCAODD0 | RPCAOPD0, RPCOADD0 | HR_DE_TX_DATENUEBERLASSUNG_PFAD
HR_DE_DIR_RPCEHBD0 | RPCEHBD0 | HR_DE_DIR_RPCEHBD0
HR_DE_DIR_RPCEHCD1 | RPCEHCD1 | HR_DE_DIR_RPCEHCD1
HR_DE_DIR_RPCEHFD0 | RPCEHFD0 | HR_DE_DIR_RPCEHFD0
HR_DE_DIR_RPCSVGD0 | RPCSVGD0 | HR_DE_DIR_RPCSVGD0
HR_DE_DIR_RPLEHAD3 | RPLEHAD3 | HR_DE_DIR_RPLEHAD3
HR_DE_DIR_RPSKGOD0 | RPSKGOD0 | HR_DE_DIR_RPSKGOD0
HR_DE_DIR_RPSPSDD0 | RPSPSDD0 | HR_DE_DIR_RPSPSDD0
HR_DE_DIR_RPURZBD0 | RPURZBD0 | HR_DE_DIR_RPURZBD0
HR_DE_DIR_RPUTXCD0 | RPUTXCD0 | HR_DE_TX_RPUTXED0_PFAD
HR_DE_DIR_RPUTXED0 | RPUTXED0 | HR_DE_TX_RPUTXED0_PFAD
HR_DE_DIR_RPUVEODD | RPUVEODD | HR_DE_DIR_RPUVEODD
HR_DE_DIR_RPUWEDDA | RPUWEDDA | HR_DE_DIR_RPUWEDDA
HR_DE_DIR_RPUZVCD2 | RPUZVCD2 | HR_DE_PBSZV2006_NOTIFS
HR_DE_DIR_RPUZVTD2 | RPUZVTD2 | HR_DE_PBSZV2006_NOTIFS
HR_DE_DIR_RPXKHSD0 | RPXKHSD0 | HR_DE_DIR_RPXKHSD0
HR_DE_DIR_ZFA_INCOMING | RPCZFADD_INBOUND | HR_DE_DIR_ZFA_INCOMING
HR_DE_DIR_ZFA_OUTGOING | RPCZFADD_INBOUND | HR_DE_DIR_ZFA_OUTGOING
HR_DE_DIR_ZFA_PROCESSED | RPCZFADD_INBOUND | HR_DE_DIR_ZFA_PROCESSED
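Logical file names decouple a program from the physical directory it reads or writes: the program refers to the file by its logical name, and the physical name it is about to open is checked against the logical path bound to that name (in the ABAP stack the definitions are maintained in transaction FILE and the check is performed by function module FILE_VALIDATE_NAME). The following Python block is an added illustrative model of that check and is not SAP's code. The profile parameter value, the directory templates and the binding of logical file names to logical paths are constructed assumptions; only the names HR_DE_DIR_RPCEHBD0, HR_DE_DIR_RPUTXED0 and HR_DE_TX_RPUTXED0_PFAD come from Table 322. It shows why the check must operate on the normalised path and why a plain prefix comparison is not enough.

```python
"""Illustrative model of validating a physical file name against a logical
file name and its logical path. Added example, NOT SAP's implementation of
FILE_VALIDATE_NAME; it only models the kind of check that function performs.
All definitions below are constructed except the logical names from Table 322."""
import posixpath
import re

# Constructed: profile parameters that a logical path may reference as <P=...>.
PROFILE_PARAMS = {"DIR_HOME": "/usr/sap/S4H/D00/work"}

# Constructed: logical path -> path template. SAP templates use <P=PARAM> and
# <FILENAME> placeholders; the directory components here are assumptions.
LOGICAL_PATHS = {
    "HR_DE_DIR_RPCEHBD0": "<P=DIR_HOME>/hr/de/ehb/<FILENAME>",
    "HR_DE_TX_RPUTXED0_PFAD": "<P=DIR_HOME>/hr/de/tax/<FILENAME>",
}

# Constructed: logical file name -> logical path it is bound to.
LOGICAL_FILES = {
    "HR_DE_DIR_RPCEHBD0": "HR_DE_DIR_RPCEHBD0",
    "HR_DE_DIR_RPUTXED0": "HR_DE_TX_RPUTXED0_PFAD",
}


def resolve_directory(logical_path):
    """Expand <P=...> parameters and return the normalised directory part
    (everything in front of the <FILENAME> placeholder)."""
    template = LOGICAL_PATHS[logical_path]
    expanded = re.sub(r"<P=([A-Za-z0-9_]+)>",
                      lambda m: PROFILE_PARAMS[m.group(1)], template)
    directory, sep, _rest = expanded.partition("<FILENAME>")
    if not sep:
        raise ValueError(f"{logical_path}: template lacks <FILENAME>")
    return posixpath.normpath(directory)


def validate_physical_name(logical_file, physical_name):
    """Return True only if physical_name is a file directly inside the
    directory of the logical path bound to logical_file. Relative names are
    resolved against that directory; '..' segments, sub-paths and sibling
    directories that merely share a prefix are rejected."""
    logical_path = LOGICAL_FILES.get(logical_file)
    if logical_path is None:
        return False                      # unknown logical name: never trust it
    base = resolve_directory(logical_path)
    if not posixpath.isabs(physical_name):
        physical_name = posixpath.join(base, physical_name)
    candidate = posixpath.normpath(physical_name)   # collapses '..' and '//'
    # Compare against base + '/' so that '.../hr/de/ehb_evil/x' is not
    # accepted by a naive startswith() against '.../hr/de/ehb'.
    if candidate == base or not candidate.startswith(base + "/"):
        return False
    # The template allows a file name, not a further sub-path.
    return "/" not in candidate[len(base) + 1:]
```

The two interesting rejections are the traversal case, which only becomes visible after normalisation, and the sibling-directory case, which passes a prefix test but fails the `base + "/"` test.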
More Information
See Payroll (PY) under S/4HANA Security Guide Human Resources.
13.13.4.2.7.4.1 B2A: Communication with Authorities (PY-DE-BA)
About This Chapter
This section of the Security Guide provides an overview of security-relevant information for B2A: Communication
with Authorities (PY-DE-BA).
References to Cross Chapters
B2A: Communication with Authorities (PY-DE-BA) is based on S/4HANA, Human Resources, or Personnel
Management. Therefore, the corresponding Security Guides also apply to B2A: Communication with Authorities
(PY-DE-BA). Note in particular the most important sections or specific restrictions that are entered in the
following table.
Underlying Security Guides
Table 323:
Security Guide of Scenario, Application, or Component | Path
Secure Store and Forward (SSF) | SAP NetWeaver Developers' Guide in SAP NetWeaver Library under Secure Store and Forward Mechanism (SSF)
SAP Business Connector (BC) | http://service.sap.com/securityguide > SAP Business Connector Security Guide
SAP NetWeaver Exchange Infrastructure/Process Integration (XI/PI) | http://service.sap.com/securityguide > SAP Process Integration (PI) Security Guides
For a complete list of available SAP Security Guides, see SAP Service Marketplace at http://service.sap.com/securityguide.
Important SAP Notes
Currently, there are no security-relevant SAP Notes for B2A.
Configuration
For information about the general settings for setting up B2A: Communication with Authorities (PY-DE-BA), see
Customizing for Payroll under Payroll: Germany Communication with Authorities (B2A) .
Data Flow and Process
● ELSTER: The data is encrypted and signed before being transferred from the HR system to the tax authorities.
● ELENA: The data is encrypted and signed before being transferred from the HR system to the pension insurance.
● SI (DEUEV, …): The data is encrypted and signed before being transferred from the HR system to the health insurance fund.
Authorizations
For more information, see Authorizations under B2A: Communication with Authorities.
13.13.4.2.7.4.1.1 Communication Channel Security
Use
The following table shows the communication paths that B2A: Communication with Authorities (PY-DE-BA) uses,
the protocol used for the connection, and the type of data transferred.
Table 324:
Communication Paths | Protocol Used | Type of Data Transferred | Data Requiring Particular Protection
ELSTER | HTTP. Internal: HR system -> middleware (BC or PI), communication channel RFC. External: middleware -> tax authorities, communication channel HTTP | Personnel data | Person-related data
ELENA | HTTP/HTTPS/E-mail | Personnel data | Person-related data
SI (DEUEV, …) | HTTP/E-mail | Personnel data | Person-related data
ZfA/PRN | VPN | Personnel data | Person-related data
Recommendation
We strongly recommend that you use secure protocols (SSL, SNC) where possible.
For more information, see the SAP NetWeaver Security Guide under Transport Layer Security.
Communication Destinations
The following table provides an overview of the communication destinations that B2A: Communication with
Authorities (PY-DE-BA) uses.
Table 325:
Destination | Provided | Type | Description
HR_DE_ELSTER | No | RFC | Transfer of data for ELSTER to middleware (BC, XI)
HR_DE_ELENA | No | HTTP/HTTPS | Transfer of data for ELENA to pension insurance
HR_DE_GKV | No | HTTP | Transfer of data for GKV to health insurance
Security-Relevant Logging and Tracing
● ELSTER: Tracing for error analysis using BI/BC is possible.
● ELENA: Tracing for error analysis using BC is possible.
● SI (DEUEV, …): Tracing for error analysis using ICM (transaction: SMICM) is possible.
● ZfA/PRN: Tracing for error analysis using ICM (transaction: SMICM) is possible.
13.13.4.2.7.5 Country-Specific Features: Denmark
Authorizations
The country version for Denmark (PA-PA-DK, PY-DK) uses the standard authorization concept used by S/4HANA.
Therefore, the recommendations and guidelines for authorizations as described for S/4HANA also apply to the
country version for Denmark.
Standard Authorization Objects
The country version for Denmark uses the security-relevant authorization objects that are available for Personnel
Management and Payroll.
For more information, see the following:
● Authorizations (Personnel Management)
● Authorizations (Payroll)
The following table shows the security-relevant authorization objects that are also used in the country version for
Denmark.
Table 326: Country-Specific Authorization Objects
Authorization Object | Field | Value | Description
P_DK_PBS | PBSFIRMA HR_DK (Company Used for PBS) | | Authorization check for PBS companies (see P_DK_PBS (HR-DK: Authorization check for access to PBS company))
For the documentation for the authorization object P_DK_PBS, see SAP Library for S/4HANA and choose Human Resources > HR Tools > Authorizations for Human Resources > Technical Aspects > Authorization Objects.
More Information
See Payroll (PY) under S/4HANA Security Guide for Human Resources.
13.13.4.2.7.6 Country-Specific Features: Spain
Authorizations
The country version for Spain (PA-PA-ES, PY-ES) uses the standard authorization concept used by S/4HANA.
Therefore, the recommendations and guidelines for authorizations as described for S/4HANA also apply to the
country version for Spain.
Standard Authorization Objects
The country version for Spain uses the security-relevant authorization objects that are available for Personnel Management and Payroll.
For more information, see the following:
● Authorizations (Personnel Management)
● Authorizations (Payroll)
The following table shows the security-relevant authorization objects that are also used in the country version for
Spain.
Table 327: Country-Specific Authorization Objects
Authorization Object | Field | Value | Description
P_ES_PA_OK | INFTY (Infotype), SUBTY (Subtype), PES_SPRPS (Lock indicator for HR master record), PES_FCODE (Function code), ACTVT (Activity) | | Authorization check for the function codes that are permitted for the HR master data of the country version for Spain
More Information
See Payroll (PY) under S/4HANA Security Guide for Human Resources.
13.13.4.2.7.7 Country-Specific Features: Great Britain
Communication Channel Security
The following table presents the communication paths used by the country version for Great Britain (PY-GB, PA-PA-GB) for B2A: Communication with Authorities, the protocol used by the connection, and the type of data transferred.
Table 328:
Communication Paths | Protocol Used | Type of Data Transferred | Data Requiring Particular Protection
E-Filing | Internal communication between HR back-end system and middleware: HTTP(S) (SAP Business Connector (BC): TCP/IP, or PI*: Proxy). External communication between middleware and tax authorities: HTTP(S) | Personnel data | Personal data
* PI = SAP NetWeaver Exchange Infrastructure/Process Integration (XI/PI)
HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.
Recommendation
We strongly recommend that you use secure protocols (SSL, SNC) where possible.
For more information, see the SAP NetWeaver Security Guide under Transport Layer Security.
For more information about B2A security, see B2A: Communication with Authorities.
For an introduction and user guide for E-Filing Incoming, see SAP Service Marketplace at http://service.sap.com/hrgb in the Media Center.
Communication Destinations
You can communicate with the GB Inland Revenue Gateway. The communication channel is encrypted with 128-bit SSL. The employees' tax data is transferred via RFC connections and using the protocol HTTPS.
Data Storage Security
For general information about data storage security in Payroll, see Data Storage Security.
The following contains specific information about the logical file names and path names for Payroll Great Britain (PY-GB).
Logical File Names Used in Payroll Great Britain
The following logical file names were created to facilitate the validation of physical file names:
Table 329: Logical File Names and Reports
Logical File Name | Reports That Use These Logical File Names
HR_GB_DIR_RPUASHG0 | RPUASHG0
HR_GB_DIR_RPUHESG1 | RPUHESG1
HR_GB_DIR_RPUTPSG0 | RPUTPSG0
HR_GB_DIR_RPUUSSG0 | RPUUSSG0
HR_GB_DIR_RPUUSSG1 | RPUUSSG1
Logical Path Names Used in Payroll Great Britain
The logical file names listed above all use the logical file path HR_GB_DIR_FILEPATH.
More Information
See Payroll (PY) under S/4HANA Security Guide for Human Resources.
13.13.4.2.7.8 Country-Specific Features: The Netherlands
Authorizations
The country version for The Netherlands (PA-PA-NL, PY-NL) uses the standard authorization concept used by S/4HANA. Therefore, the recommendations and guidelines for authorizations as described for S/4HANA also apply to the country version for The Netherlands.
Standard Authorization Objects
The country version for The Netherlands uses the security-relevant authorization objects that are available for
Personnel Management and Payroll.
For more information, see the following:
● Authorizations (Personnel Management)
● Authorizations (Payroll)
The following table shows the security-relevant authorization objects that are also used in the country version for
The Netherlands.
Table 330: Country-Specific Authorization Objects
Authorization Object | Field | Value | Description
P_NL_AEDM | JUPER (Legal person), ACTVT (Activity) | | HR: Authorization object for Day-one-announcement
P_NL_LA06 | JUPER (Legal person), ACTVT (Activity) | | HR: Authorization object for wage return 2006
P_NL_PKAB | ACTVT (Activity) | | Authorization object for PF Actuarial file
P_NL_PKEV | KASSE (Pension Fund), EVENT (HR-NL: Event), PKELV (Authorization level for reading event) | | Authorization object for PF events
P_NL_PKFKT | PKNL_PKFKT (PK Function) | | Authorization object for PF functions
P_NL_PKFXV | KASSE (Pension Fund), PKNL_FXVIE (Function view of fund) | | Authorization object for PF function views
P_NL_PKTB | ACTVT (Activity) | | Authorization object for PF pay scale calculation
Communication Destinations
You can use the Gemeentelijke Basis Administratie (GBA) interface to upload the inbound data for retirement
pension plan for the country version for The Netherlands.
More Information
See Payroll (PY) in the S/4HANA Security Guide for Human Resources.
13.13.4.2.7.9 Country-Specific Features: Italy
Important SAP Notes
The following table presents the most important SAP Notes regarding security for the country version for Italy
(PA-PA-IT, PY-IT).
Table 331:
Title | SAP Note | Comment
Change of master data in a productive payroll | 385319 |
Authorizations
The country version for Italy uses the standard authorization concept used by S/4HANA. Therefore, the
recommendations and guidelines for authorizations as described for S/4HANA also apply to the country version
for Italy.
Standard Authorization Objects
The country version for Italy uses the security-relevant authorization objects that are available for Personnel
Management and Payroll.
For more information, see the following:
● Authorizations (Personnel Management)
● Authorizations (Payroll)
Country-Specific Authorization Objects
The following table shows the security-relevant authorization objects that are also used in the country version for
Italy.
Table 332: Country-Specific Authorization Objects
Authorization Object | Field | Value | Description
P_IT_UERST | P_RESET (Reject posting for social insurance) | | Authorization for termination of social insurance (report RPCUEDI0)
More Information
See Payroll (PY) in the S/4HANA Security Guide for Human Resources.
13.13.4.2.7.10 Country-Specific Features: Non-Profit Organizations
Data Storage Security
For general information about data storage security in Payroll, see Data Storage Security.
The following contains specific information about the logical file names and path names for Payroll for Non-Profit
Organizations (PY-NGO).
Logical File Names Used in Payroll for Non-Profit Organizations
The following logical file names were created to facilitate the validation of physical file names:
Table 333: Logical File Names and Reports
Logical File Name | Reports That Use These Logical File Names
HR_UNUCMT_LOADER_FILE | HUNUCMT_LOADER
Logical Path Names Used in Payroll for Non-Profit Organizations
The logical file names listed above all use the logical file path HR_UN_FILEPATH.
More Information
See Payroll (PY) in the S/4HANA Security Guide for Human Resources.
13.13.4.2.7.11 Country-Specific Features: Norway
Authorizations
The country version for Norway (PY-NO, PA-PA-NO) uses the standard authorization concept used by S/4HANA.
Therefore, the recommendations and guidelines for authorizations as described for S/4HANA also apply to the
country version for Norway.
Standard Authorization Objects
The country version for Norway uses the security-relevant authorization objects that are available for Personnel
Management and Payroll.
For more information, see the following:
● Authorizations (Personnel Management)
● Authorizations (Payroll)
The following table shows the security-relevant authorization objects that are also used in the country version for
Norway.
Table 334: Country-Specific Authorization Objects
Authorization Object | Field | Value | Description
P_NO_ALTIN | ACTVT (Activity) | | Norway: Authorization to send data to Altinn Portal
More Information
See Payroll (PY) in the S/4HANA Security Guide for Human Resources.
13.13.4.2.7.12 Country-Specific Features: New Zealand
Sensitive Data
The Human Resources infotypes often contain sensitive data. This data is protected by central authorization
objects. For the country version for New Zealand (PY-NZ, PA-PA-NZ), this affects the employee IRD number in the
infotype IRD Nbr New Zealand (0309). You have the following options for accessing the number:
● Directly using the infotype IRD Nbr New Zealand (0309) with the transaction Maintain HR Master Data (PA30)
● By choosing the IRD Number pushbutton in the infotype Tax New Zealand (0313).
The authorizations required to read or change the IRD number depend on the authorizations in the user profile.
More Information
See Payroll (PY) in the S/4HANA Security Guide for Human Resources.
13.13.4.2.7.13 Country-Specific Features: Russia
Authorizations
The country version for Russia (PA-PA-RU, PY-RU) uses the standard authorization concept used by S/4HANA.
Therefore, the recommendations and guidelines for authorizations as described for S/4HANA also apply to the
country version for Russia.
Standard Authorization Objects
The country version for Russia uses the security-relevant authorization objects that are available for Personnel
Management and Payroll.
For more information, see the following:
● Authorizations (Personnel Management)
● Authorizations (Payroll)
The following table shows the security-relevant authorization objects that are also used in the country version for
Russia.
Table 335: Country-Specific Authorization Objects
Authorization Object | Field | Value | Description
P_RU_0294C | AUTHC (Authorization level) | | HR-RU: Authorization for checking records of infotype 0294
P_RU_PKMN | HR_RU_EVNT (Count parameter), HR_RU_PKID (Package type), HR_RU_REGN (Registration number), HR_RU_USER (Name of processor who changed the object) | | Authorization for checking HR_RU_PF DMS – Package Manager
More Information
See Payroll (PY) in the S/4HANA Security Guide for Human Resources.
13.13.4.2.7.14 Country-Specific Features: Saudi Arabia
Authorizations
The country version for Saudi Arabia (PA-PA-SA, PY-SA) uses the standard authorization concept of S/4HANA.
Therefore, the recommendations and guidelines for authorizations as described for S/4HANA also apply to this
country version.
Standard Authorization Group
Authorization group PCSA is provided with this country version.
13.13.4.2.7.15 Country-Specific Features: Singapore
Data Storage Security
For general information about data storage security in Payroll, see Data Storage Security.
The following contains specific information about the logical file names and path names for Payroll Singapore (PY-SG).
Logical File Names Used in Payroll Singapore
The following logical file names were created to facilitate the validation of physical file names:
Table 336: Logical File Names and Reports
Logical File Name | Reports That Use These Logical File Names
HR_SG_DIR_NRSFILENAME | RPCNRSR0_XML_ALV
Logical Path Names Used in Payroll Singapore
The logical file names listed above all use the logical file path HR_SG_DIR_NRS.
More Information
See Payroll (PY) in the S/4HANA Security Guide for Human Resources.
13.13.4.2.7.16 Country-Specific Features: USA
Important SAP Notes
The following table presents the most important SAP Notes regarding security for the country version for USA
(PA-PA-US, PY-US).
Table 337:
Title | SAP Note | Comment
Tax Reporter Transaction and Spool Security | 430595 |
Authorizations
The country version for USA uses the standard authorization concept used by S/4HANA. Therefore, the
recommendations and guidelines for authorizations as described for S/4HANA also apply to the country version
for USA.
Standard Authorization Objects
The country version for USA uses the security-relevant authorization objects that are available for Personnel
Management and Payroll.
For more information, see the following:
● Authorizations (Personnel Management)
● Authorizations (Payroll)
The following table shows the security-relevant authorization objects that are also used in the country version for
USA.
Table 338: Country-Specific Authorization Objects
Authorization Object | Field | Value | Description
P_USTR | ACTVT (Activity), PERSA (Personnel Area), BTRTL (Personnel Subarea) | | Authorizations for Tax Report
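The authorization objects listed in these country-specific tables are enforced by checks of the form AUTHORITY-CHECK OBJECT 'P_USTR' ID 'ACTVT' FIELD ... ID 'PERSA' FIELD ... ID 'BTRTL' FIELD .... The following Python block is an added illustrative model of how such a check evaluates the authorizations a user holds for one object; it is not SAP code. The user TAX_CLERK and its values are constructed, and value patterns are simplified to exact values, the full wildcard '*', trailing-'*' prefixes and inclusive (low, high) ranges. The point it demonstrates is that every field of the check must be satisfied by one and the same authorization: two authorizations for the same object are not merged into a cross-product, which is what to keep in mind when roles are copied or combined in PFCG.

```python
"""Illustrative model of an authorization check against a multi-field
authorization object such as P_USTR (ACTVT, PERSA, BTRTL). Added example,
not SAP code; patterns are a simplification of SAP authorization values."""
from typing import Dict, List, Tuple, Union

Pattern = Union[str, Tuple[str, str]]            # 'US01', 'US*', '*', or (low, high)
Authorization = Dict[str, List[Pattern]]        # field -> allowed patterns
UserAuths = Dict[str, List[Authorization]]      # object -> authorizations held


def value_matches(pattern: Pattern, value: str) -> bool:
    """One field value against one pattern."""
    if isinstance(pattern, tuple):              # inclusive range
        low, high = pattern
        return low <= value <= high
    if pattern == "*":                          # full wildcard
        return True
    if pattern.endswith("*"):                   # prefix pattern
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(user: UserAuths, obj: str, **fields: str) -> bool:
    """True if ANY single authorization for obj satisfies ALL requested
    fields. A field missing from an authorization fails that authorization.
    Values from different authorizations are never combined."""
    for auth in user.get(obj, []):
        if all(any(value_matches(p, val) for p in auth.get(f, []))
               for f, val in fields.items()):
            return True
    return False


# Constructed user: may display (03) tax data in every US personnel area, but
# may change (02) only in personnel area US01, personnel subarea 0001.
TAX_CLERK: UserAuths = {
    "P_USTR": [
        {"ACTVT": ["03"], "PERSA": ["US*"], "BTRTL": ["*"]},
        {"ACTVT": ["02"], "PERSA": ["US01"], "BTRTL": ["0001"]},
    ],
}


def can_display(user: UserAuths, persa: str, btrtl: str) -> bool:
    return authority_check(user, "P_USTR", ACTVT="03", PERSA=persa, BTRTL=btrtl)


def can_change(user: UserAuths, persa: str, btrtl: str) -> bool:
    return authority_check(user, "P_USTR", ACTVT="02", PERSA=persa, BTRTL=btrtl)
```

`can_change(TAX_CLERK, "US02", "0001")` returns False even though the user holds ACTVT 02 in one authorization and a PERSA pattern covering US02 in another; only `can_change(TAX_CLERK, "US01", "0001")` succeeds.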
Communication Channel Security
The following table shows the communication paths that the country version for USA uses, the protocol used for
the connection, and the type of data transferred.
Table 339:
Communication Paths | Protocol Used | Type of Data Transferred | Data Requiring Particular Protection
BSI Tax Factory for tax calculation | RFC | Tax data for the country version for USA |
You can use Secure Network Communications (SNC) to protect RFC connections.
Recommendation
We strongly recommend that you use secure protocols (SSL, SNC) where possible.
For more information, see the SAP NetWeaver Security Guide under Transport Layer Security.
Communication Destinations
You can exchange data with local servers or terminals for the VET and EEO reports for the country version for USA. You can use this function to download files from the application server to a presentation server. You then receive the text files required by the authorities in the output format .txt, which complies with the legal requirements.
In the standard system, this data is not encrypted. You decide which level of encryption to apply if you send the data to the Federal Commission or the Department of Labor.
The following table presents an overview of the communication destinations that the country version for USA
uses.
Table 340: Communication Destinations
Destination | Provided | Type | Description
BSI | For country version for USA | RFC with the function module PAYROLL_TAX_CALC_US | PAYROLL_TAX_CALC_US_50, PAYROLL_TAX_CALC_US_60, PAYROLL_TAX_CALC_US_70
Data Storage Security
For general information about data storage security in Payroll, see Data Storage Security.
The following contains specific information about the logical file names and path names for Payroll USA (PY-US).
Logical File Names Used in Payroll USA
The following logical file names were created to facilitate the validation of physical file names:
Table 341: Logical File Names and Reports
Logical File Name | Reports That Use These Logical File Names
HR_US_TR_XML_SCHEMA | RPCTRTU1_XML
Logical Path Names Used in Payroll USA
The logical file names listed above all use the logical file path HR_US_TR.
Particularly Sensitive Data
The Human Resources infotypes often contain sensitive data. This data is protected by central authorization
objects. For the country version for USA, this includes the social security number (SSN number) in the infotype
Personal Data (0002).
Other Security-Relevant Information
You can use the interface toolbox (transaction PU12) to update the taxability model. Currently, there are no
special authorizations for this. For more information about the interface toolbox, see section Security for
Additional Applications under Payroll.
You have the following options to prevent unauthorized or unintentional updates of the database PCL4:
● You can use the feature UTXSS to activate and deactivate the authorization checks for the tax report.
● You can use the feature UTXSP to specify codes for spool authorizations depending on the tax company and
the tax class.
For more information, see the documentation of the features in the S/4HANA system.
More Information
See Payroll (PY) in the S/4HANA Security Guide for Human Resources.
13.13.4.2.7.17 Country-Specific Features: Other Countries
Data Storage Security
For general information about data storage security in Payroll, see Data Storage Security.
The following contains specific information about the logical file names and path names for Payroll for Other
Countries (PY-XX).
Logical File Names Used in Payroll for Other Countries
The following logical file names and logical file paths were created to facilitate the validation of physical file names:
Table 342: Logical File Names, Reports/Function Modules, and File Paths
Logical File Name | Reports or Function Modules That Use These Logical File Names | Logical File Path
HR_XX_DIR_B2AFILE | Report H99_B2AFILE | HR_XX_DIR_B2AFILE
HR_XX_DIR_RPUFCP01 | Report RPUFCP01 | HR_XX_DIR_RPUFCP01
HR_XX_DIR_RH_CALL_ORGDISPLAY | Function module RH_CALL_ORGDISPLAY | HR_XX_DIR_RH_CALL_ORGDISPLAY
HR_XX_DIR_RHMOVE40 | Report RHMOVE40 | PD_DATASET
HR_OT_FILEPORT | Report RPUOTFL0 | HR_OT_DIR_FILEPORT
More Information
See Payroll (PY) in the S/4HANA Security Guide for Human Resources.
13.13.4.3 Self-Services
13.13.4.3.1 Important SAP Notes
Definition
This chapter of the Security Guide provides you with information about the following self-service components:
● Business Unit Analyst (BUA)
● Project Self-Services (PSS)
● Higher Education and Research (IS-HER-CSS)
● General Parts (PCUI_GP)
If not stated otherwise, the security settings for user management and authorizations apply to all of the aforementioned components.
The following self-service components have their own sections in this chapter:
● Employee Self-Service
● Manager Self-Service
Note
For these components, all security-relevant information is included in the relevant subsections.
Important SAP Notes
The table below shows important SAP Notes that apply to the security for some Self-Service applications. For
more information about standard roles for assigning authorization in the Self-Service applications, see the
Authorizations section of this Security Guide.
Table 343: Important SAP Notes
SAP Note Number | Title | Comment
846439 | PSS: Authorizations and roles for Web Dynpro | This SAP Note contains the authorization objects and the default values defined for the Web Dynpro applications for Project Self-Services (component EP-PCT-PLM-PSS).
13.13.4.3.2 User Management
Use
User management for Self-Service applications uses the mechanisms provided with the SAP NetWeaver Application Server, for example, tools, user types, and password policy. For an overview of how these mechanisms apply for Self-Service applications, see the sections below.
User Administration Tools
The table below shows the tools to use for user management and user administration with the Self-Service
applications.
Table 344: User Management Tools
Tool | Detailed Description | Prerequisites
User and role maintenance in SAP NetWeaver AS for ABAP (transactions SU01 and PFCG) | You can use the Role Maintenance (PFCG) transaction to generate profiles for your self-service users. |
For more information, see the Users and Roles section in SAP Library for SAP NetWeaver (see also help.sap.com > Documentation > SAP NetWeaver).
User Types
For information about the user types, see the SAP NetWeaver Application Server ABAP Security Guide.
Recommendation
For portal roles, we recommend that you set up the connection between the portal and the connected systems (ECC system, J2EE Engine, BW system) such that each individual user has access.
Standard Users
Table 345:
Component | Standard Users
Project Self-Service; Business Unit Analyst | No standard users exist in the standard SAP system for these components.
Higher Education and Research | For information about the standard users for this component, see the Security Guide for this component.
13.13.4.3.3 Authorizations
Use
The Self-Service applications use the authorization concept provided by SAP NetWeaver Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Security Guide for ABAP also apply to the Self-Service applications.
The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the Profile Generator (transaction PFCG). For more information, see Maintain Roles and Authorizations for Web Dynpro Services.
Standard Roles
Business Unit Analyst and Project Self-Services
There are no standard roles for these components.
Higher Education and Research
For information about the standard roles for this component, see the Security Guide for this component.
Standard Authorization Objects
The table below shows the general security-relevant authorization objects that are used by the Self-Service
applications.
Table 346: Standard Authorization Objects for Self-Service Applications
Authorization Object | Field | Value | Description
S_RFC | RFC_NAME | Depends on service | Protects the back-end system when it is accessed via RFC from the Web Dynpro front end.
Higher Education and Research
For information about the standard authorization objects for this component, see the Security Guide for this
component.
Internal Service Request and Personnel Change Requests
For information about standard authorization objects for the Internal Service Request (ISR) and Personnel Change Requests, see SAP Note 623650.
13.13.4.3.3.1 Maintain Roles and Authorizations for Web Dynpro Services
Use
You use this procedure to maintain roles, their associated Web Dynpro services, and authorizations.
Procedure
1. In transaction PFCG, create a role or select an existing default role for the component. Choose Create Role or
copy the existing default role.
2. Assign the services you require to the role.
1. On the Menu tab page, choose Authorization Default.
The Service dialog box appears.
2. Select the External Service checkbox.
3. Select WEBDYNPRO as the external service type.
4. In the Service field, select the Web Dynpro service you require.
5. Choose Save.
The authorization objects and default values maintained for the service are then displayed in the menu
tree structure.
In the same manner, select all the Web Dynpro services that you want to use.
3. Assign the required authorizations.
To do this, choose the Authorizations tab page to maintain the authorization objects and values in accordance
with your requirements.
For more detailed information about role maintenance, see Role Maintenance in the Users and Roles section in SAP Library for SAP NetWeaver (see also help.sap.com > Documentation > SAP NetWeaver).
13.13.4.3.3.2 Authorizations for Controlling Services (BUA)
The table below shows the standard authorization objects that are used by the controlling services in Business Unit Analyst (BUA).
Note
These authorization objects are also used by the controlling services in Business Package for Manager Self-Service (MSS).
Table 347:
Authorization Object | Description
K_CCA | General authorization object for Cost Center Accounting. Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_ORDER | General authorization object for internal orders. Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_PCA | Area responsible, Profit Center. Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_CSKS_PLA | Cost element planning. Is checked in the relevant Express Planning services.
K_FPB_EXP | Authorization object for Express Planning. This authorization object checks the Express Planning Framework call and the planning round call. The actual plan data is protected by the authorization objects for the individual Express Planning services.
Note
For more information about the fields for the authorization objects K_CCA, K_ORDER, and K_PCA, see SAP
Note 15211.
13.13.4.3.4 Employee Self-Service
About This Document
This chapter provides an overview of the security-relevant information that applies to Employee Self-Service (CA-ESS).
The following deployment options are available for Employee Self-Service (ESS):
● Business Package for Employee Self-Service (up to and including 1.50)
This Business Package is a “classic” SAP Business Package that runs in the SAP Enterprise Portal. The Portal
role consists of worksets and iViews based on Web Dynpro ABAP technologies.
● Business Package for Employee Self-Service (WDA)
This Business Package also runs in the SAP Enterprise Portal but it has only one workset with one iView that
launches the role structure with the applications maintained in the back-end system. In this business
package, all applications are based on Web Dynpro ABAP technology.
● Employee Self-Service in SAP Business Client for HTML
The role structure of this deployment option is maintained in the back-end system with the SAP role
maintenance transaction PFCG. All applications available with this role are based on Web Dynpro ABAP
technology.
Note
Some parts of the security information in this chapter only apply to individual ESS deployment options. In this
case, you will find a comment explaining for which deployment option this information is valid right at the
beginning of each section. If not stated otherwise, the security information in this chapter applies to all ESS
deployment options.
See also:
● For more information about the roles in SAP Enterprise Portal, see SAP Library for S/4HANA on SAP Help Portal at Cross-Application Functions in SAP ERP > Roles > Business Packages (Portal Content).
● For more information about the roles in SAP Business Client, see SAP Library for S/4HANA on SAP Help Portal at Cross-Application Functions in SAP ERP > Roles > Roles in SAP NetWeaver Business Client.
● For more information about SAP Business Client, see SAP Library for SAP NetWeaver on SAP Help Portal at SAP NetWeaver by Key Capability > Application Platform by Key Capability > ABAP Technology > UI Technology > SAP NetWeaver Business Client.
Overview of the Main Sections of This Chapter
This chapter comprises the following sections with security-related topics specific to Employee Self-Service:
● Before You Start
This section comprises references to other Security Guides that are relevant for Employee Self-Service and a
list of the most important notes for Employee Self-Service regarding security.
● User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects for
Employee Self-Service:
○ User Management
This section contains information about the user types that are required by Employee Self-Service and
standard users for Employee Self-Service.
○ Integration into Single Sign-On Environments
This topic describes how the Employee Self-Service supports Single Sign-On mechanisms.
● Authorizations
This section provides an overview of the authorization concept that applies to Employee Self-Service.
● Session Security Protection
This section provides information on activating secure session management.
● Network and Communication Security
This section provides an overview of the communication paths used by Employee Self-Service and the
security mechanisms that apply. It also includes our recommendations for the network topology to restrict
access at the network level:
○ Communication Channel Security
○ Network Security
○ Communication Destinations
● Internet Communication Framework Security
This section provides an overview of the Internet Communication Framework (ICF) services that are used by
Employee Self-Service.
● Security-Relevant Logging and Tracing
This section provides an overview of the logging and tracing mechanisms that apply to Employee Self-Service.
13.13.4.3.4.1 User Administration and Authentication
User management for Employee Self-Service uses the mechanisms provided with the SAP NetWeaver Application Server for ABAP.
The security recommendations and guidelines for user administration and authentication described in the SAP NetWeaver Application Server for ABAP Security Guide apply to Employee Self-Service (WDA) in SAP NetWeaver Business Client for HTML as well as to the ESS business packages (Business Package for Employee Self-Service and Business Package for Employee Self-Service (WDA)).
In addition to these guidelines, information about user administration and authentication that specifically applies
to Employee Self-Service is included in the following sections:
● User Management
● Integration into Single Sign-On Environments
13.13.4.3.4.1.1 User Management
Use
User management for Employee Self-Service (WDA) in SAP NetWeaver Business Client for HTML uses the
mechanisms provided with the SAP NetWeaver Application Server for ABAP.
For an overview of how these mechanisms apply to Employee Self-Service, see the sections below.
User Administration Tools
The table below shows the tools to use for user management and user administration with Employee Self-Service.
Table 348: User Management Tools
Tool | Detailed Description | Comment
User maintenance for ABAP-based systems (transaction SU01) | You use the user maintenance transaction to generate users in the ABAP-based systems and to assign authorization profiles. | Used for all ESS deployment options
Role maintenance (transaction PFCG) | You use the role maintenance transaction to generate authorization profiles for your self-service users. For more information, see User and Role Administration of AS ABAP. | Used for all ESS deployment options
Note
For the ESS business packages, you must perform user mapping for the users in the ABAP system and the
Portal. For more information, see Assigning Portal Roles to Users.
Caution
Ensure that you give end users general reading permission for the SAP Enterprise Portal. For more information, see SAP Note 939412.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may
specify that individual users who perform tasks interactively must change their passwords on a regular basis, but
not those users under which background processing jobs run.
User types that are required for Employee Self-Service include:
● Individual users:
○ Dialog users (Used for SAP GUI for Windows or RFC connections)
○ Internet users (Same policies apply as for dialog users, but used for Internet connections).
● Technical users:
○ Service users.
For more information on these user types, see User Types in the SAP NetWeaver AS ABAP Security Guide.
Note
For the Business Package for Employee Self-Service (up to and including 1.41), we recommend you set up the
connection between the SAP Enterprise Portal and the connected systems (ECC system, J2EE Engine, BW
system) so that each individual user has access. This does not apply to the Business Package for Employee
Self-Service (WDA).
Standard Users
For Employee Self-Service, no standard users are delivered.
13.13.4.3.4.1.2 Integration into Single Sign-On Environments
Use
Employee Self-Service supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore,
the security recommendations and guidelines for user administration and authentication as described in the SAP
NetWeaver Security Guide also apply to Employee Self-Service.
For more information about the available authentication mechanisms, see User Authentication and Single Sign-
On in the SAP NetWeaver Library.
Configuration of Web Services with Client Certificates
For ESS applications of the Business Package for Employee Self-Service, the use of client certificates should be
configured for authentication when users access the J2EE Engine using an end-to-end connection. To achieve
this, follow the instructions under Configuring the Use of Client Certificates for Authentication.
13.13.4.3.4.2 Authorizations
Use
Employee Self-Service uses the authorization concept provided by the SAP NetWeaver AS for ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS ABAP Security Guide also apply to ESS.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see Role Administration.
Role and Authorization Concept for Employee Self-Service
Employee Self-Service embraces services from a variety of SAP applications and also uses the authorizations of these individual components. Most of these services belong to HCM components; see Authorizations for Human Resources.
Standard Roles
The tables below show the standard roles that are used for authorizations by the Business Package for Employee
Self-Service (up to and including 1.50) and by Employee Self-Service (WDA).
Table 349: Standard Roles for the Business Package for Employee Self-Service
Role | Name | Description
SAP_ESSUSER_ERP05 | Single Role with all Non-Country-Specific Functions | Single role that comprises all non-country-specific functions.
SAP_EMPLOYEE_ERP05_xx | ESS ERP05: Country-Specific Functions for | Single role comprising country-specific functions. A separate role exists for each country version (xx = country ID). The corresponding composite role is SAP_EMPLOYEE_ERP05.
SAP_ASR_EMPLOYEE | HR Administrative Services: Employee | Enhancement of the role SAP_ESSUSER_ERP05 for the employees that use the functions of the component PA-AS (HR Administrative Services) in the Business Package for Employee Self-Service (up to and including 1.4.1).
Caution
For the Business Package for Employee Self-Service, you also need SAP Note 857431 for generating the
authorization profiles.
Table 350: Standard Roles for Employee Self-Service (WDA)
Role | Name | Description
SAP_EMPLOYEE_XX_ESS_WDA_2 | ESS International Single Role | Authorizations for all international services in Employee Self-Service (WDA). For more information about this and all other Employee Self-Service (WDA) roles, see Single Roles for Employee Self-Service (WDA).
SAP_EMPLOYEE_AU_ESS_WDA_1 | ESS Single Role for Australia | Authorizations for country-specific services for Australia in Employee Self-Service (WDA).
SAP_EMPLOYEE_CA_ESS_WDA_2 | ESS Single Role for Canada | Authorizations for country-specific services for Canada in Employee Self-Service (WDA).
SAP_EMPLOYEE_CH_ESS_WDA_1 | ESS Single Role for Switzerland | Authorizations for country-specific services for Switzerland in Employee Self-Service (WDA).
SAP_EMPLOYEE_CN_ESS_WDA_1 | ESS Single Role for China | Authorizations for country-specific services for China in Employee Self-Service (WDA).
SAP_EMPLOYEE_DE_ESS_WDA_1 | ESS Single Role for Germany | Authorizations for country-specific services for Germany in Employee Self-Service (WDA).
SAP_EMPLOYEE_HK_ESS_WDA_1 | ESS Single Role for Hong Kong | Authorizations for country-specific services for Hong Kong in Employee Self-Service (WDA).
SAP_EMPLOYEE_IN_ESS_WDA_2 | ESS Single Role for India | Authorizations for country-specific services for India in Employee Self-Service (WDA).
SAP_EMPLOYEE_JP_ESS_WDA_2 | ESS Single Role for Japan | Authorizations for country-specific services for Japan in Employee Self-Service (WDA).
SAP_EMPLOYEE_MY_ESS_WDA_1 | ESS Single Role for Malaysia | Authorizations for country-specific services for Malaysia in Employee Self-Service (WDA).
SAP_EMPLOYEE_PT_ESS_WDA_1 | ESS Single Role for Portugal | Authorizations for country-specific services for Portugal in Employee Self-Service (WDA).
SAP_EMPLOYEE_SG_ESS_WDA_1 | ESS Single Role for Singapore | Authorizations for country-specific services for Singapore in Employee Self-Service (WDA).
SAP_EMPLOYEE_TH_ESS_WDA_1 | ESS Single Role for Thailand | Authorizations for country-specific services for Thailand in Employee Self-Service (WDA).
SAP_EMPLOYEE_US_ESS_WDA_1 | ESS Single Role for the United States | Authorizations for country-specific services for the USA in Employee Self-Service (WDA).
SAP_FI_TV_WEB_ESS_TRAVELER_2 | ESS Single Role for the Traveler | Authorizations for ESS services for the traveler role in Employee Self-Service (WDA).
SAP_ASR_EMPLOYEE_SR_HCM_CI_3 | ESS Single Role for HCM P&F Services | Authorizations for international ESS services from the HR Process and Forms application in Employee Self-Service (WDA).
SAP_PM_EMPLOYEE_HCM_CI_1 | ESS Single Role for HCM PM Services | Authorizations for ESS services from the Performance Management application in Employee Self-Service (WDA).
SAP_TMC_EMPLOYEE_6 | Employee in Talent Management | Authorizations for ESS services from the Talent Management and Talent Development application in Employee Self-Service (WDA). For more information, see Employee in Talent Management.
SAP_RCF_ESS_SR_ERC_CI_4 | E-Recruiting services for ESS (WDA) | Authorizations in SAP E-Recruiting for employees that use SAP E-Recruiting services in ESS (WDA).
/SAPSRM/EMPLOYEE_ESS | SAP SRM Employee for ESS | Authorizations in SAP SRM for employees that use services from Purchasing in ESS (WDA).
Note
The composite role SAP_EMPLOYEE_ESS_WDA_2, which contains the single roles listed above (except for the
last two roles), is required for Employee Self-Service (WDA) in SAP NetWeaver Business Client for HTML. For
more information on all roles for ESS (WDA), see also Roles in Employee Self-Service (WDA).
Standard Authorization Objects
The following table presents the general authorization objects relevant for security that are used by the Business
Package for Employee Self-Service (up to and including 1.50).
Table 351: Standard Authorization Objects for Self-Service Applications
Authorization Object | Field | Value | Description
S_RFC | RFC_NAME | Depends on service | Saves data from RFC access to Web Dynpro front end to the back-end system.
Apart from these authorization objects, all Employee Self-Service deployment options use the authorization
objects from the following application areas or application components:
● Human Capital Management
See the S/4HANA Security Guide at Human Capital Management > Authorizations.
● SAP E-Recruiting
See the S/4HANA Security Guide at Human Capital Management > Talent Management > SAP E-Recruiting > Authorizations.
● HCM Processes and Forms
See the S/4HANA Security Guide at Human Capital Management > Personnel Administration (PA) > HCM Processes and Forms > Authorizations.
● Travel Management
See the S/4HANA Security Guide at Accounting > Financial Accounting > Travel Management (FI-TV).
13.13.4.3.4.3 Session Security Protection
Use
To increase security and prevent access to the SAP logon ticket and security session cookie(s), we recommend
activating secure session management.
We also highly recommend using SSL to protect the network communications where these security-relevant
cookies are transferred.
Session Security Protection on the AS ABAP
The following section is relevant for Employee Self-Service (WDA):
To prevent JavaScript or plug-ins from accessing the SAP logon ticket and the security session cookies (SAP_SESSIONID__), activate secure session management. With an existing security session, users can then start applications that require a user logon without logging on again. When a security session is ended, the system also ends all applications that are linked to this security session.
Use transaction SICF_SESSIONS to set the profile parameter values shown in the table below in your AS ABAP system:
Table 352: Session Security Protection Profile Parameters
Profile Parameter | Recommended Value | Comment
icf/set_HTTPonly_flag_on_cookies | 0 | Client-dependent
login/ticket_only_by_https | 1 | Not client-dependent
For more information, a list of the relevant profile parameters, and detailed instructions, see Activating HTTP
Security Session Management on AS ABAP in the AS ABAP security documentation.
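The check an administrator would run against Table 352, as an added example that is not part of the SAP guide: it compares an instance profile and the per-client maintenance of the client-dependent parameter against the recommended values and reports every deviation, including clients that undo a compliant instance default. The profile excerpt and client values are constructed; that a value of 0 for icf/set_HTTPonly_flag_on_cookies means the HttpOnly flag is set on all cookies comes from SAP's parameter documentation, not from this page.

```python
"""Audit AS ABAP session-security settings against the values in Table 352.

Added example, not from the SAP guide. It models what an administrator sees in
SICF_SESSIONS: the instance profile plus the per-client maintenance of the
client-dependent parameter. All input at the bottom is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Recommended values from Table 352 above: (value, client-dependent?).
# That 0 means "HttpOnly flag set on all cookies" comes from SAP's parameter
# documentation, not from this page.
RECOMMENDED = {
    "icf/set_HTTPonly_flag_on_cookies": ("0", True),
    "login/ticket_only_by_https": ("1", False),
}


@dataclass(frozen=True)
class Finding:
    client: str             # "*" for instance-wide parameters
    parameter: str
    actual: Optional[str]   # None when the parameter is not maintained at all
    recommended: str


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an instance profile; '#' starts a comment."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def audit_session_security(profile_text: str,
                           client_values: Dict[str, Dict[str, str]],
                           clients: List[str]) -> List[Finding]:
    """Return one Finding per deviation from Table 352 (or per unset parameter).

    client_values maps client -> {parameter: value} as maintained per client in
    SICF_SESSIONS; where a client has no entry the instance-wide value applies.
    """
    instance = parse_profile(profile_text)
    findings: List[Finding] = []
    for param, (want, client_dependent) in RECOMMENDED.items():
        if not client_dependent:
            actual = instance.get(param)
            if actual != want:
                findings.append(Finding("*", param, actual, want))
            continue
        # Client-dependent: a compliant instance default can still be undone in
        # one client, so every productive client has to be checked.
        for client in clients:
            actual = client_values.get(client, {}).get(param, instance.get(param))
            if actual != want:
                findings.append(Finding(client, param, actual, want))
    return findings


# Constructed sample: the instance default is fine for HttpOnly, but client 200
# overrides it, and logon tickets are still allowed over plain HTTP.
SAMPLE_PROFILE = """
# constructed instance profile excerpt
login/ticket_only_by_https = 0        # should be 1
icf/set_HTTPonly_flag_on_cookies = 0
"""
SAMPLE_CLIENT_VALUES = {"200": {"icf/set_HTTPonly_flag_on_cookies": "3"}}
SAMPLE_CLIENTS = ["000", "100", "200"]

if __name__ == "__main__":
    for f in audit_session_security(SAMPLE_PROFILE, SAMPLE_CLIENT_VALUES, SAMPLE_CLIENTS):
        print(f"client {f.client}: {f.parameter} = {f.actual!r}, recommended {f.recommended}")
```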
13.13.4.3.4.4 Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the
communication necessary for your business needs without allowing unauthorized access. A well-defined network
topology can eliminate many security threats based on software flaws (at both the operating system level and
application level) or network attacks such as eavesdropping. If users cannot log on to your application or database
servers at the operating system or database layer, then there is no way for intruders to compromise the machines
and gain access to the back-end system’s database or files. Additionally, if users are not able to connect to the
server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on
the server machines.
The network topology for Employee Self-Service is based on the topology used by the SAP NetWeaver platform.
Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also
apply to Employee Self-Service. Details that specifically apply to Employee Self-Service are described in the
following sections:
● Communication Channel Security
This topic provides an overview of the communication channels used by Employee Self-Service, the protocol
used for the connection, and the type of data transferred.
● Network Security
This topic describes the recommended network topology for Employee Self-Service. It shows the appropriate
network segments for the various client and server components and where to use firewalls for access
protection. It also includes a list of the ports needed to operate Employee Self-Service.
● Communication Destinations
This topic describes the information needed for the various communication paths, for example, which users
are used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide:
● Network and Communication Security
● Security Guides for Connectivity and Interoperability Technologies
13.13.4.3.4.4.1 Communication Channel Security
Use
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using the Secure Sockets Layer (SSL) protocol.
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
Recommendation
We strongly recommend using secure protocols (SSL, SNC) whenever possible.
SSL connections for Adobe Document Services
For ESS applications to perform security-related functions such as digitally signing PDF documents or launching PDF forms, you must set up an SSL connection to the Web service. To do so, follow the instructions under Configuration of the Web Service SSL Connection in the Adobe Document Services Configuration Guide.
13.13.4.3.4.4.2 Network Security
Ports
Employee Self-Service runs on SAP NetWeaver and uses the ports of the AS ABAP (for Employee Self-Service (WDA)).
For more information, see the topics for AS ABAP Ports in the corresponding SAP NetWeaver Security Guide.
For other components, for example, SAPinst, SAProuter, or the SAP Web Dispatcher, see also the document TCP/IP Ports Used by SAP Applications, which is located on the SAP Service Marketplace at http://service.sap.com/ under Products > Database & Technology > Security > Infrastructure Security.
13.13.4.3.4.4.3 Communication Destinations
Use
The tables below provide an overview of the communication destinations required for the three Employee Self-
Service deployment options.
Employee Self-Service (WDA) in SAP Business Client for HTML
For this deployment option, you have to maintain RFC connections using transaction SM59; see also Table 1 below.
Table 353: Table 1: Connection Destinations for Employee Self-Service (WDA) in NWBC for HTML
Destination | Delivered | Type | Recommended User Authorizations | Description
SAP_ECC_HumanResources | No | ABAP connection | n/a | System alias for the ECC HCM system
SAP_ECC_HumanResources_HTTP | No | HTTP connection | n/a | System alias for the ECC HCM system
SAP_SRM | No | ABAP connection | n/a | System alias for the SRM system for Purchasing applications
SAP_SRM_HTTP | No | HTTP connection | n/a | System alias for the SRM system for Purchasing applications
SAP_EREC_TalentManagement | No | ABAP connection | n/a | System alias for the SAP E-Recruiting system
SAP_EREC_TalentManagement_HTTP | No | HTTP connection | n/a | System alias for the SAP E-Recruiting system
Business Package for Employee Self-Service (WDA)
For this deployment option, you have to maintain system aliases in the Portal System Landscape Administration; see also Table 2 below.
Table 354: Table 2: Connection Destinations for the Business Package for Employee Self-Service (WDA)
Destination | Delivered | Type | Recommended User Authorization | Description
SAP_ECC_HumanResources | Yes | Entry in Portal System Landscape Administration | n/a | System alias for the ECC HCM system
SAP_SRM | Yes | Entry in Portal System Landscape Administration | n/a | System alias for the SRM system for Purchasing applications
SAP_EREC_TalentManagement | Yes | Entry in Portal System Landscape Administration | n/a | System alias for the SAP E-Recruiting system
More Information
For the Business Package for Employee Self-Service (WDA):
● Setting Up the System Landscape
For the Business Package for Employee Self-Service:
● Setting Up the System Landscape
13.13.4.3.4.5 Internet Communication Framework Security
Use
You should only activate those services that are needed for the applications running in your system. For Employee Self-Service (WDA), the following services are needed; unless stated otherwise, they are located in the path default_host/sap/bc/webdynpro/sap/:
For general ESS applications:
● HRESS_A_MENU
● HRESS_A_PERSINFO
● hress_a_payslip
● HRESS_A_TCS
For applications from HCM Processes and Forms (PA-AS):
● asr_form_display
● ars_personnel_file
● asr_processes_display
● ASR_PROCESS_EXECUTE_FPM
For applications from Cross-Application Time Sheet (CA-TS) and Personal Time Management (PT):
● hress_a_cats_1
● hress_a_cats_print
● hress_a_corrections
● hress_a_lea_team_calendar
● hress_a_ptarq_leavreq_appl
● HRESS_A_PTARQ_TIMEACC
● HRESS_A_TIME_DATESEL
● hress_a_time_persel
For applications from Benefits (PA-BN):
● HRESS_A_BEN_PART_OVERVIEW
● HRESS_A_BENEFITS_ENROLLMENT
● HRESS_A_BEN_PRINT_ENRO_FORM
● HRESS_A_BEN_FSA_CLAIMS
● HRESS_A_BEN_PRINT_CONF_FORM
For applications from Performance Management (PA-PD-PM):
● HAP_CONFIGURATION
● HAP_DOCUMENT_LINK
● HAP_MAIN_DOCUMENT
● HAP_QUALIFICATION_PROFILE
● HAP_START_PAGE_POWL_UI_ESS
● HAP_a_ESS_Startpage
For applications from Travel Management (FI-TV):
● FITE_EXPRESS_EXPENSES
● FITE_REQUEST_DELETE
● FITE_EXPENSES_DELETE
● FITP_PLAN_CANCEL
● FITV_UNLOCK_PERSNO
● FITV_TRIP_FORM
● FITV_ROUTING
● FITP_PROFILE
● FITE_REQUEST
● FITP_PLANNING
● FITE_EXPENSES
● FITV_POWL_TRIPS
And in the path default_host/sap/bc/bsp/sap/:
● fitv_bsp_pfcg
For applications from Self-Service Procurement (SRM-EBP-SHP) in the path /default_host/sap/bc/webdynpro/sapsrm/:
● WDA_L_FPM_OIF
● WDA_L_FPM_OVP
● WDA_L_PRINT_PREVIEW
For applications from ERP E-Procurement (MM-PUR-SSP):
● /SRMERP/WDA_I_SC_ESS
● /SRMERP/WDA_I_SC_FS_ESS
● /SRMERP/WDA_I_WSCP
For applications from SAP E-Recruiting (PA-ER):
● All services with the prefix hrrcf in the path /default_host/sap/bc/webdynpro/sap/
● All services in the path /default_host/sap/bc/erecruiting/
● All services with the prefix hrrcf_wd in the path /default_host/sap/bc/bsp/sap/
Note
You activate the services in Customizing for SAP E-Recruiting under Technical Settings > User Interfaces > Candidate > Front-End Candidate > Specify E-Recruiting Services (Web Dynpro ABAP).
For country-specific applications:
● HRESS_A_PAYINFO
● HRESS_A_REP_AU_PS
● Hress_a_rep_ca_tfr
● HRESS_A_REP_CH_PKB1
● HRESS_A_REP_CH_PKB4
● HRESS_A_REP_CN_CTXD
● HRESS_A_REP_HK_IR56B
● HRESS_A_REP_HK_IR56F
● HRESS_A_REP_HK_IR56G
● HRESS_A_REP_IN_FORM16
● HRESS_A_REP_JP_YEA_DEP
● HRESS_A_REP_JP_YEA_INS
● HRESS_A_REP_JP_YEA_WTS
● HRESS_A_REP_MY_EA
● HRESS_A_REP_MY_PCB2
● HRESS_A_REP_PT_IID
● HRESS_A_REP_SG_IR21
● HRESS_A_REP_SG_IR8A
● HRESS_A_REP_SG_IR8E
● HRESS_A_REP_SG_IR8S
● HR_EA_A_OVERVIEW_EE
● HR_EA_A_OVERVIEW_CU
● HR_EA_A_OVERVIEW_AP
● HR_EA_A_OVERVIEW_TO
● HRESS_A_REP_IN_SSITP
● HRESS_A_CLAIM_IN
● HRESS_A_ITDCL_IN
● HRESS_FWS_EMP_CALENDAR
● ASR_PROCESS_EXECUTE_FPM
Activities
Use the transaction SICF to activate these services.
If your firewalls use URL filtering, also note the URLs used for the services and adjust your firewall settings
accordingly.
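A way to verify the "activate only what is needed" rule above, as an added example that is not part of the SAP guide and not an SAP tool: it takes the active ICF service nodes of a system as full paths (one per line, as collected from SICF) and reports both services that are active without being in the ESS (WDA) list and listed services that are not active. It is seeded with a subset of the services named in this section; the full lists drop into EXACT_SERVICES the same way. The export at the bottom is constructed.

```python
"""Compare the active ICF service nodes of a system with the ESS (WDA) service list above.

Added example, not from the SAP guide and not an SAP tool. Input is an export of
active service nodes as full paths, one per line. The export at the bottom is
constructed; the z* service names in it are placeholders.
"""
from dataclasses import dataclass
from typing import List

WDA = "/default_host/sap/bc/webdynpro/sap/"
BSP = "/default_host/sap/bc/bsp/sap/"

# Services named individually in this section (subset). ICF node names are
# matched case-insensitively, which is why the page can mix upper and lower case.
EXACT_SERVICES = {WDA + s for s in (
    "HRESS_A_MENU", "HRESS_A_PERSINFO", "hress_a_payslip", "HRESS_A_TCS",
    "hress_a_ptarq_leavreq_appl", "HRESS_A_BENEFITS_ENROLLMENT", "FITV_POWL_TRIPS",
)} | {BSP + "fitv_bsp_pfcg"}

# Prefix rules from the SAP E-Recruiting (PA-ER) paragraph.
PREFIX_RULES = (WDA + "hrrcf", "/default_host/sap/bc/erecruiting/", BSP + "hrrcf_wd")


def normalise(path: str) -> str:
    """Lower-case, ensure a leading slash, drop a trailing slash."""
    p = path.strip().lower()
    return ("/" + p if not p.startswith("/") else p).rstrip("/")


ALLOWED_EXACT = {normalise(s) for s in EXACT_SERVICES}
# Prefixes keep their trailing slash so "erecruiting/" cannot match "erecruiting_x/".
ALLOWED_PREFIXES = tuple(p.lower() for p in PREFIX_RULES)


def is_allowed(path: str) -> bool:
    """True if the node is named in the ESS (WDA) list or covered by a prefix rule."""
    p = normalise(path)
    return p in ALLOWED_EXACT or any(p.startswith(pref) for pref in ALLOWED_PREFIXES)


@dataclass
class Report:
    unexpected: List[str]   # active, but not part of the documented ESS (WDA) set
    missing: List[str]      # documented individually, but not active


def review_active_services(export_text: str) -> Report:
    active = {
        normalise(line) for line in export_text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }
    return Report(
        unexpected=sorted(p for p in active if not is_allowed(p)),
        missing=sorted(s for s in ALLOWED_EXACT if s not in active),
    )


# Constructed export: mixed case and slashes as they appear in practice, two
# E-Recruiting nodes matched by prefix, and two placeholder z* nodes that the
# ESS (WDA) list does not cover.
SAMPLE_EXPORT = """
# constructed list of active ICF nodes
/default_host/sap/bc/webdynpro/sap/HRESS_A_MENU
/default_host/sap/bc/webdynpro/sap/hress_a_payslip/
default_host/sap/bc/webdynpro/sap/HRESS_A_TCS
/default_host/sap/bc/webdynpro/sap/hrrcf_a_sample
/default_host/sap/bc/erecruiting/hrrcf_sample_start
/default_host/sap/bc/bsp/sap/hrrcf_wd_sample
/default_host/sap/bc/bsp/sap/fitv_bsp_pfcg
/default_host/sap/bc/webdynpro/sap/ZCUSTOM_ADMIN_TOOL
/default_host/sap/bc/bsp/sap/zlegacy_report
"""

if __name__ == "__main__":
    report = review_active_services(SAMPLE_EXPORT)
    print("active but not in the ESS (WDA) list:", *report.unexpected, sep="\n  ")
    print("listed but not active:", *report.missing, sep="\n  ")
```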
More Information
For more information, see Activating and Deactivating ICF Services in the SAP NetWeaver Library documentation.
For more information about ICF security, see the RFC/ICF Security Guide.
13.13.4.3.4.6 Leave Request-Specific Virus Scan Profile (ABAP)
Attackers can abuse a file upload to modify displayed application content or to obtain authentication information
from a legitimate user. Usually, virus scanners are not able to detect files designed for this kind of attack.
For this reason, the standard SAP Virus Scan Interface includes an enhancement option to protect the user
and/or the SAP system from potential attacks.
For more information about the behavior of the virus scanner when default virus scan profiles (VSP) are activated,
see SAP note 1693981 (Unauthorized modification of displayed content).
The SAP Leave Request application (HRESS_A_PTARQ_LEAVREQ_APPL) changes this behavior so that the file types EXE, RAR, and DLL are blocked.
Once you have created and activated the application-specific virus scan profile (SIHTTP/HTTP_UPLOAD), this profile has the following effect: the MIME sniffing check is activated, and the MIME type APPLICATION/OCTET-STREAM is blocked.
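The behavior the profile adds, as an added example that is not SAP code and not the SAP Virus Scan Interface: an upload check that rejects the EXE, RAR and DLL file types and a declared type of application/octet-stream, and sniffs the leading bytes so that a renamed executable is caught regardless of its extension or declared type. The sample uploads and their contents are constructed.

```python
"""Upload check modelled on the behaviour the Leave Request virus scan profile adds.

Added example, not SAP code and not the SAP Virus Scan Interface. Sample uploads
at the bottom are constructed.
"""
import os
from typing import Optional, Tuple

BLOCKED_EXTENSIONS = {".exe", ".rar", ".dll"}
BLOCKED_DECLARED = {"application/octet-stream"}

# Magic numbers used for sniffing. "MZ" is the header shared by EXE and DLL
# (both are Windows PE files); "Rar!\x1a\x07" is the RAR archive signature.
MAGIC = (
    (b"MZ", "application/vnd.microsoft.portable-executable"),
    (b"Rar!\x1a\x07", "application/vnd.rar"),
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
)
BLOCKED_CONTENT = {"application/vnd.microsoft.portable-executable", "application/vnd.rar"}


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the first bytes, or None if unrecognised."""
    return next((mime for sig, mime in MAGIC if data.startswith(sig)), None)


def check_upload(filename: str, declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may pass; returns (accepted, reason)."""
    ext = os.path.splitext(filename)[1].lower()
    declared = declared_mime.strip().lower()
    if ext in BLOCKED_EXTENSIONS:
        return False, f"file type {ext} is blocked"
    if declared in BLOCKED_DECLARED:
        return False, f"declared MIME type {declared} is blocked"
    sniffed = sniff_mime(data)
    if sniffed in BLOCKED_CONTENT:
        # Extension and declared type are chosen by the uploader; the bytes are not.
        return False, f"content sniffed as {sniffed}"
    if sniffed is not None and sniffed != declared:
        return False, f"declared {declared} but content is {sniffed}"
    return True, "accepted" if sniffed else "accepted (content type not verifiable)"


# Constructed uploads: (filename, declared MIME type, first bytes of the content)
SAMPLES = [
    ("leave_certificate.pdf", "application/pdf", b"%PDF-1.7\n%constructed"),
    ("certificate.exe", "application/pdf", b"MZ\x90\x00constructed"),
    ("certificate.pdf", "application/pdf", b"MZ\x90\x00constructed"),
    ("attachment.bin", "application/octet-stream", b"Rar!\x1a\x07\x00constructed"),
    ("notes.txt", "text/plain", b"constructed plain text"),
]

if __name__ == "__main__":
    for name, mime, head in SAMPLES:
        ok, why = check_upload(name, mime, head)
        print(f"{'ACCEPT' if ok else 'BLOCK':6} {name:24} {why}")
```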
13.13.4.3.4.7 Security-Relevant Logging and Tracing
Employee Self-Service relies on the logging and tracing mechanisms from SAP NetWeaver.
For more information, see the following topics:
● For the AS ABAP (relevant for Employee Self-Service (WDA)):
Auditing and Logging
13.13.4.3.5 Manager Self-Service
About This Document
This chapter provides an overview of the security-relevant information that applies to Manager Self-Service (EP-
PCT-MGR).
The following deployment options are available for Manager Self-Service (MSS):
● Business Package for Manager Self-Service
This Business Package is a “classic” SAP Business Package that runs in the SAP Enterprise Portal. The Portal
role consists of worksets and iViews based on Web Dynpro ABAP technologies.
● Manager Self-Service in SAP Business Client
The role structure for this deployment option is maintained in the back-end system with the SAP role
maintenance transaction PFCG. All applications available with this role are based on Web Dynpro ABAP
technology.
Note
Some parts of the security information in this chapter only apply to one of the MSS deployment options. In this
case, you will find a comment explaining for which deployment option this information is valid right at the
beginning of each section. If not stated otherwise, the security information in this chapter applies to both MSS
deployment options.
See also:
● For more information about the roles in SAP Enterprise Portal, see SAP Library for S/4HANA on SAP Help Portal at Cross-Application Functions in SAP ERP > Roles > Business Packages (Portal Content).
● For more information about the roles in SAP Business Client, see SAP Library for S/4HANA on SAP Help Portal at Cross-Application Functions in SAP ERP > Roles > Roles in SAP NetWeaver Business Client.
● For more information about SAP Business Client, see SAP Library for SAP NetWeaver on SAP Help Portal at http://help.sap.com/netweaver > SAP NetWeaver by Key Capability > Application Platform by Key Capability > ABAP Technology > UI Technology > SAP NetWeaver Business Client.
Overview of the Main Sections of This Chapter
This chapter comprises the following sections with security-related topics specific to Manager Self-Service:
● Before You Start
This section comprises references to other Security Guides that are relevant for Manager Self-Service and a
list of the most important notes for Manager Self-Service regarding security.
● User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects for
Manager Self-Service:
○ User Management
This section contains information about the user types that are required by Manager Self-Service and
standard users for Manager Self-Service.
○ Integration into Single Sign-On Environments
This topic describes how the Employee Self-Service supports Single Sign-On mechanisms.
● Authorizations
This section provides an overview of the authorization concept that applies to Manager Self-Service.
● Session Security Protection
This section provides information about activating secure session management, which prevents JavaScript or
plug-ins from accessing the SAP logon ticket or security session cookie(s).
● Network and Communication Security
This section provides an overview of the communication paths used by Manager Self-Service and the security
mechanisms that apply. It also includes our recommendations for the network topology to restrict access at
the network level:
○ Network Security
○ Communication Destinations
● Internet Communication Framework Security
This section provides an overview of the Internet Communication Framework (ICF) services that are used by
Manager Self-Service.
● Security-Relevant Logging and Tracing
This section provides an overview of the logging and tracing mechanisms that apply to Manager Self-Service.
13.13.4.3.5.1 User Administration and Authentication
User management for Manager Self-Service uses the mechanisms provided with the SAP NetWeaver Application
Server for ABAP.
The security recommendations and guidelines for user administration and authentication described in the SAP NetWeaver Application Server for ABAP Security Guide apply to Manager Self-Service in SAP NetWeaver Business Client.
In addition to these guidelines, information about user administration and authentication that specifically applies
to Manager Self-Service is included in the following sections:
● User Management
● Integration into Single Sign-On Environments
13.13.4.3.5.1.1 User Management
Use
User management for Manager Self-Service uses the mechanisms provided with the SAP NetWeaver Application
Server for ABAP (for example, tools, user types, and password policies).
For an overview of how these mechanisms apply for Manager Self-Service, see the sections below.
User Administration Tools
The table below shows the tools to use for user management and user administration with Manager Self-Service.
Table 355: User Management Tools
Tool | Detailed Description | Comment
User maintenance for ABAP-based systems (transaction SU01) | You use the user maintenance transaction to generate users in the ABAP-based systems. | Used for both MSS deployment options
Role maintenance (transaction PFCG) | You use the role maintenance transaction to generate profiles for your self-service users. For more information, see User and Role Administration of AS ABAP. | Used for both MSS deployment options
Note
For the Business Package for Manager Self-Service, it is necessary to perform user mapping for the users in the
ABAP system and the Portal. For more information, see Assigning Portal Roles to Users.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may
specify that individual users who perform tasks interactively must change their passwords on a regular basis, but
not those users under which background processing jobs run.
Manager Self-Service requires individual users of the following types:
● Dialog users (used for SAP GUI for Windows or RFC connections)
● Internet users (the same policies apply as for dialog users, but these users are used for Internet connections)
For more information about these user types, see User Types in the SAP NetWeaver AS for ABAP Security Guide.
Recommendation
For the Business Package for Manager Self-Service, we recommend that you set up the connection between the
SAP Enterprise Portal and the connected systems (ECC system, J2EE Engine, BI system) so that each
individual user has access, that is, with user-specific credentials rather than one shared technical user. This does not apply to Manager Self-Service in SAP NWBC.
Standard Users
For Manager Self-Service, no standard users are delivered.
13.13.4.3.5.1.2 Integration into Single Sign-On Environments
Use
Manager Self-Service supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore,
the security recommendations and guidelines for user administration and authentication as described in the SAP
NetWeaver Security Guide also apply to Manager Self-Service.
For more information about the available authentication mechanisms, see User Authentication and Single Sign-
On in the SAP NetWeaver Library and section Integration in Single Sign-On Environments in the S/4HANA Security
Guide.
Configuration of Web Services with Client Certificates
For MSS applications of the Business Package for Manager Self-Service, the use of client certificates should be
configured for authentication when users access the J2EE Engine using an end-to-end connection. To achieve
this, follow the instructions under Configuring the Use of Client Certificates for Authentication.
13.13.4.3.5.2 Authorizations
Use
Manager Self-Service uses the authorization concept provided by the SAP NetWeaver AS for ABAP. Therefore,
the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide
ABAP also apply to Manager Self-Service. The SAP NetWeaver authorization concept is based on assigning
authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the
AS ABAP.
Note
For more information about how to create roles, see Role Administration.
Role and Authorization Concept for Manager Self-Service
Manager Self-Service embraces services from a variety of SAP applications and also uses the authorizations of
these individual components. Many services belong to HCM components, see Authorizations for Human
Resources.
Recommendation
For Manager Self-Service, we highly recommend that you use the HCM-specific structural authorization check
in addition to the general SAP authorization check. The general check decides which infotypes and functions a
manager may use; the structural check additionally restricts which objects in the organizational structure (for
example, which employees) the manager may see. For more information, see the SAP Library for S/4HANA on SAP
Help Portal at Human Resources → HR Tools → Authorizations for Human Resources → Structural Authorization Check.
Standard Roles
The table below shows the standard roles that are used for authorizations by Manager Self-Service.
Table 356: Standard Roles for Manager Self-Service
Role | Description
SAP_ASR_MANAGER | Authorizations for the functions of the PA-AS component (HR Administrative Services) for line managers in Manager Self-Service.
SAP_TIME_MGR_XX_ESS_WDA_1 | Authorizations for line managers in Manager Self-Service for services used to approve leave requests and working times from Employee Self-Service (WDA).
SAP_TMC_MANAGER | Authorizations for managers relating to Talent Management activities. For more information, see Manager in Talent Management. The structural authorization profile TMS_MAN_PROF is also available as a template for the manager. For more information, see Customizing for Talent Management and Talent Development under Basic Settings → Authorizations in Talent Management → Define Structural Authorizations.
SAP_RCF_MANAGER | Authorizations for the Manager role, which enables access to SAP E-Recruiting from the Portal (Manager Self-Service).
SAP_MANAGER_MSS_OTH_NWBC | Authorizations for remote system applications including applications from SAP E-Recruiting.
SAP_HR_LSO_HR-MANAGER | Authorizations for the applications of the HR Manager Training role of the SAP Learning Solution component.
SAP_HR_LSO_MANAGER | Authorizations for the applications of the Manager role of the SAP Learning Solution component.
SAP_FI_TV_WEB_APPROVER | Authorizations for applications of the Travel Approver role of the SAP Travel Management component.
SAP_HR_CPS_DET_PLAN_L_SR_NWBC | Authorizations for applications of the manager role of the Personnel Cost Planning component.
SAP_SR_MSS_FIN_5 | Authorizations for the Financials applications in Manager Self-Service.
Caution
For the Business Package for Manager Self-Service, you also need SAP Note 844639 for generating the
authorization profiles.
Note
The composite role SAP_MANAGER_MSS_NWBC, which contains the single roles listed above, is required for
Manager Self-Service in SAP NetWeaver Business Client.
Standard Authorization Objects
The following section provides an overview of the security-relevant authorization objects that are used by
Manager Self-Service.
Table 357: Standard Authorization Objects for the Business Package for Manager Self-Service
Authorization Object | Field | Value | Description
S_RFC | RFC_NAME | Depends on service | Protects the RFC access from the Web Dynpro front end to the back-end system.
Table 358: Standard Authorization Objects for Controlling Services in MSS (Both Deployment Options)
Authorization Object | Description
K_CCA | General authorization object for Cost Center Accounting. Checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_ORDER | General authorization object for internal orders. Checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_PCA | Area responsible, Profit Center. Checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_CSKS_PLA | Cost element planning. Checked in the relevant Express Planning services.
K_FPB_EXP | Authorization object for Express Planning. This authorization object checks the Express Planning Framework call and the planning round call. The actual plan data is protected by the authorization objects for the individual Express Planning services.
Note
For more information about the fields for the authorization objects K_CCA, K_ORDER, and K_PCA, see SAP Note 15211.
Apart from these authorization objects, both Manager Self-Service deployment options use the authorization
objects from the following application areas or application components:
● Human Capital Management
See the S/4HANA Security Guide at Human Capital Management → Authorizations.
● SAP E-Recruiting
See the S/4HANA Security Guide at Human Capital Management → Talent Management → SAP E-Recruiting → Authorizations.
● HCM Processes and Forms
See the S/4HANA Security Guide at Human Capital Management → Personnel Administration (PA) → HCM Processes and Forms → Authorizations.
● Travel Management
See the S/4HANA Security Guide at Accounting → Financial Accounting → Travel Management (FI-TV).
Authorizations for Business Intelligence (BI) iViews (BP MSS)
For the BI iViews in the Business Package for Manager Self-Service, users need the standard BI authorizations for
executing queries. For more information, see Authorization Check When Executing a Query (in the Data
Warehouse Management section of the documentation for SAP NetWeaver Business Intelligence).
In Human Capital Management, BI queries use a BI variable for personalization. Data is read from the DataStore
object for personalization 0PERS_VAR. If required, you can fill this DataStore Object from structural authorizations
(see Structural Authorizations - Values (0PA_DS02) and Structural Authorizations - Hierarchy (0PA_DS03)).
More Information
For more information, see the SAP Help Portal BI Content documentation for Human Resources at http://help.sap.com under SAP NetWeaver → SAP NetWeaver by Key Capability → Information Integration by Key Capability → BI Content → BI Content 705 → Human Resources → Organizational Management → ODS Objects.
13.13.4.3.5.3 Session Security Protection
Use
To increase security and prevent access to the SAP logon ticket and security session cookie(s), we recommend
activating secure session management.
We also highly recommend using SSL to protect the network communications where these security-relevant
cookies are transferred.
Session Security Protection on the AS ABAP
The following section is relevant for Manager Self-Service in SAP NetWeaver Business Client:
To prevent access from JavaScript or browser plug-ins to the SAP logon ticket (cookie MYSAPSSO2) and the
security session cookies (SAP_SESSIONID_<SID>_<client>), activate secure session management. With an existing security session,
users can then start applications that require a user logon without logging on again. When a security session is
ended, the system also ends all applications that are linked to this security session.
Use transaction SICF_SESSIONS to activate HTTP security session management for each client. The profile
parameters shown in the table below must be set in your AS ABAP system:
Table 359: Session Security Protection Profile Parameters
Profile Parameter | Recommended Value | Comment
icf/set_HTTPonly_flag_on_cookies | 0 | Client-dependent. Value 0 sets the HttpOnly flag on all cookies issued by the ICF.
login/ticket_only_by_https | 1 | Not client-dependent. The logon ticket is then issued only over HTTPS and carries the Secure flag.
For more information, including a list of the relevant profile parameters and detailed instructions, see Activating
HTTP Security Session Management on AS ABAP in the AS ABAP security documentation.
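The settings above are only effective once the server actually emits the cookies with the expected attributes, so a practitioner verifies them on the wire rather than trusting the profile. The following script is an added example (not SAP code) that inspects the Set-Cookie headers of a response from the AS ABAP and reports sensitive cookies that lack HttpOnly or Secure. It assumes the headers are available as (name, value) pairs as any HTTP client returns them, and that the cookie names follow the SAP_SESSIONID_<SID>_<client> and MYSAPSSO2 patterns named in this section; the sample responses are constructed.

```python
"""Added example, not SAP code: check the Set-Cookie headers of an AS ABAP
response for the cookie flags that secure session management should produce."""

import re

# Security session cookie (SID = 3-character system ID, client = 3 digits) and logon ticket
SENSITIVE_COOKIE = re.compile(r"^(SAP_SESSIONID_[A-Z0-9]{3}_\d{3}|MYSAPSSO2)$", re.I)


def parse_set_cookie(header_value):
    """Split 'name=value; attr; attr=val' into the cookie name and the set of attribute names."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookie_flags(headers, over_https=True):
    """Return (cookie name, problem) pairs for sensitive cookies that lack HttpOnly,
    or that lack Secure when the response was served over HTTPS."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        if not SENSITIVE_COOKIE.match(name):
            continue
        if "httponly" not in attrs:
            # Script-readable cookie: what you see when icf/set_HTTPonly_flag_on_cookies is not 0
            findings.append((name, "missing HttpOnly"))
        if over_https and "secure" not in attrs:
            # For MYSAPSSO2 this is what login/ticket_only_by_https = 1 is meant to enforce
            findings.append((name, "missing Secure"))
    return findings


# Constructed sample responses; cookie values are placeholders, not captured data
HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sap-usercontext=sap-client=100; path=/"),
    ("Set-Cookie", "SAP_SESSIONID_S4H_100=abc123; path=/; HttpOnly; Secure"),
    ("Set-Cookie", "MYSAPSSO2=AjQxMDM; path=/; domain=.example.corp; HttpOnly; secure"),
]
WEAK_RESPONSE = [
    ("Set-Cookie", "SAP_SESSIONID_S4H_100=abc123; path=/"),
    ("Set-Cookie", "MYSAPSSO2=AjQxMDM; path=/; domain=.example.corp; HttpOnly"),
]

if __name__ == "__main__":
    for label, response in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_cookie_flags(response) or "no findings")
```

Run it against the headers of a real logon response (for example captured with a browser's developer tools or an intercepting proxy) after changing the parameters; the non-sensitive sap-usercontext cookie is deliberately ignored.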
13.13.4.3.5.4 Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the
communication necessary for your business needs without allowing unauthorized access. A well-defined network
topology can eliminate many security threats based on software flaws (at both the operating system level and
application level) or network attacks such as eavesdropping. If users cannot log on to your application or database
servers at the operating system or database layer, then there is no way for intruders to compromise the machines
and gain access to the back-end system's database or files. Additionally, if users are not able to connect to the
server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on
the server machines.
The network topology for Manager Self-Service is based on the topology used by the SAP NetWeaver platform.
Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also
apply to Manager Self-Service. Details that specifically apply to Manager Self-Service are described in the
following topics:
● Network Security
This topic describes the recommended network topology for Manager Self-Service. It shows the appropriate
network segments for the various client and server components and where to use fire walls for access
protection. It also includes a list of the ports needed to operate Manager Self-Service.
● Communication Destinations
This topic describes the information needed for the various communication paths, for example, which users
are used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide:
● Network and Communication Security
● Security Guides for Connectivity and Interoperability Technologies
13.13.4.3.5.4.1 Network Security
Ports
Manager Self-Service runs on SAP NetWeaver and uses the ports from the AS ABAP (for Manager Self-Service in
SAP NWBC).
For more information, see the topic for AS ABAP Ports in the corresponding SAP NetWeaver Security Guides.
For other components, for example, SAPinst, SAProuter, or the SAP Web Dispatcher, see also the document
TCP/IP Ports Used by SAP Applications, which is located on the SAP Service Marketplace at http://service.sap.com/
under Products → Database & Technology → Security → Infrastructure Security.
13.13.4.3.5.4.2 Communication Destinations
The tables below provide an overview of the communication destinations required for the MSS deployment
options.
Manager Self-Service in SAP Business Client
For this deployment option, you have to maintain the RFC connections listed in the following table using
transaction SM59.
Table 360: Connection Destinations for Manager Self-Service in SAP Business Client
Destination | Delivered | Type | Recommended User Authorizations | Description
SAP_ECC_HumanResources | No | ABAP connection | n/a | System alias for the ECC HCM system
SAP_ECC_HumanResources_HTTP | No | HTTP connection | n/a | System alias for the ECC HCM system
SAP_ECC_FINANCIALS | No | ABAP connection | n/a | System alias for the ECC FI system for Financials applications
SAP_ECC_FINANCIALS_HTTP | No | HTTP connection | n/a | System alias for the ECC FI system for Financials applications
SAP_EREC_TalentManagement | No | ABAP connection | n/a | System alias for the SAP E-Recruiting system
SAP_EREC_TalentManagement_HTTP | No | HTTP connection | n/a | System alias for the SAP E-Recruiting system
13.13.4.3.5.5 Internet Communication Framework Security
Use
Activate only the services needed for the applications running in your system. For Manager Self-Service in SAP
Business Client, the following services are needed. Unless a full path is given, they are located under
default_host/sap/bc/webdynpro/sap/:
For applications from the Suite Inbox (CA-EPT-IBO):
● IBO_WDA_INBOX
For applications from HCM Processes and Forms (PA-AS):
● asr_form_display
● asr_mass_start_process
● asr_pa_pd_processes_display
● asr_processes_display
● ASR_PROCESS_EXECUTE_FPM
● asr_process_select
● asr_srch_pd_process
For applications from Cross-Application Time Sheet (CA-TS) and Personal Time Management (PT):
● HRMSS_A_CATS_APPROVAL
● HRESS_A_PTARQ_LEAVREQ_APPL
● HRESS_A_LEA_TEAM_CALENDAR
For applications from Talent Management and Talent Development (PA-TM):
● HRTMC_EMPLOYEE_PROFILE
● HRTMC_LONG_PROFILE
● hrtmc_side_by_side
● HRTMC_TA_ASSESSMENT
● HRTMC_TA_DASHBOARD
● HRTMC_TA_DEV_PLAN
● hrtmc_teamviewer
For applications from Performance Management (PA-PD-PM):
● HAP_MAIN_DOCUMENT
● HAP_START_PAGE_POWL_UI_MSS
● HAP_A_PMP_PIE_CHART
● HAP_A_PMP_GOALS
● HAP_A_PMP_OVERVIEW
● HAP_A_PMP_MAIN
For applications from Enterprise Compensation Management (PA-ECM):
● HCM_ECM_PLANNING_OVERVIEW_OIF
● HCM_ECM_PLANNING_UI_GAF
● HCM_ECM_PROFILE_OIF
● HCM_ECM_SIDEBYSIDE_OIF
● HCM_ECM_TEAMVIEWER_OIF
For applications from Personnel Cost Planning (PA-CP):
● WDA_HCP_DET_PLAN
For applications from SAP Learning Solution (PE-LSO):
● LSO_MANAGE_PARTICIPANTS
● LSO_MANAGE_MANDATORY_ASSIGN
For applications from SAP E-Recruiting (PA-ER):
● default_host/sap/bc/erecruiting/dataoverview
● hrrcf_a_dataoverview
● hrrcf_a_requi_monitor
● hrrcf_a_req_assess
● hrrcf_a_tp_assess
● hrrcf_a_qa_mss
● hrrcf_a_substitution_manager
● hrrcf_a_substitution_admin
Note
You activate the services in Customizing for SAP E-Recruiting at Technical Settings User Interfaces
Manager Involvement Specify E-Recruiting Services for MSS .
For applications from Travel Management (FI-TV):
● FITV_POWL_APPROVER
● FITV_TRIP_FORM
● FITV_POWL_PERSONALIZATION
For applications from the Financials (FI) application area:
● QISR_UI_STATUSOVERVIEW
● FPB_EXP_OVERVIEW
● FCOM_PBC_MONITOR
● FPB_VARIANCE_MONITOR_OVERVIEW
● FCOM_EQM_MONITOR
● FPB_LINEITEM_MONITOR_OVERVIEW
Activities
Use the transaction SICF to activate these services.
If your firewalls use URL filtering, also note the URLs used for the services and adjust your firewall settings
accordingly.
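Checking the activation state by hand in SICF is error-prone for a list of this size, and the list cuts both ways: a missing service breaks an application, while an active service that no application needs is exposed attack surface. The following script is an added example (not SAP code) that compares an export of the ICF tree against the services listed above. It assumes the export is available as (path, active) rows, for example typed off transaction SICF or pulled from the ICF tables with your own tooling, and matches paths case-insensitively because SICF treats hrtmc_side_by_side and HRTMC_SIDE_BY_SIDE as the same node. The sample export is constructed.

```python
"""Added example, not SAP code: audit ICF activation against the Manager Self-Service service list."""

WEBDYNPRO_ROOT = "/default_host/sap/bc/webdynpro/sap/"

# Services required for Manager Self-Service in SAP Business Client, taken from the list
# in this section; all live under the Web Dynpro root unless a full path is given below.
REQUIRED_SERVICES = {
    "ibo_wda_inbox",
    "asr_form_display", "asr_mass_start_process", "asr_pa_pd_processes_display",
    "asr_processes_display", "asr_process_execute_fpm", "asr_process_select", "asr_srch_pd_process",
    "hrmss_a_cats_approval", "hress_a_ptarq_leavreq_appl", "hress_a_lea_team_calendar",
    "hrtmc_employee_profile", "hrtmc_long_profile", "hrtmc_side_by_side", "hrtmc_ta_assessment",
    "hrtmc_ta_dashboard", "hrtmc_ta_dev_plan", "hrtmc_teamviewer",
    "hap_main_document", "hap_start_page_powl_ui_mss", "hap_a_pmp_pie_chart", "hap_a_pmp_goals",
    "hap_a_pmp_overview", "hap_a_pmp_main",
    "hcm_ecm_planning_overview_oif", "hcm_ecm_planning_ui_gaf", "hcm_ecm_profile_oif",
    "hcm_ecm_sidebyside_oif", "hcm_ecm_teamviewer_oif",
    "wda_hcp_det_plan",
    "lso_manage_participants", "lso_manage_mandatory_assign",
    "hrrcf_a_dataoverview", "hrrcf_a_requi_monitor", "hrrcf_a_req_assess", "hrrcf_a_tp_assess",
    "hrrcf_a_qa_mss", "hrrcf_a_substitution_manager", "hrrcf_a_substitution_admin",
    "fitv_powl_approver", "fitv_trip_form", "fitv_powl_personalization",
    "qisr_ui_statusoverview", "fpb_exp_overview", "fcom_pbc_monitor",
    "fpb_variance_monitor_overview", "fcom_eqm_monitor", "fpb_lineitem_monitor_overview",
}
REQUIRED_PATHS = {WEBDYNPRO_ROOT + s for s in REQUIRED_SERVICES} | {
    "/default_host/sap/bc/erecruiting/dataoverview",
}


def audit_icf(nodes):
    """nodes: iterable of (icf_path, is_active). Returns (missing, unexpected):
    required services that are inactive, and active services under the Web Dynpro
    root that Manager Self-Service does not need (confirm another application needs them)."""
    active = {path.lower().rstrip("/") for path, is_active in nodes if is_active}
    required = {p.lower() for p in REQUIRED_PATHS}
    missing = sorted(required - active)
    unexpected = sorted(p for p in active if p.startswith(WEBDYNPRO_ROOT) and p not in required)
    return missing, unexpected


# Constructed sample export: everything required is active except hrtmc_teamviewer,
# one node is exported in upper case, and one unrelated (made-up) node is active.
SAMPLE_NODES = [(p, p != WEBDYNPRO_ROOT + "hrtmc_teamviewer") for p in sorted(REQUIRED_PATHS)]
SAMPLE_NODES = [(p.replace("hrtmc_side_by_side", "HRTMC_SIDE_BY_SIDE"), a) for p, a in SAMPLE_NODES]
SAMPLE_NODES.append((WEBDYNPRO_ROOT + "ZZ_DEMO_APP", True))

if __name__ == "__main__":
    missing, unexpected = audit_icf(SAMPLE_NODES)
    print("required but inactive:", missing)
    print("active but not needed by MSS:", unexpected)
```

Treat the "unexpected" list as a review queue rather than a deactivation list: other self-service or HCM applications on the same system legitimately need their own Web Dynpro services.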
More Information
For more information, see Activating and Deactivating ICF Services in the SAP NetWeaver Library documentation.
For more information about ICF security, see the RFC/ICF Security Guide .
13.13.4.3.5.6 Security-Relevant Logging and Tracing
Manager Self-Service relies on the logging and tracing mechanisms from SAP NetWeaver.
For more information, see the following topics:
● For the AS ABAP (relevant for Manager Self-Service in SAP NetWeaver Business Client):
○ Auditing and Logging
○ Tracing and Logging (for NWBC)
13.13.5 Talent Management
13.13.5.1 SAP E-Recruiting
13.13.5.1.1 Security Aspects of Data Flow and Processes
The following section provides an overview of the data flows in the security-relevant scenarios for SAP E-
Recruiting.
13.13.5.1.1.1 Data Entry by External Candidate in Distributed
System
The figure below provides an overview of the data flow for the following scenario: Data entry by the external
candidate in the distributed system.
The table below lists the security aspect that has to be taken into account for each process step and the security
action that is taken.
Table 361:
Step | Description | Security Action
1 | External candidate transfers profile data and application data | External candidate has to confirm the data privacy statement.
2 | Data transfer | Access authorization using RFC user
3 | Save data to database | Not relevant
4 | External candidate uploads attachments | Not relevant
5 | Virus check (WD ABAP) | Standard virus check provided by SAP NetWeaver Application Server (front-end server)
6 | Data transfer | Not relevant
7 | Virus check (BAdI) | Additional virus check using the BAdI HRRCF00_DOC_UPLOAD (backend server) (see Customizing activity BAdI: Upload Documents)
8 | Save data to database | Not relevant
13.13.5.1.1.2 Data Entry in Nondistributed System
The figure below provides an overview of the data flow for the following scenario: Data entry in the nondistributed
system.
The data flow is relevant within the framework of the following scenarios:
● The internal or external candidate maintains his or her profile and application.
● The recruiter maintains a candidate's profile.
● The recruiter or data entry clerk enters an application in the system.
The table below lists the security aspect that has to be taken into account for each process step and the security
action that is taken.
Table 362:
Step | Description | Security Action
1 | Transfer of data | External candidate has to confirm the data privacy statement.
2 | Save data to database | Not relevant
3 | Transfer of attachments | Not relevant
4 | Virus check (WD ABAP) | Standard virus check provided by SAP NetWeaver Application Server (front-end server)
5 | Virus check (BAdI) | Additional virus check using the BAdI HRRCF00_DOC_UPLOAD (backend server) (see Customizing activity BAdI: Upload Documents)
6 | Save data to database | Not relevant
13.13.5.1.1.3 Integration of Org. Mgmt/E-Recruiting in Distributed System
The figure below provides an overview of the data flow for the scenario: Integration of Organizational Management
in SAP E-Recruiting in a distributed system.
The table below lists the security aspect that has to be taken into account for each process step and the security
action that is taken.
Table 363:
Step | Description | Security Action
1 | The recruiter requests data overviews for organizational units, positions, or jobs. | Not relevant
2 | The SAP NetWeaver Application Server requests the Organizational Management data using RFC in the connected HR system. | Access authorization using RFC user
3 | The HR system transfers the data using XML to the SAP NetWeaver Application Server. | XML encryption
13.13.5.1.1.4 Integration of Org. Mgmt/E-Recruiting in Integrated System
The figure below provides an overview of the data flow for the scenario: Integration of Organizational Management
in SAP E-Recruiting in an integrated system.
The table below lists the security aspect that has to be taken into account for the process step and the security
action that is taken.
Table 364:
Step | Description | Security Action
1 | The recruiter requests data overviews for organizational units, positions, or jobs. | Not relevant
2 | The SAP NetWeaver Application Server requests the Organizational Management data in the integrated HR system. | Not relevant
3 | The integrated HR system transfers the data using XML to the SAP NetWeaver Application Server. | XML encryption
13.13.5.1.1.5 Recommendation of Job Posting (Tell a Friend)
The figure below provides an overview of the data flow for the following scenario: The candidate uses the Tell A
Friend function to inform another person about an employment opportunity.
The process runs as described below if you enter the value MAILTO or MAILTO_REGONLY for the parameter
TF_SEND_METHOD in Customizing for SAP E-Recruiting under Technical Settings → User Interfaces → Candidate
→ Backend Candidate → Assign Values to Interface Parameters (Web Dynpro ABAP).
We recommend that you do not use the delivered default TF_SEND_METHOD = ' ' (blank), because the e-mails
with the recommendation letter are then sent through your own e-mail server. As the candidate specifies both the
recipient and the content of the message, anyone can use the sender address of your e-mail server to deliver
arbitrary text to arbitrary recipients.
For more information, see the documentation for the Customizing activity Assign Values to Interface Parameters
(Web Dynpro ABAP) and SAP Note 1390162.
The table below lists the security aspect that has to be taken into account for each process step and the security
action that is taken.
Table 365:
Step | Name | Security Action
1 | Trigger Tell a Friend function | Not relevant
2 | Open local e-mail client | The e-mail client (for example, Microsoft Outlook) is opened locally on the candidate's computer. This client (and not the central e-mail server) then sends the e-mail. You activate this process using the parameter TF_SEND_METHOD in the Customizing activity Assign Values to Interface Parameters (Web Dynpro ABAP).
3 | Send e-mail | Not relevant
13.13.5.1.1.6 Resume Parsing (Candidate, Integrated System)
The figure below provides an overview of the data flow for the following scenario:
The candidate uploads his or her resume as an attachment and then sends it to a third-party vendor for parsing.
The front end and backend for the candidate's user run on the same system.
The table below lists the security aspect that has to be taken into account for each process step and the security
action that is taken.
Table 366:
Step | Name | Security Action
1 | Upload resume as attachment | Not relevant
2 | Virus check WD ABAP | Standard virus check provided by SAP NetWeaver Application Server (front-end server)
3 | Virus check BAdI | Additional virus check using the BAdI HRRCF00_DOC_UPLOAD (backend server) (see Customizing activity BAdI: Upload Documents)
4 | Save contents | Not relevant
5 | Trigger Resume Parsing | Not relevant
6 | Transfer attachment with resume | Not relevant
7 | Parse resume | For XI-relevant security topics, see http://service.sap.com/securityguide → SAP Process Integration (PI) Security Guides.
8 | Transfer HRXML data | HRXML coding
9 | Save structured data to database | Not relevant
10 | Trigger profile upload | Not relevant
11 | Save structured data in profile | Not relevant
12 | Virus check BAdI | Additional virus check using the BAdI HRRCF00_DOC_UPLOAD (backend server) (see Customizing activity BAdI: Upload Documents)
13 | Save formatted resume as attachment | Not relevant
14 | Save contents | Not relevant
13.13.5.1.1.7 Resume Parsing (Candidate, Distributed Scenario)
The figure below provides an overview of the data flow for the following scenario: The candidate uploads his or her
resume as an attachment and then sends it to a third-party vendor for parsing. The front end and backend for the
candidate's user run on different systems.
The table below lists the security aspect that has to be taken into account for each process step and the security
action that is taken.
Table 367:
Step | Name | Security Action
1 | Upload resume as attachment | Not relevant
2 | Virus check WD ABAP | Standard virus check provided by SAP NetWeaver Application Server (front-end server)
3 | Virus check BAdI | Additional virus check using the BAdI HRRCF00_DOC_UPLOAD (backend server) (see Customizing activity BAdI: Upload Documents)
4 | Save contents | Not relevant
5 | Trigger Resume Parsing | Not relevant
6 | Transfer attachment with resume | Not relevant
7 | Parse resume | For XI-relevant security topics, see http://service.sap.com/securityguide → SAP Process Integration (PI) Security Guides.
8 | Transfer HRXML data | HRXML coding
9 | Save structured data to database | Not relevant
10 | Trigger profile upload | Not relevant
11 | Save structured data in profile | Not relevant
12 | Virus check BAdI | Additional virus check using the BAdI HRRCF00_DOC_UPLOAD (backend server) (see Customizing activity BAdI: Upload Documents)
13 | Save formatted resume as attachment | Not relevant
14 | Save contents | Not relevant
13.13.5.1.1.8 Resume Parsing (Recruiter)
The figure below provides an overview of the data flow for the following scenario:
The recruiter uploads a candidate’s resume as an attachment and then sends it to a third-party vendor for
parsing. The data is then transferred to the corresponding fields of the form for the Entry of External Applications
application.
The table below lists the security aspect that has to be taken into account for each process step and the security
action that is taken.
Table 368:
Step | Name | Security Action
1 | Upload resume as attachment | Not relevant
2 | Virus check WD ABAP | Standard virus check provided by SAP NetWeaver Application Server (front-end server)
3 | Trigger Resume Parsing | Not relevant
4 | Transfer resume as attachment | Not relevant
5 | Parse resume | For XI-relevant security topics, see http://service.sap.com/securityguide → SAP Process Integration (PI) Security Guides.
6 | Transfer HRXML data | HRXML coding
7 | Save structured data to buffer | Not relevant
8 | Trigger profile upload | Not relevant
9 | Save structured data in profile | Not relevant
10 | Save attachment "Resume" | Not relevant
11 | Virus check WD ABAP | Standard virus check provided by SAP NetWeaver Application Server (front-end server)
12 | Save contents | Not relevant
13 | Save attachment "Formatted resume" | Not relevant
14 | Virus check WD ABAP | Standard virus check provided by SAP NetWeaver Application Server (front-end server)
15 | Save contents | Not relevant
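The data-flow tables for candidate data entry (Tables 361 and 362) and for resume parsing (Tables 366 to 368) all show the same pattern: attachments are scanned once by the Web Dynpro ABAP front end and again on the backend through the BAdI HRRCF00_DOC_UPLOAD. The second scan matters because, in the distributed scenario, the backend cannot know whether the front end was hardened or whether the file even arrived via the front end. The following is an added example (not SAP code and not the BAdI's interface) in Python showing the fail-closed shape such a backend check takes: it allow-lists document types, verifies the declared type against the content, and treats any scanner failure as a rejection. The scanner hook, size limit and sample files are constructed.

```python
"""Added example, not SAP code: fail-closed backend validation of an uploaded attachment."""

import hashlib

MAX_BYTES = 5 * 1024 * 1024  # constructed limit for the example

# Allow-list of document types with the leading bytes ("magic") each must start with;
# an empty tuple means "no magic, must decode as UTF-8 text" instead.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),
    ".txt": (),
}


class UploadRejected(Exception):
    """Raised for any upload that must not be stored."""


def check_upload(filename, data, scanner):
    """Validate an attachment before it is stored and return its SHA-256 hex digest.

    `scanner(data)` is a hypothetical hook standing in for the virus scanner; it returns
    True when the content is clean. Nothing here trusts a "front end already scanned"
    flag: the backend performs every check itself, and a scanner error rejects the file.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        raise UploadRejected(f"file type not allowed: {filename}")
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    if MAGIC[ext]:
        if not any(data.startswith(magic) for magic in MAGIC[ext]):
            raise UploadRejected(f"content does not match declared type {ext}")
    else:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("text upload is not valid UTF-8")
    try:
        clean = scanner(data)
    except Exception as exc:  # scanner down, timeout, bad response: fail closed
        raise UploadRejected(f"scanner unavailable, rejecting upload: {exc}")
    if not clean:
        raise UploadRejected("scanner reported malicious content")
    return hashlib.sha256(data).hexdigest()


def rejects(filename, data, scanner):
    """True if check_upload refuses the file; used to exercise the rejection paths."""
    try:
        check_upload(filename, data, scanner)
    except UploadRejected:
        return True
    return False


# Constructed sample inputs and scanner stubs
CLEAN_SCANNER = lambda data: True
INFECTED_SCANNER = lambda data: False


def BROKEN_SCANNER(data):
    raise RuntimeError("scanner daemon not reachable")


if __name__ == "__main__":
    print(check_upload("cv.pdf", b"%PDF-1.4\n%constructed sample\n", CLEAN_SCANNER))
    print(rejects("cv.pdf", b"MZ\x90\x00renamed executable", CLEAN_SCANNER))
    print(rejects("cv.pdf", b"%PDF-1.4\n", BROKEN_SCANNER))
```

The digest returned on success is what you would store next to the attachment, so that a later scan with updated signatures can be tied to exactly the bytes that were accepted.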
13.13.5.1.1.9 Background Check
The figure below provides an overview of the data flow for the following scenario: The recruiter forwards data
regarding a candidate’s education, work experience, or qualifications to an external provider, who then checks
that this data is correct.
The table below lists the security aspect that has to be taken into account for each process step and the security
action that is taken.
Table 369:
Step | Name | Security Measure
1 | Initialize background check | Not relevant
2 | Summarize profile data | Not relevant
3 | Transfer profile data | Not relevant
4 | Request background check | For XI-relevant security topics, see SAP Process Integration Security Guide
5 | Return order ID | Not relevant
6 | Initialize request for processing status | Not relevant
7 | Transfer request | Not relevant
8 | Request processing status | For XI-relevant security topics, see SAP Process Integration Security Guide
9 | Return processing status | Not relevant
10 | Initialize request for access URL | Not relevant
11 | Transfer request | Not relevant
12 | Request URL | For XI-relevant security topics, see SAP Process Integration Security Guide
13 | Access to URL that the third-party vendor uses to display the report for the background check | Not relevant
13.13.5.1.1.10 Registration Process with E-Mail Verification
The figures below provide an overview of a candidate’s registration process with e-mail verification. This is
relevant for persons who want to register their details in the Talent Warehouse or for persons who want to submit
an application for an employment opportunity and who have to register their details first in order to do so. The
process description is divided into two parts in the figures below. The first figure shows the process up to the
point in time when the system sends a confirmation mail for the e-mail address. The second figure shows the
process from the moment that the candidate finds this e-mail in his or her e-mail inbox.
For more information about the registration process, see section Registration with E-Mail Verification in the SAP
Library for S/4HANA under Human Resources → Talent Management → SAP E-Recruiting (PA-ER) → Candidate →
Storage of Data in Talent Warehouse → Registration. For more information about the application process with
registration at the same time, see section Online Application of Unregistered Candidate in the SAP Library for
S/4HANA under Human Resources → Talent Management → SAP E-Recruiting (PA-ER) → Candidate.
Note
This process is relevant if the switch RECFA VERIF is set in the Customizing activity Set System Parameters .
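The security of this registration flow rests on the confirmation link: it must prove that whoever clicks it controls the mailbox, it must not be forgeable for another candidate, and it must stop working after the validity period set in Determine Rules for Periodic Services. The following is an added example (not SAP E-Recruiting code) of how such a link token is built and checked: an HMAC over the candidate ID and issue time, verified with a constant-time comparison and an expiry check. The key, the validity period and the candidate IDs are constructed; in practice the key is a server-side secret and the validity comes from Customizing.

```python
"""Added example, not SAP code: time-limited, HMAC-protected e-mail confirmation tokens."""

import base64
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)      # constructed; a real deployment keeps this server-side
VALIDITY_SECONDS = 3 * 24 * 3600      # constructed; the page says this is set in Customizing


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(candidate_id, issued_at=None, key=SECRET):
    """Return '<payload>.<mac>' where payload is '<candidate_id>:<unix_time>'.
    The MAC binds both fields, so neither the ID nor the timestamp can be altered."""
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    payload = f"{int(candidate_id)}:{issued_at}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_confirmation_token(token, now=None, key=SECRET, validity=VALIDITY_SECONDS):
    """Return the candidate ID if the token is authentic and still valid, else None.
    Malformed input, a wrong MAC and an expired link all fail the same way."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):   # constant-time: forged or tampered link
            return None
        candidate_id, issued_at = payload.decode().split(":")
        if now - int(issued_at) > validity:          # link validity elapsed
            return None
        return int(candidate_id)
    except ValueError:                                # covers bad base64, bad split, bad int
        return None


if __name__ == "__main__":
    token = make_confirmation_token(4711)
    print("link: https://careers.example.corp/confirm?t=" + token)   # constructed URL
    print("verifies to candidate", verify_confirmation_token(token))
```

On a successful verification the application still has to check that the candidate's Status of E-Mail Verification is 1 (Outstanding) before changing it, so that a confirmation link cannot be replayed after it has been used.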
The table below lists the security aspect that has to be taken into account for each process step and the security
action that is taken.
Table 370:

Step: Optional step
Description: The unregistered candidate finds a suitable job posting and submits an application for this posting. In this case, the candidate has to register his or her details before the application can be submitted. (Continue with step 1)
Security Action: For the unregistered candidate, the system uses the service user that is assigned to the corresponding ICF service in the Customizing activity Specify E-Recruiting Services (WebDynpro ABAP).

Step: 1
Description: The unregistered candidate calls the screen page for the registration and enters the data required for the registration in the Talent Warehouse.
Security Action: For the unregistered candidate, the system uses the service user that is assigned to the corresponding ICF service in the Customizing activity Specify E-Recruiting Services (WebDynpro ABAP).

Step: 2
Description: The unregistered candidate performs the registration.
Security Action: -

Step: 3
Description: The system checks the information for completeness and correctness and, if applicable, asks the unregistered candidate to correct the information.
Security Action: -

Step: 4
Description: The system creates an unverified candidate.
Security Action: In the Candidate Overview infotype (5102) in the Status of E-Mail Verification field, the system enters the value 1 (Outstanding). At the same time, the system creates a user for the candidate.

Step: 5a
Description: The system informs the candidate that the registration process was triggered and that he or she will receive a confirmation mail.
Security Action: -

Step: 5b
Description: At the same time, the system sends a confirmation mail via the mail server to the e-mail address stored by the candidate. This contains a link that the candidate must use to confirm his or her e-mail address and so complete the registration.
Security Action: If the user does not subsequently confirm his or her e-mail address, the user cannot access the Talent Warehouse. In the Customizing activity Determine Rules for Periodic Services, you can specify for how long the link for confirming the e-mail address is to be valid.

Step: Optional step
Description: If the candidate has registered his or her details as part of submitting an application, the system now displays the application wizard. The candidate can complete the application but cannot send it until he or she has confirmed the e-mail address and completed the registration process.
Security Action: -
The table below lists the security aspect that has to be taken into account for the process step and the security action that is taken.
Table 371:

Step: 1
Description: The unverified candidate finds the confirmation mail in his or her e-mail inbox, opens the mail, and clicks the link to confirm the e-mail address.
Security Action: In the Customizing activity Determine Rules for Periodic Services, you can specify the following (in addition to the validity period of the link for the confirmation):
● Period after which a reminder mail is sent to the unverified candidate
● Maximum number of possible requests for a new confirmation mail
● Option whether candidates can request a new confirmation mail even though the validity period of the last confirmation mail sent was exceeded

Step: 2
Description: The system converts the unverified candidate into a confirmed candidate.
Security Action: In the Candidate Overview infotype (5102) in the Status of E-Mail Verification field, the system enters the value 0 (Confirmed).

Step: 3
Description: The candidate is informed about the successful registration. At the same time, the candidate receives a link that he or she can use to log on to the Talent Warehouse.
Security Action: For security reasons, the confirmation does not contain the password that the user needs to log on to the Talent Warehouse and which he or she entered on the registration screen.

Step: Optional step
Description: If the candidate registered his or her details while submitting an application and has already created one or more applications, the system displays a link that the candidate can then use to display a list of the applications.
Security Action: To do this, the candidate has to log on to the Talent Warehouse with his or her user alias and password.

Step: Optional step
Description: The system displays a list of applications that have not yet been sent. The candidate submits an application.
Security Action: The candidate can now submit applications because his or her e-mail address has now been confirmed.

Step: Optional step
Description: The system sets the status of the application and the candidacy to In Process.
Security Action: Recruiters can now view the application and the candidate profile.
13.13.5.1.1.11 Deregistration and Deletion of External Candidates
Definition
In SAP E-Recruiting, there is a two-step process to delete a candidate. The first step is deregistering the external
candidate. The second step is deleting the candidate data from the Talent Warehouse.
This document describes how the system handles the candidate’s data in the different scenarios.
Note
If you delete the external candidates via the HRRCF_CAND archiving object and the functions of the SAP
Information Lifecycle Management (ILM) at the same time with the processes described here, data
inconsistencies may occur. For more information, see Destroying Candidate Data Using HRRCF_CAND.
Candidates delete their registration themselves
For information about the service, see Deleting the Registration.
If the candidate requests the deletion of his or her own registration, the system performs the following steps:
● The Registration of Candidate Deleted indicator is set in infotype 5102 (Candidate Overview).
● The candidate’s user is locked.
● The workflow ERCCandDerig is triggered. The workflow runs automatically in the background. For information
about which data of the candidate is processed by the workflow, see the documentation for the Workflow for
Deleting a Candidate’s Registration.
The remaining data for the candidate is retained in the database.
Administrator deletes the registration of external candidates
For information about the service, see Deleting Registration of External Candidates.
If the administrator deletes the registration of an external candidate, the system performs the following steps:
● The Registration of Candidate Deleted indicator is set in infotype 5102 (Candidate Overview).
● The workflow ERCCandDerig is triggered. The workflow runs automatically in the background. For information
about which data of the candidate is processed by the workflow, see the documentation for the Workflow for
Deleting a Candidate’s Registration.
The remaining data for the candidate is retained in the database.
Administrator deletes the external candidates
Even after an external candidate is deregistered, the candidate’s data still exists in the system. To delete the
candidate completely from the system, the administrator has to delete the external candidate.
For information about the service, see Deleting External Candidates.
Note
The administrator can only delete candidates for whom there are no applications or assignments with the
status In Process or To Be Hired.
When deleting data, the system also takes into account the legal time limits for retaining data (see the end of
this document).
When the candidates are deleted, the associated business partners are not deleted, but are archived. You can
delete business partners later using the transaction BUPA_DEL.
If the prerequisites for the deletion are met, the system executes the following steps:
● Deletion of the candidate’s applications and any related objects:
○ HR object Application
○ Audit Trails
○ Documents for the application in Knowledge Provider (KPro)
○ Activities
● Deletion of the candidate’s candidacies and any related objects:
○ HR object Candidacy
○ Documents for the candidacy in Knowledge Provider (KPro)
○ Activities
● Deletion of the job agents created by the candidate
● Deletion of the candidate and any related objects:
○ HR object Candidate
○ The candidate’s user in the backend system; in the distributed system, also the candidate’s user in the
front-end system
○ Documents for the candidate in Knowledge Provider (KPro)
○ Activities
Delete External Candidates (report)
Another option for deleting external candidates is to use the RCF_DELETE_EXT_CAND report.
You call this report in Customizing for SAP E-Recruiting under Tools → Delete External Candidates. For more
information, see the documentation for the Customizing activity.
We recommend you use this report instead of using the Delete External Candidates service as the report enables
you to use multiple selection criteria. In this way, the user can specifically select deregistered candidates, for
example.
The report is otherwise identical to the Delete External Candidates service.
Retention periods for candidate-based data
You enter the retention periods that the report has to take into account in Customizing for SAP E-Recruiting under
Store Legal Periods. For more information, see the documentation of the Customizing activity.
13.13.5.1.1.12 Sending E-Mails Using the Workflow
SAP E-Recruiting uses workflows that send various documents by e-mail.
The table below shows the workflows and lists the e-mails that are sent using the relevant workflows.
Table 372: E-Mails Using Workflows

Workflow Template | Description | E-Mail Recipient | E-Mail Content | How E-Mail Is Sent
WS51800042 | ERCAdjEntry | - | - | -
WS51900003 | ERCSendPwd | Candidate | Send password | Method
WS51900005 | ERCStatusChg | Candidate | Confirmation of receipt of application | Method
WS51900005 | ERCStatusChg | Candidate | Correspondence: Rejection | Method
WS51900005 | ERCStatusChg | Recruiter | Notification that application is withdrawn | WF E-Mail
WS51900006 | ERCCandDerig | Candidate | Confirmation that candidate has been deregistered | Method
WS51900007 | ERCApprReqWD | Approver | Notification to the approver | WF E-Mail
WS51900007 | ERCApprReqWD | Requester | Notification of the decision | WF E-Mail
WS51900008 | ERCObjCreate | Candidate | Acknowledge Candidate | Method
WS51900008 | ERCObjCreate | Candidate | Verification mail | Method
WS51900009 | ERCActCreate | - | - | -
WS51900010 | ERCStatChg_2 | Candidate | Confirmation of receipt of application | Method
WS51900010 | ERCStatChg_2 | Candidate | Correspondence: Rejection | Method
WS51900010 | ERCStatChg_2 | Recruiter | Notification that application is withdrawn | WF E-Mail
WS51900011 | ERCActCrea_2 | - | - | -
WS51900018 | ERCSendVerif | Candidate | Confirmation mail | Method
13.13.5.1.2 User Administration and Authentication
SAP E-Recruiting uses the user management and authentication mechanisms provided with the SAP NetWeaver
platform, in particular the SAP NetWeaver Application Server for ABAP. Therefore, the security recommendations
and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server
for ABAP also apply to SAP E-Recruiting.
In addition to these guidelines, we include information about user administration and authentication that
specifically applies to SAP E-Recruiting in the following topics:
● User Management
This topic lists the tools to use for user management, the types of users required, and the standard users that
are delivered with SAP E-Recruiting.
● Integration into Single Sign-On Environments
This topic describes how SAP E-Recruiting supports Single Sign-On mechanisms.
13.13.5.1.2.1 User Management
Definition
User management for SAP E-Recruiting uses the mechanisms provided by SAP Web Application Server ABAP such as tools, user types, and password policies. For an overview of how these mechanisms apply for SAP E-Recruiting, see the sections below.
User Administration Tools
The following table shows the tools to use for user management and user administration for SAP E-Recruiting.
Table 373: User Management Tools

Tool: User and Role Maintenance (transaction PFCG)
Detailed Description: You can use the Role Maintenance transaction PFCG to generate profiles for the SAP E-Recruiting users.
Prerequisites: -

Tool: Technical Settings for User Management in SAP E-Recruiting
Detailed Description: For more information on user profiles and the roles, see Customizing for SAP E-Recruiting under Technical Settings → User Administration.
Prerequisites: -

Tool: Workflow Settings
Detailed Description: For more information, see the Customizing for SAP E-Recruiting under Technical Settings → Workflow → Workflow in E-Recruiting.
Prerequisites: You use the SAP Workflow.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may
specify that individual users who perform tasks interactively have to change their passwords on a regular basis,
but not users who run background processing jobs.
Note
For more information, see the Customizing for SAP E-Recruiting under Technical Settings → User Administration → Create Special Users.
The user types required for SAP E-Recruiting are:
● Reference user
You can create reference users to simplify authorization maintenance. You assign different roles to each
reference user. If you then assign a reference user to a user, the user inherits all of the reference user’s role
attributes and authorization profile.
● Service user
Some scenarios are accessible for registered users only; other scenarios are also accessible for unregistered
users (registration, job postings, direct application). You must assign a service user to these services so that
an unregistered user can use them.
● Background User for Workflow
To be able to use the workflow functions, you must create a system user (such as WF-BATCH) in the standard
system.
For more information, see the Customizing for SAP E-Recruiting under Technical Settings → Workflow → Workflow in E-Recruiting.
In SAP E-Recruiting, you must assign a candidate to this user. To do this, you can use the report
RCF_CREATE_USER, irrespective of whether you run SAP E-Recruiting and the HR system on the same
instance or on different instances.
For more information, see Background User for Workflow under Talent Management → SAP E-Recruiting → Authorizations in the S/4HANA Security Guide for Human Resources.
Standard Users
We do not deliver standard users within SAP E-Recruiting.
13.13.5.1.2.2 Integration into Single Sign-On Environments
The most widely-used supported mechanisms are listed below. For a complete list, see the link provided below.
● Secure Network Communications (SNC)
SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for
Windows or Remote Function Calls.
● SAP logon tickets
SAP E-Recruiting supports the use of logon tickets for SSO when using a Web browser as the frontend client.
In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP
system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication
token. The user does not need to enter a user ID or password for authentication but can access the system
directly after the system has checked the logon ticket.
● Client certificates
As an alternative to user authentication using a user ID and passwords, users using a Web browser as a
frontend client can also provide X.509 client certificates to use for authentication. In this case, user
authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and
no passwords have to be transferred. User authorizations are valid in accordance with the authorization
concept in the SAP system.
● Security Assertion Markup Language (SAML) 2.0
SAML 2.0 provides a standards-based mechanism for SSO. The primary reason to use SAML 2.0 is to enable SSO across domains.
SAP E-Recruiting supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the
security recommendations and guidelines for user administration and authentication as described in the SAP
NetWeaver Security Guide also apply to SAP E-Recruiting.
For more information about the available authentication mechanisms, see User Authentication and Single Sign-On
in the SAP NetWeaver Library.
13.13.5.1.3 Authorizations
SAP E-Recruiting uses the authorization concept provided by SAP NetWeaver AS for ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP also apply to SAP E-Recruiting.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the SAP Web AS ABAP.
Note
For more information about how to create roles, see section Role Administration under Identity Management in
the SAP Library for S/4HANA.
The following section shows the standard roles and the relevant authorization objects that SAP E-Recruiting uses.
These are:
● Background User for Workflow
● Recruiter, Administrator, and Data Entry Clerk
● Manager
● Candidate
Authorization Object S_ICF
We strongly recommend that you use the authorization object S_ICF to safeguard the Web Dynpro applications in SAP E-Recruiting. For the relevant applications, see the ICF service tree (transaction SICF) under /default_host/sap/bc/webdynpro/sap. The names of the applications in SAP E-Recruiting start with ERC for the recruiter and the administrator, and with HRRCF for the candidate.
You can safeguard each application by entering a character string for it in the SAP Authorization field under
Service Data and using this character string in the field ICF_VALUE of the authorization object S_ICF in the
corresponding user roles. For more information, see the documentation for Authorization Object S_ICF.
For information about services relevant for SAP E-Recruiting in the ICF service tree, see Internet Communication Framework Security of SAP E-Recruiting.
13.13.5.1.3.1 Background User for Workflow
Standard Roles
The table below shows the standard role that SAP E-Recruiting uses for the background user. SAP E-Recruiting
requires this background user for the execution of the workflow. The background user is usually the WF-BATCH
user.
Table 374: Standard Role for the Workflow

Role: SAP_RCF_INT_CANDIDATE_SERVER
Description: Internal Candidate (Server) under Roles (User Profiles). This role provides the necessary authorizations for an internal candidate in SAP E-Recruiting that are required on the back-end system when using a separated system (front-end and backend on different systems).
You have to create a corresponding candidate for the background user of the workflow. You use the
RCF_CREATE_USER report to do this. For more information, see the Customizing for SAP E-Recruiting under
Technical Settings → Workflow → Workflow in E-Recruiting.
For the background user to be used in SAP E-Recruiting, the background user requires the authorization to make
status changes to the SAP E-Recruiting objects (authorization object P_RCF_STAT) in addition to all of the
authorizations usually assigned to an internal candidate.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by SAP E-Recruiting.
For more information, see section Authorizations for SAP E-Recruiting under Roles (User Profiles).
Table 375: Standard Authorization Objects

Authorization Object: P_RCF_APPL
Field: RCF_APPL
Value: SAP E-Recruiting applications
Description: Authorization object that specifies within SAP E-Recruiting which SAP E-Recruiting applications a user can call. The authorization object is used for the (internal and external) candidates' applications.

Authorization Object: R_RCF_VIEW
Field: RCF_VIEW
Value: SAP E-Recruiting data overviews
Description: Authorization object that specifies within SAP E-Recruiting which data overviews a user can access.

Authorization Object: P_RCF_POOL
Field: RCF_POOL
Value: The following ways to access the candidate pool directly are available:
● Status-Independent Access to Candidates (DIRECT_ACC)
● Recognition of Multiple Applicants (DUPL_CHECK)
● Maintenance of Candidate Data (CAND_MAINT)
Description: Authorization object that specifies within SAP E-Recruiting which type of direct access a user can have to the candidates in the Talent Pool.

Authorization Object: P_RCF_STAT
Field: OTYPE, RCF_STAT
Value: SAP E-Recruiting objects and permitted object status
Description: Authorization object that specifies within SAP E-Recruiting the authorization for status changes to SAP E-Recruiting objects (for example, candidate, application, candidacy).

Authorization Object: P_RCF_ACT
Field: ACTVT
Value: Activities, processes, and the following accesses to the activities:
● Add or Create
● Change
● Delete
Description: Authorization object that specifies within SAP E-Recruiting which type of access a user can have to activities. An activity in SAP E-Recruiting is therefore identified through the assigned process and through the activity type.
13.13.5.1.3.2 Recruiter, Administrator, and Data Entry Clerk
Standard Roles
The following table shows the standard roles that are used by SAP E-Recruiting for recruiters, administrators, and data entry clerks.
Table 376: Standard Roles for Recruiters, Administrators, and Data Entry Clerks

Role: SAP_RCF_REC_ADMIN_ERC_CI_2
Description: Recruiting Administrator (Obsolete). Administrator for SAP E-Recruiting.
Note: This role is obsolete and has been replaced with the role SAP_ERC_REC_ADMIN_CI_4.

Role: SAP_RCF_REC_ADMIN_ERC_CI_4
Description: Recruiting Administrator (NWBC) (Obsolete). You need this role if you want to use the Recruiting Administrator based on SAP Business Client for HTML. The role is a composite role consisting of the single roles SAP_RCF_REC_ADMIN_SR_ERC_CI_4 and SAP_RCF_REC_ADMIN_ERC_CI_2.
Note: This role is obsolete and has been replaced with the role SAP_ERC_REC_ADMIN_CI_4.

Role: SAP_RCF_REC_ADMIN_SR_ERC_CI_4
Description: Recruiting Administrator (NWBC) (Obsolete). This role contains the recruiting administrator's menu for display based on SAP Business Client for HTML.
Note: This role is obsolete and has been replaced with the role SAP_ERC_REC_ADMIN_CI_4.

Role: SAP_ERC_REC_ADMIN_CI_4
Description: Recruiting Administrator

Role: SAP_RCF_DATA_TYPIST_ERC_CI_2
Description: Data Entry Clerk (Obsolete). The role contains the authorization for minimum data entry for incoming paper applications.
Note: This role is obsolete and has been replaced with the role SAP_RCF_DATA_TYPIST_ERC_CI_4.

Role: SAP_RCF_DATA_TYPIST_ERC_CI_4
Description: Data Entry Clerk

Role: SAP_RCF_RECRUITER_ERC_CI_2
Description: Recruiter (Obsolete). The role has access to the following data:
● Candidate data: The data is displayed for all candidates who stored their data in the Talent Pool.
● All publications
● All requisition data
● All application data
● All data for the selection processes
The role also contains the authorization for minimum data entry for incoming paper applications.
Note: This role is obsolete and has been replaced with the role SAP_ERC_RECRUITER_CI_4.

Role: SAP_RCF_RECRUITER_ERC_CI_4
Description: Recruiter (NWBC) (Obsolete). You need this role if you want to use the Recruiter based on SAP Business Client for HTML. The role is a composite role consisting of the single roles SAP_RCF_RECRUITER_SR_ERC_CI_4 and SAP_RCF_RECRUITER_ERC_CI_2.
Note: This role is obsolete and has been replaced with the role SAP_ERC_RECRUITER_CI_4.

Role: SAP_RCF_RECRUITER_SR_ERC_CI_4
Description: Recruiter (NWBC) (Obsolete). This role contains the recruiter's menu for display based on SAP Business Client for HTML.
Note: This role is obsolete and has been replaced with the role SAP_ERC_RECRUITER_CI_4.

Role: SAP_ERC_RECRUITER_CI_4
Description: Recruiter

Role: SAP_RCF_RES_RECRUITER_ERC_CI_2
Description: Restricted Recruiter (Obsolete). This role contains the same authorizations as the Recruiter role. However, restricted recruiters cannot change the status of requisitions and publications (see authorization object P_RCF_STAT).
Note: This role is available only if you activate the business function HCM_ERC_CI_3. This role is obsolete and has been replaced with the role SAP_ERC_RES_RECRUITER_CI_4.

Role: SAP_ERC_RES_RECRUITER_CI_4
Description: Restricted Recruiter
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by SAP E-Recruiting.
For more information, see the documentation for SAP E-Recruiting under Authorizations.
Table 377: Standard Authorization Objects

Authorization Object: P_RCF_WDUI
Field: RCF_APPL
Value: SAP E-Recruiting applications
Description: Authorization object that specifies within SAP E-Recruiting which SAP E-Recruiting application a user can call. The authorization object is used for the recruiter's, administrator's, and data entry clerk's applications.

Authorization Object: R_RCF_VIEW
Field: RCF_VIEW
Value: Data Overview
Description: Authorization object that specifies within SAP E-Recruiting which data overviews a user can access.

Authorization Object: P_RCF_POOL
Field: RCF_POOL
Value: The following ways to access the candidate pool directly are available:
● Status-Independent Access to Candidates (DIRECT_ACC)
● Recognition of Multiple Applicants (DUPL_CHECK)
● Maintenance of Candidate Data (CAND_MAINT)
Description: Authorization object that specifies within SAP E-Recruiting which type of direct access a user can have to the candidates in the Talent Pool.

Authorization Object: P_RCF_STAT
Field: OTYPE, RCF_STAT
Value: SAP E-Recruiting objects and permitted object status
Description: Authorization object that specifies within SAP E-Recruiting the authorization for making status changes to SAP E-Recruiting objects (for example, candidate, application, candidacy).

Authorization Object: P_RCF_ACT
Field: ACTVT
Value:
● Add or Create
● Change
● Delete
Description: Authorization object that specifies within SAP E-Recruiting which type of access a user can have to activities. An activity in SAP E-Recruiting is therefore identified through the assigned process and through the activity type.

Authorization Object: CA_POWL
Field: POWL_APPID, POWL_CAT, POWL_LSEL, POWL_QUERY, POWL_RA_AL, POWL_TABLE
Value: POWL_APPID: ERC-WORKCENTER
Description: Authorization object that specifies the authorizations for the Personal Object Worklist (POWL) iViews.
13.13.5.1.3.3 Manager
Using the Manager Involvement in E-Recruiting business function (Manager Self-Service) affects the two software
components SAP Enterprise Extension HR (EA-HR) and SAP E-Recruiting (ERECRUIT). You have to create an RFC
connection from the HR system (EA-HR) to the E-Recruiting system (ERECRUIT). You store an anonymous
service user (that was defined in the E-Recruiting system) for this RFC connection. The SAP_RFC_MANAGER_SERVICE role is assigned to the service user.
Standard Roles
The following table shows the standard roles that are used by SAP E-Recruiting for managers.
Table 378: Standard Roles for Manager Scenario

Role: SAP_RCF_MANAGER
Description: Manager. This role is required so that managers can access SAP E-Recruiting from the Portal (Manager Self Service). The manager wants to fill the vacant jobs in his or her area. To do this, the manager creates requisitions with the status In Process that are then processed further by recruiters.
The role has access to the following data:
● Candidate data: The manager can see only the candidate data that is assigned to requisitions for which the manager is responsible.
● Requisition data and data for selection processes: The manager can only see data for which he or she is responsible.
The role also contains the authorization to respond to questionnaires about candidates that are assigned to the relevant requisitions.

Role: SAP_RFC_MANAGER_SERVICE
Description: Service user. This role is required to request a requisition from the HR system. The service user to which this role is assigned must exist in the E-Recruiting system.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by SAP E-Recruiting.
For more information, see the documentation for SAP E-Recruiting under Authorizations (Recruitment).
Table 379: Standard Authorization Objects

Authorization Object: P_RCF_APPL
Field: RCF_APPL
Value: SAP E-Recruiting applications
Description: Authorization object that specifies within SAP E-Recruiting which SAP E-Recruiting applications a user can call.

Authorization Object: R_RCF_VIEW
Field: RCF_VIEW
Value: SAP E-Recruiting data overviews
Description: Authorization object that specifies within SAP E-Recruiting which data overviews a user can access.

Authorization Object: P_RCF_POOL
Field: RCF_POOL
Value: The following ways to access the candidate pool directly are available:
● Status-Independent Access to Candidates (DIRECT_ACC)
● Recognition of Multiple Applicants (DUPL_CHECK)
● Maintenance of Candidate Data (CAND_MAINT)
Description: Authorization object that specifies within SAP E-Recruiting which type of direct access a user can have to the candidates in the Talent Pool.

Authorization Object: P_RCF_STAT
Field: OTYPE, RCF_STAT
Value: SAP E-Recruiting objects and permitted object status
Description: Authorization object that specifies within SAP E-Recruiting the authorization for status changes to SAP E-Recruiting objects (for example, candidate, application, candidacy).

Authorization Object: P_RCF_ACT
Field: ACTVT
Value:
● Add or Create
● Change
● Delete
Description: Authorization object that specifies within SAP E-Recruiting which type of access a user can have to activities. An activity in SAP E-Recruiting is therefore identified through the assigned process and through the activity type.
13.13.5.1.3.4 Candidate
Standard Roles
The table below shows the standard roles that are used by SAP E-Recruiting for candidates.
Table 380: Standard Roles for Candidate Scenario

Role: SAP_RCF_UNREG_CANDIDATE_CLIENT
Description: Unregistered Candidate (Client) (Obsolete). This role contains the necessary authorizations for unregistered candidates/service users that are required on the front-end system when using a separated system (front-end and backend on different systems). If you execute unregistered scenarios directly on the backend system, you must also assign this role to the service user in the backend system.
Note: This role is obsolete and has been replaced with the role SAP_ERC_UNR_CAND_CLIENT_CI_4.

Role: SAP_ERC_UNR_CAND_CLIENT_CI_4
Description: Unregistered Candidate (Client)

Role: SAP_RCF_UNREG_CANDIDATE_SERVER
Description: Unregistered Candidate (Server). This role provides the necessary authorizations for an unregistered candidate/service user in SAP E-Recruiting that are required on the backend system when using a separated system (front-end and backend on different systems).

Role: SAP_RCF_UNREGISTERED_CANDIDATE
Description: (Unregistered) Candidate – Service User (Obsolete). This role provides the necessary authorizations for an unregistered candidate/service user in SAP E-Recruiting that are required when using the front-end and backend on one system.
Note: This role is obsolete and has been replaced with the role SAP_ERC_UNR_CANDIDATE_CI_4.

Role: SAP_ERC_UNR_CANDIDATE_CI_4
Description: Unregistered Candidate

Role: SAP_RCF_EXT_CANDIDATE_CLIENT
Description: External Candidate (Client) (Obsolete). This role contains the necessary authorizations for external candidates that are required on the front-end system when using a separated system (front-end and backend on different systems).
Note: This role is obsolete and has been replaced with the role SAP_ERC_EXT_CAND_CLIENT_CI_4.

Role: SAP_ERC_EXT_CAND_CLIENT_CI_4
Description: External Candidate (Client)

Role: SAP_RCF_EXT_CANDIDATE_SERVER
Description: External Candidate (Server). This role provides the necessary authorizations for an external candidate in SAP E-Recruiting that are required on the back-end system when using a separated system (front-end and backend on different systems).

Role: SAP_RCF_EXTERNAL_CANDIDATE
Description: External Candidate (Obsolete). This role may only display its own data. The role can only see job postings that you published via publications using the external posting channels.
Note: This role is obsolete and has been replaced with the role SAP_ERC_EXT_CANDIDATE_CI_4.

Role: SAP_ERC_EXT_CANDIDATE_CI_4
Description: External Candidate

Role: SAP_RCF_INT_CANDIDATE_CLIENT
Description: Internal Candidate (Client) (Obsolete). This role contains the necessary authorizations for internal candidates that are required on the front-end system when using a separated system (front-end and backend on different systems). If you allow internal candidates direct access to the backend system, you must also assign this role to the reference user for internal candidates in the backend system.
Note: This role is obsolete and has been replaced with the role SAP_ERC_INT_CAND_CLIENT_CI_4.

Role: SAP_ERC_INT_CAND_CLIENT_CI_4
Description: Internal Candidate (Client)

Role: SAP_RCF_INT_CANDIDATE_SERVER
Description: Internal Candidate (Server). This role provides the necessary authorizations for an internal candidate in SAP E-Recruiting that are required on the back-end system when using a separated system (front-end and backend on different systems).

Role: SAP_RCF_INTERNAL_CANDIDATE
Description: Internal Candidate (Obsolete). This role may only display its own data. The role can only see job postings that you published via publications using the internal posting channels.
The role does not have access to the following data:
● Requisition data
● Posting data
● Application data
● Data for the selection process
Note: This role is obsolete and has been replaced with the role SAP_ERC_INT_CAND_CLIENT_CI_4.

Role: SAP_ERC_INT_CAND_CLIENT_CI_4
Description: Internal Candidate
SAP _ RCF _ ESS _SR_ERC_CI_4 E-Recruiting Services for ESS (WDA) (Obsolete)
This role contains the authorizations in SAP E-Recruiting for
employees that use E-Recruiting services in ESS WDA (Em
ployee Self-Service Web Dynpro ABAP).
Note
This role is obsolete and has been replaced with the role
SAP _ERC_ INT _ CAND _CLIENT_CI_4.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by SAP E-Recruiting.
For more information, see the documentation for SAP E-Recruiting under Authorizations (Recruitment).
Table 381: Standard Authorization Objects

Authorization Object: P_RCF_APPL
Field: RCF_APPL
Value: SAP E-Recruiting applications
Description: Authorization object that specifies within SAP E-Recruiting which SAP E-Recruiting applications a user can call. The authorization object is used for the (internal and external) candidates' applications.

Authorization Object: R_RCF_VIEW
Field: RCF_VIEW
Value: SAP E-Recruiting data overviews
Description: Authorization object that specifies within SAP E-Recruiting which data overviews a user can access.

Authorization Object: P_RCF_STAT
Fields: OTYPE, RCF_STAT
Value: SAP E-Recruiting objects and permitted object status
Description: Authorization object that specifies within SAP E-Recruiting the authorization for making status changes to SAP E-Recruiting objects (for example, candidate, application, candidacy).

Authorization Object: P_RCF_ACT
Field: ACTVT
Value: Add or Create; Change; Delete
Description: Authorization object that specifies within SAP E-Recruiting which type of access a user can have to activities. An activity in SAP E-Recruiting is identified by the process it is assigned to and by its activity type.
Table 382: Additional Standard Authorization Objects when Using Candidate Scenario with Front-end and Backend on Separate Systems

Authorization Object: S_RFC
Fields: ACTVT, RFC_NAME, RFC_TYPE
Description: Authorization object for RFC access. It is checked in the system that receives the RFC call, that is, in the backend system for calls coming from the candidate front-end. (For more information, see the documentation for Authorization Object S_RFC.)

Authorization Object: S_RFCACL
Fields: ACTVT, RFC_CLIENT, RFC_EQUSER, RFC_INFO, RFC_SYSID, RFC_TCODE, RFC_USER
Description: Authorization check for RFC users that log on through a trusted system connection (Trusted System). Because a trusted connection carries no password, this object in the trusting (backend) system is what restricts which calling system, client, and user may use it; keep RFC_SYSID, RFC_CLIENT, and RFC_USER as narrow as possible rather than using the value *. (For more information, see the documentation for Authorization Object S_RFCACL.)

Authorization Object: S_ICF
Field: ICF_FIELD
Value: Internet Communication Framework Service
Description: Authorization checks for using services in the Internet Communication Framework (SICF), for calling remote function modules using an RFC destination (SM59), and for configuring proxy settings (SICF). (For more information, see the documentation for Authorization Object S_ICF.)
You can use the authorization object S_ICF to safeguard the use of RFC destinations and access to individual SICF services.
13.13.5.1.4 Session Security Protection
Definition
To prevent access in JavaScript or plug-ins to the SAP logon ticket and security session cookies, we recommend activating secure session management.
We also highly recommend using SSL/TLS to protect the network communications over which these security-relevant cookies are transferred.
Session Security Protection on the AS ABAP
To prevent access in JavaScript or plug-ins to the SAP logon ticket and security session cookies (SAP_SESSIONID_<sid>_<client>), activate Secure Session Management. With an existing security session, users can then start applications that require a user logon without logging on again. When a security session is ended, the system also ends all applications that are linked to this security session.
Use the transaction SICF_SESSIONS to specify the parameter values shown in the table below in your AS ABAP system:
Table 383: Session Security Protection Profile Parameters

Profile Parameter: icf/set_HTTPonly_flag_on_cookies
Recommended Value: 0
Comment: Client-dependent. For this parameter, the value 0 means that the HttpOnly attribute is set on all cookies that the ICF issues; it is the most restrictive setting, not a deactivation.

Profile Parameter: login/ticket_only_by_https
Recommended Value: 1
Comment: Not client-dependent. The logon ticket cookie (MYSAPSSO2) is then issued with the Secure attribute, so browsers send it only over HTTPS.

For more information and detailed instructions, see section Activating HTTP Security Session Management on AS ABAP in the AS ABAP security documentation.
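As an added check (example code written for this editing pass, not SAP's), the following Python script parses the Set-Cookie headers of a response from an ICF service and reports whether the security session cookie and the logon ticket carry the HttpOnly and Secure attributes that the two parameters above are meant to produce. The response headers are constructed sample data; the cookie names SAP_SESSIONID_<sid>_<client> and MYSAPSSO2 are the only SAP specifics assumed.

```python
"""Check the Set-Cookie headers of an AS ABAP (ICF) response for the HttpOnly
and Secure attributes on the security session cookie and the SAP logon ticket.

Added example, not SAP code. SAMPLE_HEADERS is constructed sample data; the
only SAP specifics assumed are the cookie names SAP_SESSIONID_<sid>_<client>
and MYSAPSSO2.
"""
import re
from dataclasses import dataclass

# SAP_SESSIONID_<SID>_<client>, e.g. SAP_SESSIONID_ERD_100
SESSION_COOKIE = re.compile(r"^SAP_SESSIONID_[A-Z0-9]{3}_\d{3}$")
LOGON_TICKET = "MYSAPSSO2"


@dataclass
class Finding:
    cookie: str
    httponly: bool
    secure: bool

    @property
    def ok(self) -> bool:
        """Both attributes present: not readable from script, not sent over plain HTTP."""
        return self.httponly and self.secure


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (cookie name, set of lower-case attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def is_security_relevant(name: str) -> bool:
    return name == LOGON_TICKET or SESSION_COOKIE.match(name) is not None


def audit_cookies(set_cookie_headers):
    """One Finding per security-relevant cookie; other cookies are ignored."""
    findings = []
    for value in set_cookie_headers:
        name, attrs = parse_set_cookie(value)
        if is_security_relevant(name):
            findings.append(Finding(name, "httponly" in attrs, "secure" in attrs))
    return findings


def weak_cookies(set_cookie_headers):
    """Names of security-relevant cookies that lack HttpOnly or Secure."""
    return [f.cookie for f in audit_cookies(set_cookie_headers) if not f.ok]


# Constructed sample: Set-Cookie values a browser might receive after logging
# on to an ICF service. The logon ticket below has neither attribute, i.e. the
# parameters in Table 383 have not taken effect for this client.
SAMPLE_HEADERS = [
    "sap-usercontext=sap-client=100; path=/",
    "SAP_SESSIONID_ERD_100=AbCdEf0123456789abcdef; path=/; HttpOnly; Secure",
    "MYSAPSSO2=AjQxMDMBABhEAEUAVgBFAEwATwBQ; path=/; domain=.example.com",
]

if __name__ == "__main__":
    for f in audit_cookies(SAMPLE_HEADERS):
        status = "ok" if f.ok else "WEAK"
        print(f"{f.cookie}: HttpOnly={f.httponly} Secure={f.secure} -> {status}")
```

To run it against a real system, replace SAMPLE_HEADERS with the Set-Cookie values that curl -i or the browser's developer tools show after logon. A logon ticket without Secure while login/ticket_only_by_https is 1, or a session cookie without HttpOnly while icf/set_HTTPonly_flag_on_cookies is 0, means the setting has not taken effect for the client you are testing; remember that the HttpOnly parameter is client-dependent.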
13.13.5.1.5 Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, intruders cannot use those layers to compromise the machines and gain access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for SAP E-Recruiting is based on the topology used by the SAP NetWeaver platform.
Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also
apply to SAP E-Recruiting. Details that specifically apply to SAP E-Recruiting are described in the following topics:
● Communication Channel Security
This topic describes the communication paths and protocols used by SAP E-Recruiting.
● Network Security
This topic describes the recommended network topology for SAP E-Recruiting. It shows the appropriate
network segments for the various client and server components and where to use firewalls for access
protection. It also includes a list of the ports needed to operate SAP E-Recruiting.
● Communication Destinations
This topic describes the information needed for the various communication paths, for example, which users
are used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide:
● Network and Communication Security
● Security Aspects for Connectivity and Interoperability
13.13.5.1.5.1 Communication Channel Security
Use
The table below shows the communication channels used by SAP E-Recruiting, the protocol used for the connection, and the type of data transferred.
Table 384: Communication Paths

Communication Path: Front-end client that uses SAP GUI for Windows to the application server
Protocol Used: DIAG
Type of Data Transferred: All Customizing data
Data Requiring Special Protection: Passwords

Communication Path: Front-end client that uses a Web browser to the application server
Protocol Used: HTTP, HTTPS (we generally recommend that you use HTTPS)
Type of Data Transferred: All application data
Data Requiring Special Protection: Passwords, personal data

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using SSL/TLS (HTTPS). Without SNC or HTTPS, passwords, logon tickets, session cookies, and candidates' personal data cross the network unencrypted.
Recommendation
We strongly recommend that you use secure protocols (SSL/TLS, SNC) where possible.
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
Print
SAP E-Recruiting has numerous options for printing contents. For information about security when printing, see the SNC User's Guide under http://service.sap.com/security → Security in Detail → Infrastructure Security.
13.13.5.1.5.2 Network Security
Definition
You can operate SAP E-Recruiting in different ways. You can run the front end and backend for candidates’ users
on different systems. You can also operate SAP E-Recruiting and the HR system integrated on one system or on
different instances.
We recommend that you run the front end and backend of candidates’ users on different systems and that you do
not integrate SAP E-Recruiting and the HR system on one system.
Firewall Settings
For more information, see Using Firewall Systems for Access Control in the SAP NetWeaver Security Guide.
Ports
SAP E-Recruiting runs on SAP NetWeaver and uses the ports from AS ABAP. For more information, see the topics
for AS ABAP Ports in the corresponding SAP NetWeaver Security Guides.
For other components, for example, SAPinst, SAProuter, or SAP Web Dispatcher, see also the document TCP/IP Ports Used by SAP Applications, which is located on the SAP Service Marketplace at http://service.sap.com/ under Products → Database & Technology → Security → Infrastructure Security.
13.13.5.1.5.3 Communication Destinations
The following sections provide an overview of the communication destinations that are relevant for the users in the SAP E-Recruiting roles.
13.13.5.1.5.3.1 Communication Destinations (Recruiter, Administrator, and Data Entry Clerk)
The following table provides an overview of the communication destinations that SAP E-Recruiting uses.
You use the following communication destinations depending on which application you use to manage your HR master data:
● If you use the SAP GUI transactions to maintain HR master data (for example, transactions PA*), communication with SAP E-Recruiting runs via RFC connections.
● If you use the HR Administrative Services application, communication with SAP E-Recruiting runs via SAP PI (Process Integration).
Table 385: Communication Destinations (Recruiter, Administrator, and Data Entry Clerk)

Destination: SAP E-Recruiting to SAP Human Resources Management
Delivered: No
Type: RFC
User, Authorizations: See Customizing
Description: Customizing: SAP E-Recruiting → Applicant Tracking → Activities → Set Up Data Transfer for New Employees

Destination: From SAP Human Resources Management to SAP E-Recruiting
Delivered: No
Type: RFC
User, Authorizations: See Customizing
Description: SAP E-Recruiting → Technical Settings → SAP ERP Central Component (ECC) Integration → Software Runs on Different Instances → Set Up Data Transfer from SAP ECC

Destination: From SAP E-Recruiting to TREX
Delivered: No
Type: RFC
User, Authorizations: See Customizing
Description: SAP E-Recruiting → Technical Settings → User Administration → Create Special Users; SAP E-Recruiting → Technical Settings → Search Engine → Set Up Search Engine for E-Recruiting

Destination: From SAP E-Recruiting to HR Administrative Services
Delivered: No
Type: XI messages
Description: Transfer external candidate's data when hiring

Destination: From HR Administrative Services to SAP E-Recruiting
Delivered: No
Type: XI messages
Description: Return personnel number of former external candidate to SAP E-Recruiting

Note
Changes to the HR master data are transferred to SAP E-Recruiting using the master data distribution in the ALE scenario.
13.13.5.1.5.3.2 Communication Destinations for Manager Involvement
The following table provides an overview of the communication destinations that SAP E-Recruiting uses for Manager Involvement.
Table 386: Communication Destinations for Manager Involvement (Manager Self-Service)

Destination: From HR system (Manager Self-Service) to SAP E-Recruiting
Delivered: No
Type: RFC
User, Authorizations: See Customizing
Description: SAP Customizing Implementation Guide → Integration with Other SAP Components → Business Packages / Functional Packages → Manager Self Service → Recruitment → Create RFC Connection to E-Recruiting System

In the HR system, the methods of the CL_IM_HRRCF_REQUI_REQUEST class use the RFC connection to call function modules in the E-Recruiting system. When you restrict the user of this RFC destination with S_RFC in the E-Recruiting system, the function modules listed below are the ones it must be allowed to call.
The IF_HRASR00GEN_SERVICE_ADVANCED~FLUSH method transfers information from the requisition request form to the corresponding infotypes of SAP E-Recruiting.
The method calls the following function modules in the E-Recruiting system:
● HRRCF_MDL_UIS_ATT_TYPE_GET
● ERC_SE_REQUI_CREATE_RC
The IF_HRASR00GEN_SERVICE~GET_HELP_VALUES method fills the value helps for input fields in the requisition request form with values from SAP E-Recruiting.
The method calls the following function modules in the E-Recruiting system:
● HRRCF_MDL_UIS_VH_COMMON
● HRRCF_GET_MANAGERS_FOR_SUBST
● HRRCF_MDL_VH_EMPLOYMENT_FRACT
● HRRCF_MDL_VH_SALARY_CURRENCY
● HRRCF_MDL_VH_SALARY_RANGE
● HRRCF_MDL_VH_CONTRACT_TYPE
● HRRCF_MDL_UIS_SUPPORT_GRPS_GET
The IF_HRASR00GEN_SERVICE~DO_OPERATIONS method determines the manager's substitutes in SAP E-Recruiting. In addition, you can use the method to determine a user in SAP E-Recruiting for a personnel number.
The method calls the following function modules in the E-Recruiting system:
● HRRCF_GET_MANAGERS_FOR_SUBST
● HRRCF_MDL_UIS_USER_GET
● HRRCF_MDL_UIS_ASSIGNED_GRP_GET
13.13.5.1.5.3.3 Communication Destinations (Candidates)
The following table provides an overview of the communication destinations that SAP E-Recruiting uses for the candidate scenario with the front-end and backend on separate systems.
Table 387: Communication Destinations (Candidates)

Destination: SAP E-Recruiting (front-end) to SAP E-Recruiting (backend)
Delivered: No
Type: RFC
User, Authorizations: See Customizing
Description: SAP E-Recruiting → Technical Settings → User Interfaces → Candidate → Frontend Candidate → Enter RFC Destination of Receiving Backend System. You enter the RFC destination as the value of the RECFA UI2BL parameter.

Destination: SAP E-Recruiting (backend) to SAP E-Recruiting (front-end)
Delivered: No
Type: RFC
User, Authorizations: See Customizing
Description: SAP E-Recruiting → Technical Settings → User Interfaces → Candidate → Backend Candidate → Specify System Parameters for Web Dynpro. You enter the RFC destination as the value of the RECFA BL2UI parameter.

Note that the communication destination "SAP E-Recruiting (front-end) to SAP E-Recruiting (backend)" is defined as a trusted system connection. No user credentials are stored in this destination; the calling user is propagated to the backend, and the backend decides through the S_RFCACL authorization (see Table 382) which front-end system, client, and users it accepts. For more information, see consulting note 1017866.
13.13.5.1.6 Internet Communication Framework Security
You should only activate those services that are needed for the applications running in your system. For SAP E-Recruiting, the following services are needed for the relevant roles:
● Administrator and Recruiter
○ All services with the prefix ERC in the path /default_host/sap/bc/webdynpro/sap/
You activate the services in Customizing for SAP E-Recruiting under Technical Settings → User Interfaces → Administrator and Recruiter → General Settings → Determine E-Recruiting Services.
● Candidates
○ All services with the prefix hrrcf in the path /default_host/sap/bc/webdynpro/sap/
○ All services in the path /default_host/sap/bc/erecruiting/
○ All services with the prefix hrrcf_wd in the path /default_host/sap/bc/bsp/sap/
You activate the services in Customizing for SAP E-Recruiting under Technical Settings → User Interfaces → Candidate → Front-End Candidate → Specify E-Recruiting Services (Web Dynpro ABAP).
● Manager (within the framework of Manager Involvement)
○ /default_host/sap/bc/erecruiting/dataoverview
○ /default_host/sap/bc/webdynpro/sap/hrrcf_a_dataoverview
○ /default_host/sap/bc/webdynpro/sap/hrrcf_a_requi_monitor
○ /default_host/sap/bc/webdynpro/sap/hrrcf_a_req_assess
○ /default_host/sap/bc/webdynpro/sap/hrrcf_a_tp_assess
○ /default_host/sap/bc/webdynpro/sap/hrrcf_a_qa_mss
○ /default_host/sap/bc/webdynpro/sap/hrrcf_a_substitution_manager
○ /default_host/sap/bc/webdynpro/sap/hrrcf_a_substitution_admin
You activate the services in Customizing for SAP E-Recruiting under Technical Settings → User Interfaces → Manager Involvement → Specify E-Recruiting Services for MSS.
If your firewall(s) use(s) URL filtering, also note the URLs used for the services and adjust your firewall settings accordingly.
For more information, see Activating and Deactivating ICF Services in the SAP NetWeaver documentation in SAP Library.
For more information about ICF security, see the RFC/ICF Security Guide.
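To audit a system against the lists above, here is an added Python example (not SAP code): it takes the service paths that are active in SICF, which you would export from the transaction, and reports which E-Recruiting role needs each one and which active services no E-Recruiting role needs. The active service list in the block is constructed sample data (two of its entries use made-up service names, marked as such); the allowlist is the one given in this section, with ICF's case-insensitive node names taken into account.

```python
"""Audit active ICF services against the services SAP E-Recruiting needs.

Added example, not SAP code. ACTIVE_SERVICES is constructed sample data
standing in for an export of active nodes from transaction SICF; NEEDED is
the allowlist given in this section of the guide.
"""

# Entries ending in "*" are name prefixes below a node (ICF node names are
# case-insensitive); other entries must match exactly.
NEEDED = {
    "Administrator and Recruiter": [
        "/default_host/sap/bc/webdynpro/sap/erc*",
    ],
    "Candidates": [
        "/default_host/sap/bc/webdynpro/sap/hrrcf*",
        "/default_host/sap/bc/erecruiting/*",
        "/default_host/sap/bc/bsp/sap/hrrcf_wd*",
    ],
    "Manager": [
        "/default_host/sap/bc/erecruiting/dataoverview",
        "/default_host/sap/bc/webdynpro/sap/hrrcf_a_dataoverview",
        "/default_host/sap/bc/webdynpro/sap/hrrcf_a_requi_monitor",
        "/default_host/sap/bc/webdynpro/sap/hrrcf_a_req_assess",
        "/default_host/sap/bc/webdynpro/sap/hrrcf_a_tp_assess",
        "/default_host/sap/bc/webdynpro/sap/hrrcf_a_qa_mss",
        "/default_host/sap/bc/webdynpro/sap/hrrcf_a_substitution_manager",
        "/default_host/sap/bc/webdynpro/sap/hrrcf_a_substitution_admin",
    ],
}


def normalize(path: str) -> str:
    """Canonical form for comparison: lower case, leading slash, no trailing slash."""
    p = path.strip().lower().rstrip("/")
    return p if p.startswith("/") else "/" + p


def matches(pattern: str, path: str) -> bool:
    pattern, path = normalize(pattern), normalize(path)
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def classify(active_services, needed=NEEDED):
    """Map each active service (normalized) to the roles that need it; [] if none."""
    result = {}
    for svc in active_services:
        roles = [role for role, patterns in needed.items()
                 if any(matches(p, svc) for p in patterns)]
        result[normalize(svc)] = roles
    return result


def unneeded(active_services, needed=NEEDED):
    """Active services no E-Recruiting role needs: deactivate them, or justify them for another application."""
    return sorted(s for s, roles in classify(active_services, needed).items() if not roles)


def firewall_urls(active_services, needed=NEEDED):
    """Service paths a URL-filtering firewall must let through for E-Recruiting."""
    return sorted(s for s, roles in classify(active_services, needed).items() if roles)


# Constructed sample export. The two entries marked "made-up" are not real
# service names; the others are listed in this section or are standard nodes.
ACTIVE_SERVICES = [
    "/default_host/sap/bc/webdynpro/sap/ERC_SAMPLE_APP",          # made-up name
    "/default_host/sap/bc/webdynpro/sap/hrrcf_a_requi_monitor",
    "/default_host/sap/bc/webdynpro/sap/hrrcf_a_substitution_admin",
    "/default_host/sap/bc/erecruiting/dataoverview/",
    "/default_host/sap/bc/bsp/sap/hrrcf_wd_sample",                # made-up name
    "/default_host/sap/bc/gui/sap/its/webgui",
    "/default_host/sap/public/info",
]

if __name__ == "__main__":
    for svc, roles in classify(ACTIVE_SERVICES).items():
        print(f"{svc}: {', '.join(roles) if roles else 'NOT NEEDED by E-Recruiting'}")
```

The prefix entries (ERC, hrrcf, hrrcf_wd) are deliberately broad, so a service that this script attributes to a role is not automatically one your installation uses; the output is a starting point for the review, and anything it reports as not needed is a candidate for deactivation unless another application on the system requires it.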
13.13.5.1.7 Data Storage Security
Data Storage
The SAP E-Recruiting data is saved as follows:
● If you use SAP E-Recruiting integrated with other SAP applications, the data is saved in the SAP Web AS or SAP ECC databases.
● If you use SAP E-Recruiting as a standalone application, the data is saved directly in the SAP E-Recruiting databases. You do not require any other databases in addition to this standard.
SAP E-Recruiting stores the data in the following locations:
Table 388: Data Storage Locations
Data: Master Data; Location: PD infotype tables
Data: Attachments and user-defined texts; Location: Knowledge Provider (KPro)
Data: Search query logs; Location: Cluster table PCL_RCF (SI)
Data: Audit Trails; Location: Cluster table PCL_RCF (SI)
Data: Infotype Log; Location: Cluster table PCI_RCF (IL)
Cookies
The application runs in a Web browser. The SAP Web AS must be able to issue cookies as well as accept them.
13.13.5.1.8 Enterprise Services Security
The following chapters in the SAP NetWeaver Security Guide and documentation are relevant for all enterprise
services delivered with SAP E-Recruiting:
● Security Guide Web Services
● Recommended WS Security Scenarios
● SAP Process Integration Security Guide
13.13.5.1.9 Other Security-Relevant Information
Virus Scan when Uploading Attachments
SAP E-Recruiting allows the user to upload files as attachments at various points in the application. Since attachments can contain viruses, these viruses could enter your system when the attachments are uploaded. To reduce this risk as much as possible, we recommend that you use an external virus scanner and restrict the MIME types of the attachments.
In the Virus Scan when Uploading Documents Customizing activity, you activate the virus scan profile /PAOC_RCF_BL/HTTP_UPLOAD that SAP E-Recruiting uses to perform a virus check when uploading attachments. In this way, you can include external virus scanners to increase the security of your system.
You can use the Business Add-In (BAdI) HRRCF00_DOC_UPLOAD to check files that are uploaded as attachments to the E-Recruiting system. In its CHECK_ATTACH_FILE_TYPE method you specify which MIME types are permitted for the attachments. You reach the BAdI through the BAdI: Upload Documents Customizing activity. Check the file content as well, not only the declared MIME type or the file extension, because both of those are supplied by the uploading client.
Accessing Attachments using Microsoft Internet Explorer
If you use Microsoft Internet Explorer to view attachments in the browser, note that Internet Explorer inspects the contents of the attachment to determine the file type and to display the attachment (MIME type sniffing). Malicious files of an undesirable file type could therefore be displayed in the browser, for example as HTML containing script, or cause damage in some other way. To avoid this potential threat, deselect MIME type sniffing in the security settings of Microsoft Internet Explorer. Independently of the browser setting, a server can instruct browsers not to sniff by sending the response header X-Content-Type-Options: nosniff together with a correct Content-Type.
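The following added Python example (not the BAdI implementation and not SAP code) shows the check that a CHECK_ATTACH_FILE_TYPE implementation should perform: the declared MIME type must be on an allowlist, and the file extension and the first bytes of the content must agree with it, so that an HTML file renamed to .pdf is rejected even though its declared type and extension look fine. It also rejects content that starts with the right signature but carries HTML markup in the bytes a sniffing browser inspects. The allowlist, signatures, and sample uploads are constructed for illustration; this check complements the virus scan, it does not replace it.

```python
"""Content-aware attachment type check, the kind of logic a CHECK_ATTACH_FILE_TYPE
implementation should apply: the declared MIME type must be allowlisted, and the
file extension and the leading bytes must agree with it.

Added example, not SAP code and not the BAdI itself. ALLOWED and SAMPLES are
constructed for illustration; adjust the allowlist to the types you accept.
"""
from dataclasses import dataclass

# Allowed MIME type -> (permitted extensions, magic-byte prefixes that prove it)
ALLOWED = {
    "application/pdf": ({".pdf"}, [b"%PDF-"]),
    "image/png": ({".png"}, [b"\x89PNG\r\n\x1a\n"]),
    "image/jpeg": ({".jpg", ".jpeg"}, [b"\xff\xd8\xff"]),
}

# Markup in the first bytes that a sniffing browser may render as HTML/script.
SCRIPTABLE_MARKERS = (b"<script", b"<html", b"<!doctype html", b"<?php")


@dataclass
class Upload:
    filename: str       # as sent by the client
    declared_type: str  # Content-Type as sent by the client
    content: bytes


def extension(filename: str) -> str:
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def check_attach_file_type(upload: Upload):
    """Return (accepted, reason). Everything the client declares is verified against the content."""
    declared = upload.declared_type.split(";")[0].strip().lower()
    if declared not in ALLOWED:
        return False, f"MIME type {declared!r} not permitted"
    exts, magics = ALLOWED[declared]
    if extension(upload.filename) not in exts:
        return False, "file extension does not match declared MIME type"
    head = upload.content[:512]
    if not any(head.startswith(m) for m in magics):
        return False, "content does not match declared MIME type"
    if any(marker in head.lower() for marker in SCRIPTABLE_MARKERS):
        return False, "content contains markup a browser may sniff as HTML"
    return True, "ok"


# Constructed sample uploads
SAMPLES = [
    Upload("cv.pdf", "application/pdf", b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n"),
    Upload("photo.png", "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    # HTML renamed to .pdf: declared type and extension pass, the bytes do not.
    Upload("cv.pdf", "application/pdf",
           b"<html><script>alert(document.cookie)</script></html>"),
    # Correct magic bytes but HTML smuggled into the bytes a sniffer inspects.
    Upload("scan.pdf", "application/pdf", b"%PDF-1.4\n<html><script>alert(1)</script>"),
    # Type not on the allowlist at all.
    Upload("macro.docm", "application/vnd.ms-word.document.macroenabled.12", b"PK\x03\x04"),
]


def accepted_filenames(samples=SAMPLES):
    """Filenames of the samples that pass the check."""
    return [u.filename for u in samples if check_attach_file_type(u)[0]]


if __name__ == "__main__":
    for u in SAMPLES:
        ok, why = check_attach_file_type(u)
        print(f"{u.filename:12} {u.declared_type:45} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Magic-byte prefixes are a strong signal for binary formats but not a proof of safety: a file can be a valid PDF and still carry active content, which is why the virus scan profile and a browser that does not sniff remain necessary alongside this check.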
13.13.5.1.10 Security-Relevant Logging and Tracing
Application Log
SAP E-Recruiting uses the logging and tracing mechanisms from SAP NetWeaver. SAP E-Recruiting writes exceptions to the Application Log. These exceptions can occur due to failed authorization checks, for example, and are therefore relevant for security.
For information about the logging and tracing mechanisms of SAP NetWeaver Application Server (ABAP), see Application Logging under Auditing and Logging in the SAP NetWeaver documentation.
You can access the part of the application log specific to SAP E-Recruiting by using the transaction SLG1 (Analyze Application Log) and entering the parameter Object = HRRCF.
Audit Trail
SAP E-Recruiting creates an audit trail with the candidate profile and search queries. For more information, see Access Audit Trails.
13.13.5.1.11 Services for Security Lifecycle Management
The following services are available from SAP Active Global Support to assist you in maintaining security in your
SAP systems on an ongoing basis.
Security Chapter in the EarlyWatch Alert (EWA) Report
This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you:
● Whether SAP Security Notes have been identified as missing on your system.
In this case, analyze and implement the identified Notes, if possible. If you cannot implement the Notes, the
report should be able to help you decide on how to handle the individual cases.
● Whether an accumulation of critical basis authorizations has been identified.
In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not,
correct the situation. If you consider the situation okay, you should still check for any significant changes
compared to former EWA reports.
● Whether standard users with default passwords have been identified on your system.
In this case, change the corresponding passwords to non-default values.
Security Optimization Service (SOS)
The Security Optimization Service can be used for a more thorough security analysis of your system, including:
● Critical authorizations in detail
● Security-relevant configuration parameters
● Critical users
● Missing security patches
This service is available as a self-service within the SAP Solution Manager or as a remote or on-site service. We
recommend you use it regularly (for example, once a year) and in particular after significant system changes or in
preparation for a system audit.
Security Configuration Validation
The Security Configuration Validation can be used to continuously monitor a system landscape for compliance to
predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers
configuration parameters, but it also covers critical security properties like the existence of a non-trivial Gateway
configuration or making sure standard users do not have default passwords.
Security in the RunSAP Methodology / Secure Operations Standard
With the E2E Solution Operations Standard Security service, a best practice recommendation is available on how to operate SAP systems and landscapes in a secure manner. It guides you through the most important security operation areas and links to detailed security information from SAP's knowledge base wherever appropriate.
Additional Information
For more information about these services, see:
● SAP EarlyWatch Alert: http://service.sap.com/ewa
● SAP Security Optimization Service / Security Notes Report: http://service.sap.com/sos
● Comprehensive list of SAP Security Notes: http://service.sap.com/securitynotes
● Configuration Validation: http://service.sap.com/changecontrol
● RunSAP Roadmap, including the Security and the Secure Operations Standard: http://service.sap.com/
runsap (See the RunSAP chapters 2.6.3, 3.6.3, and 5.6.3.)
13.13.5.2 Performance Management
About This Chapter
This chapter of the Security Guide provides an overview of the security-relevant information for the Performance Management (PA-PD-PM) application component.
Note
In this chapter, the name Performance Management is used synonymously with Objective Setting and Appraisals. Both names correspond to the technical application component ID PA-PD-PM.
Overview of the Main Sections of This Chapter
The following sections contain the security-relevant information that is specific to “Performance Management”:
● Important SAP Notes
This section provides information on why security is necessary and how the document is used, as well as
references to other Security Guides on which this Security Guide is based.
● Security Aspects for Data, Data Flow, and Processes
This section provides an overview of the security aspects of the most frequently used processes in
Performance Management.
● Authorizations
This section provides an overview of the authorization concept used for Performance Management.
● Network and Communication Security
This section provides an overview of the following aspects:
○ Communication Channel Security
○ Network Security
● Internet Communication Framework Security
This section provides an overview of the services for the Internet Communication Framework (ICF) used by
Performance Management.
● Data Storage Security
This section provides an overview of all critical data used by the scenario, component, and application as well
as the security mechanisms used.
● Other Security-Relevant Information
This section contains information on uploading and displaying attachments.
● Security-Relevant Logging and Tracing
This section provides an overview of the trace and log files that contain security-relevant information and that
enable you to reproduce activities, for example, if there is a security violation.
13.13.5.2.1 Technical System Landscape
Overview of the technical system landscape for Performance Management:
● Front-end system: Web Dynpro for ABAP applications in Manager Self-Service and Employee Self-Service
● Back-end system: Customizing for the Objective Setting and Appraisals application component (for example, Customizing for applications using Web Dynpro technology for ABAP)
● Back-end system: Transactions for administrators and HR specialists
● Download of documents from the back-end system in Knowledge Provider (KPro)
● Workflow
Example: Sending notifications to managers or employees
● SAP Interactive Forms by Adobe
For offline processing of the appraisal document (downloading and uploading of appraisal documents). For more information, see the SAP Interactive Forms by Adobe Security Guide.
● Printing of Appraisal Documents
○ SAP Smart Forms
○ PDF-based print form
For more information about the technical system landscape, see the sources listed in the table below.
Table 389: Sources of Information on the Technical System Landscape
Topic: Technical description of SAP ERP and basic components such as SAP NetWeaver; Guide/Tool: Master Guide; Quick link to SAP Service Marketplace or SDN: http://service.sap.com/instguides
Topic: High availability; Guide/Tool: High Availability for SAP Solutions; Quick link: http://sdn.sap.com/irj/sdn/ha
Topic: Design of the technical landscape; Guide/Tool: See available documents; Quick link: http://sdn.sap.com/irj/sdn/landscapedesign
Topic: Security; Guide/Tool: See available documents; Quick link: http://sdn.sap.com/irj/sdn/security
13.13.5.2.2 Security Aspects for Data, Data Flow, and
Processes
In Performance Management, data for the appraisal process are processed as follows:
● For managers, in the Manager Self-Service applications.
For more information about the Manager role, see the S/4HANA Security Guide and choose Human Resources → Self-Services → Manager Self-Service.
● For employees, in the Employee Self-Service applications.
For more information about the Employee role, see the S/4HANA Security Guide and choose Human Resources → Self-Services → Employee Self-Service.
Example
Managers as well as employees can work on appraisal documents in the applications (Web Dynpro for ABAP).
The system saves the relevant data to the database. The system saves attachments to files (such as appraisals
by an additional appraiser) in the Knowledge Provider (KPro).
13.13.5.2.3 Authorizations
Performance Management uses the authorization concept provided by SAP NetWeaver Application Server for
ABAP (AS ABAP). Therefore, the security recommendations and guidelines for authorizations detailed in the SAP
NetWeaver Security Guide ABAP also apply to Performance Management.
The SAP NetWeaver authorization concept is based on the assignment of authorization to users based on role.
For role maintenance, use the profile generator (transaction: Role Maintenance (PFCG)) on the SAP NetWeaver AS
for ABAP.
Note
For more information about creating roles, see Role Maintenance under Identity Management.
Authorizations for personnel appraisal implemented in Human Resources have a special significance. The
Performance Management application component uses objects from the following components, among others:
● Manager Self-Service
For more information, see Authorizations in Manager Self-Service.
● Employee Self-Service
For more information, see Authorizations in Employee Self-Service.
● Organizational Management
● Personnel Development
● Training and Event Management
● SAP Learning Solution
For more information, see Authorizations in SAP Learning Solution.
The Performance Management application component is therefore subject to the general authorization checks in
the corresponding application component. Furthermore, the object type Person (P) in Performance Management
is of central importance since this object type can be used for appraisers and appraisees (particularly for
personnel appraisals). This means that standard checks for people in the SAP system are also valid for
Performance Management. Furthermore, Performance Management has additional authorization aspects for
controlling authorizations in this application that are realized using specific authorization object and authorization
controlling in the Customizing settings for the appraisal template.
For more information about the authorization checks, see General Authorization Check and Structural Authorization Check (see SAP Library for S/4HANA and choose Human Resources → HR Tools → Authorizations for Human Resources).
13.13.5.2.3.1 SAP Standard Roles
The following SAP standard roles are used in Performance Management:
PFCG roles for the flexible appraisal process
● SAP_HR_HAP_PMG_ADMIN_SR - Administrator
The authorizations for this role include the following:
○ Applications based on Web Dynpro technology for ABAP, such as Configure User Interfaces for Template
(HAP_CONFIGURATION)
○ Transactions (for example, administrator functions (PHAP_ADMIN_PA), appraisal catalog
(PHAP_CATALOG_PA), Change Appraisal (PHAP_CHANGE_PA), Transport Appraisal Template
(PHAP_TRANSPORT))
● SAP_HR_HAP_PMG_MANAGER_SR - Manager
For example, this role contains the authorizations for applications based on Web Dynpro technology for
ABAP:
○ Appraisal Document (HAP_MAIN_DOCUMENT)
○ Employee Document Overview (HAP_START_PAGE_POWL_UI_MSS)
○ Application based on Web Dynpro technology for ABAP: Creation and Cascading of Team Goals
(HAP_A_PMP_GOALS)
● SAP_HR_HAP_PMG_EMPLOYEE_SR - Employee
For example, this role for employees contains the authorization for applications based on Web Dynpro
technology for ABAP:
○ Appraisal Document (HAP_MAIN_DOCUMENT)
○ Employee Document Overview (HAP_START_PAGE_POWL_UI_ESS)
● SAP_HR_HAP_PMG_GOALS_SR - Specialist for Corporate Goals
This role for applications based on Web Dynpro technology for ABAP contains authorization for the following:
Creation and Cascading of Corporate Goals and Core Values (HAP_A_PMP_GOALS)
PFCG roles for the Predefined Performance Management Process
● SAP_HR_HAP_PMP_ADMIN_SR - Administrator
The authorizations for this role include the following:
○ Applications based on Web Dynpro technology for ABAP (such as the creation wizard for appraisal
templates (HAP_A_TM_CONF), Edit Performance Management Process (HAP_A_PMP_TIMELINE))
○ Transactions (for example, administrator functions (PHAP_ADMIN_PA), appraisal catalog
(PHAP_CATALOG_PA), Change Appraisal (PHAP_CHANGE_PA), Transport Appraisal Template
(PHAP_TRANSPORT))
● SAP_HR_HAP_PMP_MANAGER_SR - Manager
For example, this role for managers contains the authorizations for applications based on Web Dynpro
technology for ABAP:
○ Appraisal Document (HAP_A_PMP_MAIN)
○ Employee Document Overview (HAP_A_PMP_OVERVIEW)
○ Application based on Web Dynpro technology for ABAP: Creation and Cascading of Team Goals
(HAP_A_PMP_OVERVIEW)
● SAP_HR_HAP_PMP_EMPLOYEE_SR - Employee
For example, this role for employees contains the authorization for applications based on Web Dynpro
technology for ABAP:
○ Appraisal Document (HAP_A_PMP_MAIN)
○ Employee Document Overview (HAP_A_PMP_EMPLOYEE)
● SAP_HR_HAP_PMP_GOALS_SR - Specialist for Corporate Goals
This role for applications based on Web Dynpro technology for ABAP contains authorization for the following:
Creation and Cascading of Corporate Goals and Core Values (HAP_A_PMP_GOALS)
Additional PFCG Roles
Note
The following roles are also available in the system. We recommend that you use the roles listed above instead
of these roles.
● SAP_HR_HAP_ADMINISTRATOR
(Administrator – Appraisals and objective setting agreements)
● SAP_HR_HAP_MANAGER
(Manager Flexible – Appraisals and objective setting agreements)
● SAP_HR_HAP_EMPLOYEE
(Employee Flexible – Appraisals and objective setting agreements)
Caution
You can display standard roles with the role maintenance transaction (PFCG). To adapt the roles to your
implementation, you must copy these standard roles into a customer-specific namespace. When you enter a new
name, note that it must not contain an SAP-reserved name (SAP, "_"). This ensures that a clear distinction can be
made between customer-specific roles and standard SAP roles.
13.13.5.2.3.2 Overview of Authorization Objects
In Performance Management, the following authorization objects are essential for enabling users to access the
application component for the following roles:
● Transaction authorizations (S_TCODE, P_TCODE)
● Access to HR master data (P_ORGIN/CON, P_PERNR)
● Access to objects in the Personnel Planning database (PLOG)
● Access to appraisals (P_HAP_DOC)
You can control the following for users with named roles using various authorization object fields:
● Activity (display, edit, delete)
● Object set (persons, appraisal templates)
● Content (infotypes)
For more information about structural authorizations, see SAP Library under ERP Central Component
Human Resources Personnel Management Personnel Administration Technical Processes in Personnel
Administration Authorizations for Human Resources .
13.13.5.2.3.2.1 Authorization Objects S_TCODE and P_TCODE
Authorization object that is used to check whether a user is authorized to start the different HR transactions. The
transaction code is checked.
Use
Regardless of the application, the authorization object S_TCODE is used to check authorizations for starting the
transactions defined for an application.
The authorization object P_TCODE is used to check the authorization for starting various HR transactions. The
additional check using P_TCODE provides added security for personal data and is therefore used for numerous
transactions in HCM applications (such as PA40, PHAP_CHANGE_PA). The authorization object P_TCODE is not
used in all HR transactions. Generally, it is used in HR applications where HR-specific authorization objects are not
checked when a transaction is called. For more information about this authorization object, see P_TCODE (HR
transaction code).
Necessary Setting for Performance Management:
Transaction code field: PHAP_*_PA (depending on role, specify exact transaction). For administrators, you must
include transactions starting with OOHAP_*.
For more information about the authorizations, see SAP Library under ERP Central Component Human
Resources Management Personnel Management Personnel Administration Technical Processes in Personnel
Administration Authorizations for Human Resources Management .
13.13.5.2.3.2.2 Authorization object PLOG (Personnel
Planning)
An authorization object that is used to check the authorization for specific fields in the Personnel Management
components (Organizational Management, Personnel Development, Training and Event Management, SAP
Learning Solution, and so on).
Use
Necessary Setting for Performance Management:
INFOTYP: 1000, 1001, 1002, 1048, 5020, 5021, 5022, 5023, 5024, 5025, 5026
ISTAT: 4, 3
OTYPE: VA, VB, VC
PLVAR: *
PPFCODE: Change for Customizing/Administrators, Display for End-Users
SUBTYP: 0001, 5020, A605, A606, A607, B605, B606, B607
Note
The object types have the following meaning:
● VA = Appraisal template
● VB = Criteria group
● VC = Criterion
The Customizing settings for the appraisal templates are made in the aforementioned infotypes (transaction
PHAP_CATALOG_PA). Therefore, end users must have at least read authorization for these infotypes. If the
appraisal templates include further object types as a result of using free enhancements (such as Add Business
Event Type) or fixed enhancements (such as Add Individual Development Plan Item), additional authorizations are
required for these object types, for example:
● Q = Qualifications
● O = Organizational unit
● S = Position
● C = Job
● D = Course type
● F = Location
● A = Work center
Since individual development plans can also include further standard object types and customer-specific object
types, you must also include these when setting up authorizations according to the particular implementation.
For more information on the authorizations, see the SAP Library under ERP Central Component Human
Resources Management Personnel Management Personnel Administration Technical Processes in Personnel
Administration Authorizations for Human Resources Management .
13.13.5.2.3.2.3 Authorization Object P_HAP_DOC
An authorization object used to check authorizations for accessing appraisal documents.
Use
Among other things, the distribution of authorization for appraisal templates and appraisal documents is
controlled using this authorization object. For more information about this authorization object, see P_HAP_DOC
(Appraisal Systems: Appraisal). The P_HAP_DOC authorization object contains the following fields, which are
tested during an authorization check:
Table 390:
Authorization Field | Description
ACTVT | Activity (display, change, delete)
PLVAR | Plan version (usually active plan version 01)
HAP_CAT_G | Appraisal category group ID (determines the appraisal category groups that a user can access). The appraisal category groups are contained in table T77HAP_C_GRP (process using transaction OOHAP_CAT_GROUP). For personnel appraisals, use category group 00000001 (see also SAP Note number 497773).
HAP_CAT | Appraisal category ID (determines the appraisal categories that a user can access). Appraisal categories are customer-specific and created in transaction PHAP_CATALOG_PA. They are saved in table T77HAP_C. You can display the numbering of the categories using transaction OOHAP_CATEGORY.
HAP_TEMPL | The appraisal template ID. An appraisal template is customer-specific and created in transaction PHAP_CATALOG_PA. It is an object of type VA. In this field, enter the eight-digit object ID from table HRP1000 of object type VA. This dictates the appraisal templates a user can access.
PROFL | Authorization profile. This field is only used if structural authorizations are used. (See Structural Authorizations in Performance Management).
Necessary Settings for Performance Management:
ACTVT: *
PLVAR: *
HAP_CAT_G: 00000001 (for personnel appraisals)
HAP_CAT: * (restrict by customer if necessary)
HAP_TEMPL: * (restrict by customer if necessary)
PROFL: *
Note
You should not assign the authorization object P_HAP_DOC on its own since it is only effective when used in
combination with other authorization objects. You must assign it together with the authorization objects PLOG
and P_ORGIN(CON). The authorization object PLOG enables users to access appraisal templates and the criteria
they contain (see Authorization Object PLOG [page 640]). The authorization object P_ORGIN(CON) enables users
to access HR data (see Authorization Object P_ORGIN / P_ORGINCON). The authorization object P_PERNR is
also required to enable users to access their own HR master data (for example, for ESS scenarios) (see
Authorization Object P_PERNR).
For more information about the authorizations, see SAP Library under ERP Central Component Human
Resources Management Personnel Management Personnel Administration Technical Processes in Personnel
Administration Authorizations for Human Resources Management .
13.13.5.2.3.2.4 Authorization Object P_ORGIN
An authorization object used to check the authorization for accessing HR master data.
Use
The checks are run when HR infotypes have to be processed or read. In Performance Management, the persons
for whom the user is allowed to process appraisal documents must be authorized via authorization object
P_ORGIN. The authorization check is run here using the following fields:
Table 391:
Authorization Field | Description
INFTY | Infotype
SUBTY | Subtype
AUTHC | Authorization level (such as read, write, matchcode)
PERSA | Personnel area (from infotype 0001)
PERSG | Employee group (from infotype 0001)
PERSK | Employee subgroup (from infotype 0001)
VDSK1 | Organizational key (from infotype 0001)
Necessary Settings for Performance Management:
INFTY: Usually, 0000, 0001, 0002 (depending on the organizational area for which the user is responsible)
SUBTY: *
AUTHC: Read and matchcode
PERSA: (depending on the organizational area for which the user is responsible)
PERSG: (depending on the organizational area for which the user is responsible)
PERSK: (depending on the organizational area for which the user is responsible)
VDSK1: (depending on the organizational area for which the user is responsible)
Note
The authorization object P_ORGIN provides the user with the necessary authorizations he or she needs to access
personnel data. This authorization object is mandatory, that is, you cannot define the use of this authorization
object as being optional by activating the structural authorizations in Performance Management (table T77S0,
switch HAP00/AUTHO). Rather, the structural authorizations comprise an additional filter for accessing appraisal
documents for the permitted set of persons (see Structural Authorizations in Performance Management [page
647]). To assign authorizations for accessing infotypes in the authorization object P_ORGIN, you do not need to
assign specific infotypes in Performance Management. From a technical perspective, it is sufficient in
Performance Management if a person is included in the permitted set defined by the fields PERSA, PERSG, PERSK,
and VDSK1. However, to ensure consistency for the user (for example, in the display of additional personal data in the
appraisal document, in the search function for persons with particular infotype values for filling out selection
criteria in Performance Management) it is generally beneficial to provide the user with authorizations for the
Actions (0000), Organizational Assignment (0001), and Personal Data (0002) infotypes for the persons for whom
the user is to process appraisal documents. It should not be necessary that a user is able to process a person’s
appraisal document but not read this person’s organizational assignment. Such a requirement is not logical from
the perspective of the process.
For more information on the authorizations, see the SAP Library under ERP Central Component Human
Resources Management Personnel Management Personnel Administration Technical Processes in Personnel
Administration Authorizations for Human Resources Management .
13.13.5.2.3.2.5 Authorization Object P_ORGINCON
An authorization object that is used during the authorization check for HR data. This check takes place when HR
infotypes are edited or read.
Use
You can use this authorization object if structural authorizations are to be checked in context when checking the
authorization to access HR master data. This authorization object is used for the authorization check for
personnel data. This check takes place when HR infotypes are edited or read. This authorization object consists of
the same fields as the authorization object P_ORGIN, and also includes the field PROFL (structural profile).
Running the check against this object enables user-specific contexts (using Organizational Management) to be
depicted in HR master data.
Figure 9: Example for context-sensitive authorization checks
The checks are made context-sensitive by controlling the various structural sets of persons to different contexts
as shown in the example above.
The PROFL field determines the structural profiles the user can access for a particular context. These structural
profiles must be assigned to the user in table T77UA.
If you use the Business Add-In (BAdI) HRBAS00_GET_PROFL, you do not need to maintain table T77UA manually.
This BAdI enables you to implement an alternative method for determining structural profiles. The example
source code in the standard system determines the user’s structural profiles by reading the values entered for the
authorization object P_ORGINCON in the user master record.
Structural authorizations in authorization object P_ORGINCON can also be used in combination with structural
authorizations in Performance Management (see structural authorizations in Performance Management).
For more information on the authorizations, see the SAP Library under ERP Central Component Human
Resources Management Personnel Management Personnel Administration Technical Processes in Personnel
Administration Authorizations for Human Resources Management .
13.13.5.2.3.2.6 Authorization Object P_PERNR
This authorization object is used to control the user’s access to his or her own personnel number and the related
HR data separately.
Use
The personnel number is assigned to the user in the Communication infotype (0105) (subtype 0001 System User
Name). Access to an employee’s own master data is used primarily in ESS scenarios in which the user is only to
have access to his or her own master data to edit or display this information. To enable access authorizations for
the employee’s own personnel number to be controlled using the authorization object P_PERNR, the main switch
must be activated in table T77S0 (transaction OOAC, switch AUTSW/PERNR). The authorization check is run for
the following fields:
Table 392:
Authorization Field | Description
INFTY | Infotype
SUBTY | Subtype
AUTHC | Authorization level (such as read, write, matchcode)
PSIGN | Interpretation of own personnel number (I, include own personnel number; E, exclude own personnel number)
Necessary Settings for Performance Management:
INFTY: Dummy–depends on the ESS scenarios used outside of Performance Management.
SUBTY: Dummy–depends on the ESS scenarios used outside of Performance Management.
AUTHC: *
PSIGN: I (include)
Note
If you use the authorization object P_PERNR, the authorization object P_ORGIN/CON is superfluous. That is, a
user who is to be permitted to access his or her own personnel number only (for example, for ESS scenarios), is
given all the authorizations required using the authorization object P_PERNR. Therefore, an additional setting for
the authorization object P_ORGIN/CON is not required. This also applies to Performance Management.
For more information on the authorizations, see the SAP Library under ERP Central Component Human
Resources Management Personnel Management Personnel Administration Technical Processes in Personnel
Administration Authorizations for Human Resources Management .
13.13.5.2.3.3 Structural Authorizations in Performance
Management
Special structural authorizations exist for Performance Management. These authorizations enable you to control
access to appraisal documents for persons from defined areas of Organizational Management.
This extended authorization check (structural, context-sensitive authorizations) is activated using the switch
HAP00/AUTHO in table T77S0. This switch is specific to Performance Management authorizations.
Example
Example A: Structurally controlled access
The standard SAP authorization check assumes that, once defined, the authorizations (such as change
appraisal documents) for a user always apply even when a manager takes on a substituting role for a different
organizational unit. If you activate the extended authorization check, you can dictate that a manager can
change appraisal documents for employees in his or her organizational unit while he or she can only display
appraisal documents for employees in the organizational unit for which he or she is a substitute.
Example
Example B: Structurally controlled access
A user has authorization to read the mini-master record for all employees at a company (P_ORGINCON for
infotypes 0000, 0001, 0002 for structural profile A, which is valid for the entire company). At the same time, this
user can maintain all infotypes for the employees in his or her area of responsibility, which is derived from a link
between his or her position and the organizational unit for which the user is a substitute (P_ORGINCON for all
infotypes for a structural profile B that is valid for the entire area of responsibility). You can use the
authorization object P_HAP_DOC to enable the user to display and change the appraisal documents for
employees in his or her area of responsibility (structural profile B) and to specify that the user cannot display or
change the appraisal documents for employees with structural profile A.
Example
Example C: Structurally and context-sensitively controlled access
A user has the structural profiles outlined in example B.
● Structural profile A for access across whole company
● Structural profile B for area of responsibility
You can also use the authorization object P_HAP_DOC to create a context-sensitive reference to the permitted
templates. This means the user can see appraisals from a certain appraisal template, such as qualification
checklists, for structural profile A, that is, company-wide. By defining a further setting for the authorization
object P_HAP_DOC, you can give the user authorization to access all appraisal templates (such as objective
setting agreements, assessments of potential, performance appraisals) that exist in his or her area of
responsibility (structural profile B) for the same user.
For more information about structural authorizations, see SAP Library under ERP Central Component
Human Resources Personnel Management Personnel Administration Technical Processes in Personnel
Administration Authorizations for Human Resources .
13.13.5.2.3.3.1 Activating HAP00/AUTHO and Using PA
Infotype Authorizations (P_ORGIN) without
Structural Authorizations
This combination means that structural restrictions are applied during authorization checks only for Performance
Management and the associated access to personnel appraisals. In contrast, no structural authorization checks
are used in Personnel Administration.
This means that when HAP00/AUTHO is active, a structural profile must be entered in the authorization object
P_HAP_DOC and the user must be entered together with this structural profile in table T77UA.
If, in this authorization object, the value * remains in the Authorization Profile field and the user has not been
entered in table T77UA, the system interprets this value as structural profile ALL. That is, the user has the
authorizations to access the same employee data as defined in the authorization object P_ORGIN. If no value, or
an invalid value, is entered in the Authorization Profile field for the authorization object P_HAP_DOC, the user
cannot access any personnel appraisals (he or she can, however, access the corresponding infotypes in Personnel
Administration).
Access using structural authorizations is only possible in Performance Management when a structural profile has
been entered in the authorization object P_HAP_DOC and the user entered in table T77UA has a valid entry for
this structural profile.
If this is the case, the structural authorizations function as follows:
● Filter Function
Example
In Personnel Administration, a user has authorization for all employees in employee subgroup AT
Employees. However, the user is to be able to display and process appraisal documents only for those AT
employees who are in his or her area of responsibility. To enable this, the structural profile for the user's
area of responsibility is entered in the authorization object P_HAP_DOC.
Explanation
The user can only access the personnel appraisals for persons included in his or her structural profile. You
can report on the objects that can be accessed using the report RHUSERRELATIONS (up to Release 4.7) or
using table T77UA (as of the Enterprise Release, using the Display Objects function).
This means that structural authorizations for Performance Management work like a filter for people
authorized by P_ORGIN: Users can see and process a certain number of people in Personnel
Administration via authorization object P_ORGIN. The user can display and maintain only those appraisal
documents for persons who are ALSO included in the structural profile of the authorization object
P_HAP_DOC (filter/subset).
● Context Sensitivity
Example
For persons in area A, a user is to be able to view and/or edit the appraisal template A, Objective Setting
Agreements, only. For persons in area B, the user is to be able to view and/or edit the appraisal template B,
Qualification Appraisals, only. This means that the user is not able to show or process the B appraisals, or
Qualification Appraisals, for employees from area A.
The role requires two instances of the authorization object P_HAP_DOC that differ in the following fields:
Table 393:
Appraisal Template Field | Authorization Profile Field
1. Proficiency Template A: Objective Setting Agreements | Structural Profile A: Area A
2. Proficiency Template B: Qualification Appraisals | Structural Profile B: Area B
Explanation
A distinction is made between the user's authorizations so that he or she can access different appraisal
templates and perform different activities in appraisal templates for the various areas in Organizational
Management (context sensitive).
Using report RHUSERRELATIONS (up to Release 4.7) or in table T77UA (as of Enterprise Release, Display
Objects function) you can determine the combination of structural profiles possible for the user (that is, for
which persons he or she can access a particular appraisal template and perform specific activities for this
appraisal template).
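The filter and context-sensitivity rules in this section, together with the ALL and invalid-profile cases above, as a small reference model (an added example, not SAP code). The object and field names (P_ORGIN, P_HAP_DOC, T77UA, ACTVT, HAP_TEMPL, PROFL) are the real ones; all persons, template IDs and profile names are constructed sample data, and the handling of PROFL "*" for a user who does have T77UA entries is an assumption flagged in the code.

```python
"""Reference model of the Performance Management authorization check
(added example, not SAP code).  SAP object and field names are real;
persons, template IDs and profile names are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Standard SAP activity codes; 06 (Delete) is the value the guide quotes for P_HAP_DOC.
ACTVT_CHANGE, ACTVT_DISPLAY, ACTVT_DELETE = "02", "03", "06"


@dataclass(frozen=True)
class HapDocAuth:
    """One instance of authorization object P_HAP_DOC (fields used here)."""
    actvt: FrozenSet[str]      # ACTVT values; "*" means all activities
    hap_templ: FrozenSet[str]  # HAP_TEMPL values (VA object IDs); "*" means all
    profl: Optional[str]       # PROFL: "*", a structural profile name, or ""/None


@dataclass
class User:
    name: str
    p_orgin_persons: Set[str]           # persons the user may read via P_ORGIN
    t77ua: Dict[str, Set[str]]          # T77UA: structural profile -> persons covered
    p_hap_doc: List[HapDocAuth] = field(default_factory=list)


def _matches(allowed: FrozenSet[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def resolve_profl(user: User, profl: Optional[str],
                  all_persons: Set[str]) -> Optional[Set[str]]:
    """Map the PROFL field of a P_HAP_DOC instance to the persons it covers.

    Rules stated in the guide:
      * empty or invalid PROFL -> no appraisal access at all (returns None)
      * "*" while the user has no T77UA entry -> structural profile ALL
    Assumption (not stated in the guide): "*" for a user who does have T77UA
    entries is taken as the union of the profiles assigned to that user.
    """
    if not profl:
        return None
    if profl == "*":
        if not user.t77ua:
            return set(all_persons)
        return set().union(*user.t77ua.values())
    if profl not in user.t77ua:
        return None  # profile named in the role but not assigned in T77UA
    return set(user.t77ua[profl])


def can_access_appraisal(user: User, person: str, template: str,
                         actvt: str, all_persons: Set[str]) -> bool:
    """Decide whether `user` may perform `actvt` on `person`'s document of `template`.

    The structural profile is a filter on the P_ORGIN set: the person must be
    authorized via P_ORGIN AND lie in the profile of some P_HAP_DOC instance
    whose ACTVT and HAP_TEMPL match.  Several instances with different
    template/profile pairs give the context-sensitive behaviour of Table 393.
    """
    if person not in user.p_orgin_persons:
        return False
    for inst in user.p_hap_doc:
        if not (_matches(inst.actvt, actvt) and _matches(inst.hap_templ, template)):
            continue
        covered = resolve_profl(user, inst.profl, all_persons)
        if covered is not None and person in covered:
            return True
    return False


# --- constructed sample data mirroring the "Context Sensitivity" example ---
TEMPLATE_A = "50000001"            # Objective Setting Agreements (constructed VA ID)
TEMPLATE_B = "50000002"            # Qualification Appraisals (constructed VA ID)
AREA_A = {"00001001", "00001002"}  # persons in Organizational Management area A
AREA_B = {"00002001", "00002002"}  # persons in area B
AT_OUTSIDE = {"00003001"}          # AT employee outside both areas
ALL_PERSONS = AREA_A | AREA_B | AT_OUTSIDE


def demo_user() -> User:
    """Manager with P_ORGIN for all AT employees and two P_HAP_DOC instances."""
    return User(
        name="MANAGER1",
        p_orgin_persons=set(ALL_PERSONS),
        t77ua={"PROFILE_A": set(AREA_A), "PROFILE_B": set(AREA_B)},
        p_hap_doc=[
            # 1. Template A only for Structural Profile A (area A)
            HapDocAuth(frozenset({"*"}), frozenset({TEMPLATE_A}), "PROFILE_A"),
            # 2. Template B only for Structural Profile B (area B)
            HapDocAuth(frozenset({"*"}), frozenset({TEMPLATE_B}), "PROFILE_B"),
        ],
    )


if __name__ == "__main__":
    u = demo_user()
    print(can_access_appraisal(u, "00001001", TEMPLATE_A, ACTVT_CHANGE, ALL_PERSONS))   # True
    print(can_access_appraisal(u, "00001001", TEMPLATE_B, ACTVT_DISPLAY, ALL_PERSONS))  # False
    print(can_access_appraisal(u, "00003001", TEMPLATE_A, ACTVT_DISPLAY, ALL_PERSONS))  # False
```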
13.13.5.2.3.3.2 Activating HAP00/AUTHO and Using
P_ORGINCON (with Structural HR
Authorizations)
This setting means that structural authorizations are used to control access to HR master data and personnel
appraisals in Performance Management.
To use the authorization object P_ORGINCON, activate the switch AUTSW/INCON in table T77S0.
You must also enter a structural profile in the authorization object P_ORGINCON and P_HAP_DOC.
The user requires a structural profile for all other object types in Organizational Management that do not belong to
Performance Management but for which the user nevertheless has authorization using the authorization object
PLOG.
In this combination, authorizations between HR master data and appraisals generally work in the same way as
described in Structural Authorizations in Performance Management [page 647]. In addition, further context-
sensitive authorization checks (in combination with structural profiles from Organizational Management) are
possible.
If you use both structural, context-sensitive authorization objects P_ORGINCON and P_HAP_DOC, note the
following:
● It is not sufficient to give the user a structural profile using authorization object P_HAP_DOC. To enable the
user to access employee master data, you must also make a setting for the authorization object
P_ORGINCON [page 644] (see also Authorization Object P_HAP_DOC [page 641]).
● You can give the user authorization to access a broader range of HR master data compared with appraisal
documents.
Example
In the profile for P_ORGINCON, a user can access the infotypes 0000, 0001, 0002 for all employees at the
company who belong to the employee subgroup AT. The structural profile ALL in the authorization object
P_ORGINCON (structural profile A) provides the user with this authorization. The user also has a further
instance of the authorization object P_ORGINCON that permits him or her to maintain all infotypes for
employees in his or her area of responsibility (structural profile B for defining the area of responsibility in
Organizational Management).
In the user profile for the authorization object P_HAP_DOC, the user is given authorization to access
appraisal documents for employees in his or her area of responsibility (structural profile B) as opposed to
for the entire company, 'ALL' profile (structural profile A). This ensures that the user can access the
appraisal documents for employees in his or her area of responsibility but not the appraisal documents for
employees who belong to the employee subgroup AT, which is valid for the whole company.
● If you use the BAdI HRBAS00_GET_PROFL as opposed to maintaining table T77UA manually (see also
Authorization Object P_ORGINCON [page 644]), note that you must also consider the structural profiles from
the authorization object P_HAP_DOC.
13.13.5.2.3.4 Controlling Authorizations and Access Using
Customizing
The following infotypes are displayed in the form of tab pages and control authorization and access:
● Column Access
● Processing
● Roles
13.13.5.2.3.4.1 Tab: Column Access (Infotype 5023)
On this tab page, you make the settings for access to columns within the (part) appraisal process. You specify
display and change authorizations for elements in the appraisal template. You make the following settings:
● You specify the column owner of each separate column group.
You can use an implementation of the BAdI HRHAP00_COL_OWNER to implement customer-specific column
access.
● You specify who is authorized to perform which activities in each phase of the appraisal process and which
columns are to be shown in the appraisal template.
You can only assign authorizations that are dependent on the various phases to either the column owner or all
other participants involved in the appraisal process. You define who has authorization to execute an activity in a
particular phase separately for column owners and all other participants. You can exclude the appraiser from the
setting so that he or she has access in every phase (see example below).
You can define the following column access authorizations, for example:
● Free column access for all participants during the entire appraisal process. This setting defines that all
participants can display all part appraisals at any time and make changes to the appraisal document.
● Change or display authorization for column owners only. This setting defines that only column owners can
display a column or make changes in a specific appraisal phase.
● On this tab page you can use input help to define that columns are only to be visible to certain participants in
the individual phases. To do this, choose the value Hide.
The infotype consists of:
● Checkbox: Default
Use input help to select default entries for access authorizations. Click on the Default Access button to
transfer the entries to the Column Access group box.
● Indicator: Changes
You can accept the transferred defaults without restriction or, if necessary, you can change entries in the
individual cells. If you make and save any changes, the changed field is marked with an indicator. This makes it
easier for you to identify whether these settings are default entries.
● Group box: Column Access
In this group box, you make the settings for column access.
Example
You depict a part appraisal process with one appraiser (manager), one appraisee (employee), and several part
appraisers (colleagues). In the Part Appraisal column, the Part Appraisee (employee) is the default column
owner. In the Part Appraisal phase, you assign the column owner change authorization and define that all other
participants do not have access during this phase of the part appraisal.
In many cases, you might want the manager to have at least display authorization. You can assign the manager
with the necessary authorizations (for example, Display for Appraiser, Hide for Others) by using input help. This
ensures that the column is not displayed for all other part appraisers and that the appraiser has display
authorization for the part appraisal column.
Note
● The column access defined for the Part Appraisal (PAPP) and Final Appraisal (FAPP) columns is possible
when one of the following columns is present in the appraisal template:
○ In Process
○ Completed
○ Approved
○ Rejected
● The Objective Setting (OBJ0) column comprises all objective setting columns (OBJ* and QBH*). The Part
Appraisal (PAPP) column comprises the Part Appraisal Weighting (PWGT) and Part Appraisal (PAPP)
columns. This is because the SAP system always processes the relevant columns simultaneously.
● If, for a particular phase, a user has Change access to the Objective Setting (OBJ0) column, he or she can
use the Free Enhancement function. If this column is not present, the SAP system checks whether the user
has Change access to the Final Appraisal (FAPP) column for this phase. If this is the case, the user can use
a Free Enhancement for this phase.
You can use an implementation of the BAdI HRHAP00_COL_ACCESS to define customer-specific column
access.
13.13.5.2.3.4.2 Tab: Processing (Infotype 5025)
● Setting: Self Appraisal Not Allowed
If this setting is activated, a user (that is, the user who is logged on) cannot simultaneously perform the roles
of appraiser and appraisee.
● Setting: No Authorization Check for Appraiser
If this setting is activated, no authorization check is performed for the appraiser. This means that even if a
user does not have authorization for the appraiser's person, he or she can nevertheless display and edit all
appraisal documents that include this appraiser.
Example
An administrator has access only to the HR master data of employees in the employee subgroup Salaried
Employees. That is, he or she can display and edit the appraisal documents for these employees. However,
these employees can be appraised by an employee from a different employee subgroup (such as Managing
Employees). In this case, the administrator does not have access to the appraiser's person. To enable the
administrator to nevertheless evaluate and edit appraisal documents for employees in the Salaried Employees
subgroup, you use the setting No Authorization Check for Appraiser. Consequently, the appraiser's data is
not checked for authorization and the administrator can also access the appraisal documents of appraisers in
different areas.
● Setting: Processing Archived Appraisal Documents
Archived appraisal documents are completed appraisal documents. This setting determines whether
completed appraisal documents can be deleted in transaction PHAP_CHANGE_PA. If you want this to be
possible, select Delete or Reset and Delete. If you do not want this to be possible, select Do Not Reset or
Delete.
To delete completed appraisal documents in transaction PHAP_CHANGE_PA, the user must also have the
relevant authorization in authorization object P_HAP_DOC (value 06 - Delete).
Regardless of this Customizing setting and of the user's authorizations for activity 06 - Delete, the user can
always delete completed appraisal documents in transaction PHAP_ADMIN_PA, provided that he or she is
permitted to start this transaction. Authorization to start PHAP_ADMIN_PA is therefore the effective control
over deletion of completed documents; assign it restrictively.
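The following Python model reproduces the column-access and processing-tab rules described above so that a template configuration can be reasoned about outside the system: per-phase column access by role, the most permissive access for a user holding several roles, the Free Enhancement fallback from OBJ0 to FAPP, the Self Appraisal Not Allowed switch, and the No Authorization Check for Appraiser switch. It is an added example, not SAP code and not the behavior of a specific SAP function module. The role and phase names, the sample template and document, and the has_hr_auth_for callback (which stands in for the HR master-data authorization check on a participant's person) are assumptions made for the example.

```python
"""Model of the appraisal-template access rules (added example, not SAP code).
Roles, phases, sample data and the has_hr_auth_for callback are assumptions."""

from dataclasses import dataclass, replace

HIDE, DISPLAY, CHANGE = "Hide", "Display", "Change"
_RANK = {HIDE: 0, DISPLAY: 1, CHANGE: 2}


@dataclass
class Template:
    columns: frozenset                 # column IDs present in the template
    column_access: dict                # (column, phase, role) -> HIDE/DISPLAY/CHANGE
    self_appraisal_not_allowed: bool = False
    no_auth_check_for_appraiser: bool = False

    def access(self, column, phase, role):
        """Access of one role to one column in one phase. Roles without an
        entry get Hide; a column absent from the template yields None."""
        if column not in self.columns:
            return None
        return self.column_access.get((column, phase, role), HIDE)

    def has_change(self, column, phase, role):
        return self.access(column, phase, role) == CHANGE

    def free_enhancement_allowed(self, phase, role):
        """Change on OBJ0 grants Free Enhancement; FAPP is only consulted
        when the template has no OBJ0 column at all."""
        if "OBJ0" in self.columns:
            return self.has_change("OBJ0", phase, role)
        return self.has_change("FAPP", phase, role)


@dataclass
class Document:
    appraiser: str
    appraisee: str
    part_appraisers: tuple = ()


def roles_of(user, doc):
    roles = set()
    if user == doc.appraiser:
        roles.add("Appraiser")
    if user == doc.appraisee:
        roles.add("Appraisee")
    if user in doc.part_appraisers:
        roles.add("Part Appraiser")
    return roles or {"Others"}


def effective_access(user, doc, template, column, phase):
    """A user holding several roles gets the most permissive of them."""
    levels = [template.access(column, phase, r) for r in roles_of(user, doc)]
    levels = [lvl for lvl in levels if lvl is not None]
    return max(levels, key=_RANK.get) if levels else None


def may_access_document(user, doc, template, has_hr_auth_for):
    """Processing-tab checks. has_hr_auth_for(user, person) models the HR
    master-data authorization check on a person (assumption, not a specific
    SAP check). The appraiser check is skipped when the template says so."""
    roles = roles_of(user, doc)
    if template.self_appraisal_not_allowed and {"Appraiser", "Appraisee"} <= roles:
        return False, "self appraisal not allowed"
    if not has_hr_auth_for(user, doc.appraisee):
        return False, "no authorization for the appraisee's person"
    if not template.no_auth_check_for_appraiser and not has_hr_auth_for(user, doc.appraiser):
        return False, "no authorization for the appraiser's person"
    return True, "ok"


# Constructed sample: no OBJ0 column, so Free Enhancement depends on FAPP.
SAMPLE_TEMPLATE = Template(
    columns=frozenset({"PAPP", "FAPP"}),
    column_access={
        ("PAPP", "Part Appraisal", "Part Appraiser"): CHANGE,
        ("PAPP", "Part Appraisal", "Appraiser"): DISPLAY,   # Display for Appraiser, Hide for Others
        ("FAPP", "Final Appraisal", "Appraiser"): CHANGE,
        ("FAPP", "Final Appraisal", "Appraisee"): DISPLAY,
    },
    self_appraisal_not_allowed=True,
)
RELAXED_TEMPLATE = replace(SAMPLE_TEMPLATE, no_auth_check_for_appraiser=True)
SAMPLE_DOC = Document(appraiser="manager", appraisee="employee",
                      part_appraisers=("colleague1", "colleague2"))

# Constructed HR authorization: the administrator may see salaried employees only,
# and the appraising manager is not in that subgroup.
SALARIED = {"employee", "colleague1", "colleague2"}


def admin_auth(user, person):
    return user == "hr_admin" and person in SALARIED
```

With the sample data, the administrator is refused the document because the appraiser's person is outside his or her HR authorization; the same call against RELAXED_TEMPLATE succeeds, which is exactly the widening the No Authorization Check for Appraiser setting introduces.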
13.13.5.2.3.4.3 Tab: Roles (Infotype 5024)
The Roles tab defines which roles in the appraisal templates are to be used for part appraisals.
You can use roles to define the relationship between the part appraiser and appraisee in the appraisal process.
You can edit roles explicitly in the SAP system or have a BAdI (HRHAP00_SELECTION) determine the roles from
the enterprise's organizational structure.
You can use roles to restrict or control part appraisal authorizations at the level of individual elements. You make
the relevant settings for individual elements in the Customizing settings for the Roles tab. If, for example, you do
not use the role Colleague for a particular element in the appraisal template, this element cannot be appraised by
the appraisee's colleague.
This allows you to differentiate between the manager's part appraisal authorizations and the employee's part
appraisal authorizations in relation to part appraisal columns in the same appraisal template.
Caution
The roles to be used in the appraisal process must be selected at category and appraisal-template level.
Example
Roles delivered in the standard system:
● Colleague
The SAP system uses the organizational structure to identify this role. It interprets all employees located
on the same hierarchical level of the organizational structure as colleagues.
Caution
Organizational Management must be implemented.
● Manager
The SAP system uses the organizational structure to identify this role. It interprets the employee with a
managerial function who is located one level higher than the employee in the hierarchical structure as the
manager.
Caution
Organizational Management must be implemented.
● Self
The SAP system identifies this role using the user and, if required, the user's personnel number (from the
Communication infotype (0105)). The SAP system can only read the personnel number via the user.
Caution
The Communication infotype (0105) must be available for people.
13.13.5.2.3.4.4 BSP-Specific Authorization Checks
For information about the authorizations for the BSP application, see SAP Note 616900.
13.13.5.2.3.4.5 BAdI for Authorization Checks
The BAdI HRHAP00_AUTHORITY is delivered for extended authorization checks; implement it to add
customer-specific checks.
13.13.5.2.4 Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the
communication necessary for your business needs without allowing unauthorized access. A well-defined network
topology can eliminate many security threats based on software flaws (at both the operating system level and
application level) or network attacks such as eavesdropping. If users cannot log on to your application or database
servers at the operating system or database layer, intruders have no direct path to the machines and to the
back-end system's database or files. Additionally, if users are not able to connect to the server LAN (local area
network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for Performance Management is based on the topology used by the SAP NetWeaver
platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security
Guide also apply to Performance Management. Details that specifically apply to Performance Management are
described in the following topics:
● Communication Channel Security
This topic describes the communication paths and protocols used by Performance Management.
● Network Security
This topic describes the recommended network topology for Performance Management. It shows the
appropriate network segments for the various client and server components and where to use firewalls for
access protection. It also includes a list of the ports needed to operate Performance Management.
For more information, see the following sections of the SAP NetWeaver Security Guide:
● Network and Communication Security
● Security Aspects for Connectivity and Interoperability
13.13.5.2.4.1 Communication Channel Security
The table below shows the communication paths used by Performance Management, the protocol used for the
connection, and the type of data transferred.
Table 394:
Communication Paths | Protocol Used | Type of Data Transferred | Data Requiring Particular Protection
Front-end client with SAP GUI for Windows for the application server | DIAG | All application data | Passwords and personal data
Front-end client with a Web browser for the application server | HTTP, HTTPS | All application data | Passwords and personal data
Upload document | HTTP, HTTPS | XML document | Personal data
SAP Business Information Warehouse (SAP BW) | Extractor program | Performance Management data | -
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using HTTPS, that is, the Secure Sockets Layer (SSL) protocol and its successor TLS.
Recommendation
We strongly recommend that you use secure protocols (SSL/TLS, SNC) where possible.
For more information, see the SAP NetWeaver Security Guide under Transport Layer Security.
Printing
Performance Management provides options for printing content. For information about security while printing,
see the SNC User's Guide. You can find this at http://service.sap.com/security by looking under Security in
Detail Infrastructure Security.
13.13.5.2.4.2 Network Security
Ports
Performance Management runs on SAP NetWeaver and uses the ports from the AS ABAP. For more information,
see the topic for AS ABAP Ports in the corresponding SAP NetWeaver Security Guides. For other components, for
example, SAPinst, SAProuter, or the SAP Web Dispatcher, see also the document TCP/IP Ports Used by SAP
Applications, which is located on the SAP Service Marketplace at http://service.sap.com/ under Products
Database & technology Security Infrastructure Security .
13.13.5.2.5 Internet Communication Framework Security
You should only activate those services that are needed for the applications running in your system. For the
Manager and Employee roles in Performance Management, all services with the prefix HAP in the path
/default_host/sap/bc/webdynpro/sap/ are required:
● HAP_CONFIGURATION - Configuration
● HAP_DOCUMENT_LINK - Web Dynpro application hap_document_link
● HAP_MAIN_DOCUMENT - Appraisal Document
● HAP_QUALIFICATION_PROFILE - Application for Qualification Profile
● HAP_START_PAGE_POWL_UI_MSS - Web Dynpro application HAP_START_PAGE_POWL_UI_MSS
● HAP_START_PAGE_POWL_UI_ESS - Web Dynpro application HAP_START_PAGE_POWL_UI_ESS
Use the transaction Maintain Services (SICF) to activate these services.
If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings
accordingly.
For more information, see Activating and Deactivating ICF Services in the SAP NetWeaver documentation in SAP
Library.
For more information about ICF security, see RFC/ICF Security Guide.
13.13.5.2.6 Data Storage Security
Data Storage
The Performance Management data is stored in the database of the SAP NetWeaver Application Server or the
S/4HANA system. You do not need to use any other databases in addition to this standard database.
Table 395: Performance Management stores the data in the following locations:
Data Storage Location
Appraisal Templates PD infotype tables
Cascaded goals PD infotype tables
Data from appraisal documents HRHAP* tables
Attachments Knowledge Provider (KPro)
Download PDF File system of client
13.13.5.2.7 Other Security-Relevant Information
Access to attachments via Microsoft Internet Explorer
If you use Microsoft Internet Explorer and want to display attachments in the browser, Microsoft Internet
Explorer inspects the content of the attachment to determine the file type and display the attachment accordingly
(MIME Type Sniffing). In the worst case, a damaging file of an undesired file type is therefore displayed in the
browser or causes damage in another way. To avoid this potential threat, deselect MIME Type Sniffing in the
security settings of Microsoft Internet Explorer.
13.13.5.2.8 Security-Relevant Logging and Tracing
Performance Management uses logging and tracing mechanisms from SAP NetWeaver in the appraisal
document. These mechanisms are described in detail under Auditing and Logging.
You can specify the following in the appraisal template:
● Whether data is to be logged at all
● How detailed the logging of access to appraisal documents is
● How detailed the logging of changes to appraisal documents is
Changes to appraisal templates are logged using change documents.
13.13.5.3 Talent Management and Talent Development
About This Chapter
This chapter of the Security Guide provides an overview of the security-relevant information for Talent
Management and Talent Development (PA-TM).
Overview of the Main Sections of This Chapter
The following sections contain the security-relevant information that is specific to Talent Management and Talent
Development:
● Important SAP Notes
This section lists the most important SAP Notes with regard to the security of Talent Management.
● Authorizations
This section provides an overview of the authorization concept used for Talent Management.
● Network and communication security
This section provides an overview of the following aspects:
○ Communication Channel Security
○ Communication Destinations
● Internet Communication Framework Security
This section provides an overview of the services for the Internet Communication Framework (ICF) used by
Talent Management.
● Data Storage Security
This section provides an overview of the critical data used by Talent Management, as well as the security
mechanisms used.
● Security for Third-Party or Additional Applications
This section contains security information that applies to third-party or additional applications that are
implemented together with Talent Management.
● Other Security-Relevant Information
This section contains information on uploading and displaying attachments.
13.13.5.3.1 Authorizations
Use
Talent Management uses the following authorization concepts:
● The SAP NetWeaver authorization concept, which assigns authorizations to users through roles
For this purpose, the roles mentioned under Standard Roles are available as a template. You can copy the
standard roles to the customer namespace and adjust them to suit your requirements. You use the profile
generator (transaction PFCG) to maintain roles.
● HR-specific concept for the structural authorization check
For this purpose, the authorization profiles mentioned under Standard Roles are available as a template. You
can use the authorization profiles as an example for creating your own authorization profiles and then assign
these profiles to the relevant users.
For more information about the authorization profiles, see Customizing for Talent Management and Talent
Development and choose Basic Settings Authorizations in Talent Management Define Structural
Authorizations.
For more information about the structural authorization check, see section Structural Authorization Check
(see SAP Library for S/4HANA and choose Human Resources HR Tools Authorizations for Human
Resources ).
Role and Authorization Concept for Talent Management
Standard Roles
The table below shows the standard roles and structural authorization profiles that can be used for Talent
Management.
Table 396: Standard Roles and Structural Authorization Profiles
Role | Description | Structural Authorization Profile
SAP_SR_TMC_TMS_6 | Authorizations for talent management specialists and talent management superusers (see Talent Management Specialist under Single Roles in Talent Management) | Talent Management Specialist: TMS_PROFILE; Talent Management Superuser: TMS_ALL
SAP_SR_TMC_MANAGER_6 | Authorizations for managers with regard to Talent Management activities (see Manager in Talent Management under Single Roles in Talent Management) | TMS_MAN_PROF
SAP_SR_TMC_EMPLOYEE_6 | Authorizations for employees with regard to Talent Management activities (see Employee in Talent Management under Single Roles in Talent Management) | None
For the documentation for the standard roles, see SAP Library for S/4HANA and choose Human Resources
Talent Management Talent Management and Talent Development Roles in Talent Management Single Roles
in Talent Management .
The table below shows the roles that we recommend you no longer use.
Table 397: Roles No Longer Recommended for Use
Role | Description | Note
SAP_TMC_TALENT_MANA_SPECIALIST | Authorizations for talent management specialists (see Talent Management Specialist under Single Roles in Talent Management) | This role is obsolete and was replaced by the role SAP_SR_TMC_TMS_6.
SAP_TMC_SUPER_TALENT_MANA_SPEC | Authorizations for talent management superusers (see Talent Management Superuser under Obsolete Single Roles in Talent Management) | This role is obsolete and was replaced by the role SAP_SR_TMC_TMS_6.
SAP_TMC_MANAGER | Authorizations for managers with regard to Talent Management activities (see Manager in Talent Management under Single Roles in Talent Management) | We recommend that you use the role SAP_SR_TMC_MANAGER_6 instead of this role.
SAP_TMC_EMPLOYEE | Authorizations for employees with regard to Talent Management activities (see Single Roles in Talent Management) | This role is obsolete and was replaced by the role SAP_SR_TMC_EMPLOYEE_6.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by Talent Management.
Table 398: Standard Authorization Objects
Authorization Object | Description | More Information
B_BUPA_RLT | Authorizations for business partner roles | Security Guide for SAP NetWeaver Application Server for ABAP under SAP Business Partner Security
CA_POWL | Authorizations for the personal object worklist (POWL) | SAP Library for S/4HANA under Cross-Application Functions in SAP ERP, Cross-Application Components, Personal Worklist, in the section Assign Authorizations (Standard POWL)
S_RFC | Authorization check upon RFC access | SAP NetWeaver Security Guide for Remote Function Call (RFC) and Internet Communication Framework (ICF) under Authorization Object S_RFC
S_WFAR_OBJ | ArchiveLink: Authorizations for accessing documents | SAP NetWeaver Library under SAP NetWeaver by Key Capability, Application Platform by Key Capability, ArchiveLink, in the section Authorizations
PLOG | Authorization object that checks the authorization for certain fields of Personnel Planning components (Organizational Management, Personnel Development, Training and Event Management, and so on) | SAP Library for S/4HANA under PLOG (Personnel Planning)
P_HAP_DOC | Authorization object that controls a user's access to appraisal templates | SAP Library for S/4HANA under P_HAP_DOC (Appraisal Systems: Appraisal)
P_ORGIN | Authorization object used to check the authorization for accessing HR infotypes | SAP Library for S/4HANA under P_ORGIN (HR: Master Data)
P_TCODE | Authorization object used to check whether a user is authorized to start various HR transactions | SAP Library for S/4HANA under P_TCODE (HR: Transaction Code)
P_PERNR | Authorization object used if different authorizations are to be assigned for accessing a user's personnel number | SAP Library for S/4HANA under P_PERNR (HR: Master Data - Personnel Number Check)
For the documentation for the authorization objects PLOG, P_HAP_DOC, P_ORGIN, P_TCODE, and P_PERNR, see
SAP Library for S/4HANA and choose Human Resources HR Tools Authorizations for Human Resources
Technical Aspects Authorization Objects .
Critical Combinations
● Talent Review Meetings
○ All users that have access to the personal object worklist (POWL) for talent review meetings may create
talent review meetings.
Note
In the standard SAP system, the POWL for talent review meetings is contained in the roles for talent
management specialists for SAP Enterprise Portal and SAP Business Client.
○ Users have display and change authorization for all talent review meetings to which they are assigned as
members of the support team. The POWL for talent review meetings provides users with a list of talent
review meetings, which they can display and edit.
Caution
All members of the support team for a talent review meeting have unrestricted access to all
information available within this talent review meeting (for example, to all assigned managers and
talents, and their profiles). When this information is accessed, there is no additional authorization
check within the talent review meeting.
○ Those users that have display or change authorization for the related infotype record of the Object
infotype (1000) also have display or change authorization for a talent review meeting. The infotype record
is identified by the RM (Talent Review Meeting) object type and the ID of the talent review meeting. Users
that have display authorization for this infotype record can call the talent review meeting in display mode.
Users with change authorization for this infotype record can call the talent review meeting in change
mode.
● Talent Search
○ To be able to use the search, a user must be a talent management specialist with an assigned area of
responsibility. This means that there must be a relationship 741 (Is Responsible For/Is in Area of
Responsibility Of) between the user's central person (object type CP) and at least one organizational unit
(object type O).
○ In Customizing, for the search fields that you want to use as search criteria, enter the infotype and the
object type, if required, to define which authorization object is used for the authorization check. These
settings specify whether this field is available to a user for selection in the search template and in the
search results.
Example
The user wants to use the talent group as a search criterion and search for all talents that are assigned
to a particular talent group. Therefore, the system checks whether the user has display authorization
for relationship 743 (Has Talent For/Comprises Talent) between the object types CP (Central Person)
and TB (Talent Group). To do so, it checks the authorization for the corresponding subtype of the
infotype Relationships (1001).
For more information, see Customizing for Talent Management and Talent Development and choose
Basic Settings Search Define Search Requests and Search Field Names .
○ In the search results, the system displays only the objects for which the user has authorization through
the authorization object PLOG as well as the corresponding structural authorization. For the object type
CP, the system also checks whether the user has display authorization for the infotype Organizational
Assignment (0001).
Note
If more than one person (object type P) is assigned to a central person (CP) (for example, employees in
concurrent employment), it is sufficient for the talent search if the user has display authorization for
one of these persons.
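The following Python model puts the talent search rules described above into one evaluable piece of logic: the search is available only to a user whose central person (CP) has at least one relationship 741 to an organizational unit (O); a talent group search requires display authorization for relationship 743 (a subtype of infotype 1001); the result set contains only central persons within the user's structural authorization, here taken as the responsible organizational units and their subordinate units, for which the user also has display authorization on the Organizational Assignment infotype (0001); and a CP with several persons (P), as in concurrent employment, is visible if one of those persons qualifies. It is an added example, not SAP code or the actual structural authorization check. The org tree, the person-level authorization sets, and all object IDs are constructed sample data; the relationship numbers 741 and 743 are the ones named in the text.

```python
"""Model of the talent search visibility rules (added example, not SAP code).
The org tree, authorization sets and IDs below are constructed sample data."""

# Constructed org hierarchy: unit -> subordinate units. Assumption: the real
# structure is evaluated through Organizational Management relationships.
ORG_CHILDREN = {
    "O-1000": ["O-1100", "O-1200"],
    "O-1100": ["O-1110"],
    "O-1110": [], "O-1200": [], "O-2000": [],
}
# (subject, relationship, object) triples; 741 = Is Responsible For, 743 = Has Talent For
RELATIONSHIPS = [
    ("CP-TMS1", "741", "O-1100"),
    ("CP-EMP1", "743", "TB-HIPO"),
    ("CP-EMP2", "743", "TB-HIPO"),
    ("CP-EMP3", "743", "TB-HIPO"),
    ("CP-EMP4", "743", "TB-HIPO"),
    ("CP-EMP5", "743", "TB-EXPERT"),
]
USER_CP = {"TMS1": "CP-TMS1", "TMS2": "CP-TMS2"}   # user -> central person
PERSONS_OF_CP = {                                   # CP -> persons P (several = concurrent employment)
    "CP-EMP1": ["P-1"], "CP-EMP2": ["P-2", "P-3"],
    "CP-EMP3": ["P-4"], "CP-EMP4": ["P-5", "P-6"], "CP-EMP5": ["P-7"],
}
PERSON_ORG = {"P-1": "O-1110", "P-2": "O-1200", "P-3": "O-2000",
              "P-4": "O-1100", "P-5": "O-1110", "P-6": "O-2000", "P-7": "O-1110"}
# Display authorization on Organizational Assignment (0001) per person (constructed)
IT0001_DISPLAY = {"TMS1": {"P-1", "P-3", "P-5", "P-7"}}
# Display authorization for relationship subtypes of Relationships (1001) (constructed)
IT1001_DISPLAY = {"TMS1": {"741", "743"}}


def area_of_responsibility(user):
    """Org units reachable through relationship 741, including their subtrees."""
    cp = USER_CP.get(user)
    stack = [o for s, r, o in RELATIONSHIPS if s == cp and r == "741"]
    area = set()
    while stack:
        unit = stack.pop()
        if unit not in area:
            area.add(unit)
            stack.extend(ORG_CHILDREN.get(unit, []))
    return area


def can_use_search(user):
    """A talent management specialist needs at least one area of responsibility."""
    return bool(area_of_responsibility(user))


def cp_visible(user, cp):
    """Structural authorization plus infotype 0001 display authorization,
    satisfied by any one of the persons assigned to the central person."""
    area = area_of_responsibility(user)
    allowed_persons = IT0001_DISPLAY.get(user, set())
    return any(PERSON_ORG.get(p) in area and p in allowed_persons
               for p in PERSONS_OF_CP.get(cp, []))


def search_talent_group(user, talent_group):
    """Central persons in the talent group that the user is allowed to see."""
    if not can_use_search(user):
        raise PermissionError(f"{user}: no area of responsibility (relationship 741)")
    if "743" not in IT1001_DISPLAY.get(user, set()):
        raise PermissionError(f"{user}: no display authorization for relationship 743")
    members = [s for s, r, o in RELATIONSHIPS if r == "743" and o == talent_group]
    return sorted(cp for cp in members if cp_visible(user, cp))
```

In the sample data CP-EMP2 stays hidden although the user may display P-3, because neither of its persons sits in the responsible org units; CP-EMP3 stays hidden for the opposite reason; CP-EMP4 is shown because one of its two persons satisfies both checks, which is the concurrent-employment rule from the note above.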
Additional Functions
You can deactivate specific authorization checks that are performed in the standard SAP system when assigning
employees (object type CP (Central Person)) to positions, job families, and talent groups. In the standard SAP
system, when such relationships are created, the system checks whether the user (in this case, the talent
management specialist) has the following authorizations:
● For assigning employees to positions:
Authorizations for
○ Employee (object type CP)
○ Position (object type S)
○ Relationship 740 (Is Successor Of)
● For assigning employees to job families:
Authorizations for
○ Employee (object type CP)
○ Job family (object type JF)
○ Relationship 744 (Has Potential For)
● For assigning employees to talent groups:
Authorizations for
○ Employee (object type CP)
○ Talent group (object type TB)
○ Relationship 743 (Has Talent For)
So that a talent management specialist is also able to create these relationships for employees (object type CP)
for which he or she does not usually have change authorization (because of his or her structural authorization
profile), the authorization check can be deactivated for employees for the respective employee assignment. The
talent management specialist then only needs the change authorization for the object (of the object type Position,
Job Family, or Talent Group) to which he or she wants to assign the employee, and for the relationship.
For more information, see Customizing for Talent Management and Talent Development and choose Basic
Settings Authorizations in Talent Management Deactivate Authorization Check When Assigning Employees .
13.13.5.3.2 Communication Channel Security
The table below shows the communication paths used by Talent Management, the protocol used for the
connection, and the type of data transferred.
Table 399:
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Front-end client with SAP GUI for Windows for the application server | DIAG | Customizing data | Passwords
Front-end client with a Web browser for the application server | HTTP(S) | Application data | Passwords, personal data
Front-end client with an SAP Business Client for the application server | HTTP(S) | Application data | Passwords, personal data
Connection of PDF-based print forms to the archive | HTTP(S) | Person-related data (such as an employee's photo) | -
SAP Business Information Warehouse (SAP BW) | Extractor program | HR master data, organizational data, Talent Management data | -
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using HTTPS, that is, the Secure Sockets Layer (SSL) protocol and its successor TLS.
Recommendation
We strongly recommend using secure protocols (SSL/TLS, SNC) whenever possible.
Note
If you convert the protocol from HTTP to HTTPS and implement PDF-based print forms, see SAP Note 1461447.
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
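The recommendation to use SNC and SSL/TLS is only effective if the unprotected listeners are actually closed. The following Python check, an added example that is not SAP code, reads an AS ABAP instance profile and reports the two things that usually undermine the recommendation: an icm/server_port_<n> entry that still offers PROT=HTTP beside the HTTPS port, and SNC that is enabled but still accepts DIAG or RFC logons without SNC. The parameter names snc/enable, snc/accept_insecure_gui, snc/accept_insecure_rfc and icm/server_port_<n> are real profile parameters; the profile text, the port numbers and the finding texts are constructed for the example, and the assumption that any value other than 0 for the two accept_insecure parameters (1, or U for per-user exceptions) deserves a finding is the author's.

```python
"""Transport-security check of an AS ABAP instance profile (added example,
not SAP code). The profile text below is constructed sample data."""

import re

SAMPLE_PROFILE = """\
# constructed instance profile fragment
SAPSYSTEMNAME = S4H
INSTANCE_NAME = D00
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=60
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=60
snc/enable = 1
snc/accept_insecure_gui = U
snc/accept_insecure_rfc = 0
"""


def parse_profile(text):
    """Profile lines are 'name = value'; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_port_spec(spec):
    """'PROT=HTTP,PORT=8000,TIMEOUT=60' -> {'PROT': 'HTTP', 'PORT': '8000', ...}"""
    opts = {}
    for item in spec.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            opts[key.strip().upper()] = value.strip()
    return opts


def check_transport_security(params):
    """Return a list of (parameter, finding) pairs; an empty list means no issue found."""
    findings = []
    # Every ICM listener with PROT=HTTP carries passwords and personal data in clear.
    for name, value in sorted(params.items()):
        if re.fullmatch(r"icm/server_port_\d+", name):
            opts = parse_port_spec(value)
            if opts.get("PROT", "").upper() == "HTTP":
                port = opts.get("PORT", "?")
                findings.append((name, f"cleartext HTTP listener on port {port}; use PROT=HTTPS"))
    # SNC must be on, and once it is on, unprotected DIAG/RFC logons must be refused.
    if params.get("snc/enable", "0") != "1":
        findings.append(("snc/enable", "SNC is off; DIAG and RFC connections are unprotected"))
    else:
        for name in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc"):
            value = params.get(name, "0")
            if value != "0":
                findings.append((name, f"value {value} still accepts logons without SNC"))
    return findings
```

Run against the sample profile, the check reports the plain HTTP port 8000 and the per-user exception on snc/accept_insecure_gui; the HTTPS port and the RFC setting pass.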
13.13.5.3.3 Communication Destinations
The table below shows an overview of the communication destinations used by Talent Management.
Table 400: Communication Destinations
Destination | Delivered | Type | Users, Authorizations | Description
Access to external applications for Talent Management | Yes | RFCs of the function group HRTMC_SERVICES | The following roles require authorization for the authorization object S_RFC to have access to external applications: SAP_TMC_TALENT_MANA_SPECIALIST, SAP_TMC_SUPER_TALENT_MANA_SPEC, SAP_TMC_MANAGER | The function group HRTMC_SERVICES contains the Remote Function Calls for external applications that can be used for Succession Planning, for example
Transfer of talent groups and successor assignments from SAP E-Recruiting to Talent Management | Yes | RFCs of the function group HRSCP_MIGRATION | To run the report RPTMC_MIGRATE_SUCCESSIONS or RPTMC_MIGRATE_TALENT_GROUPS, a user requires authorization for the authorization object S_RFC | The function group HRSCP_MIGRATION contains the Remote Function Calls for transferring talent groups and successor assignments from SAP E-Recruiting to Talent Management
Transfer of entries from the candidate profile in SAP E-Recruiting to the talent profile in Talent Management | Yes | RFCs of the function group HRSCP_TP_SYNC | To run the report RPTMC_TP_SYNC_EDU_WE_RCF, which calls the function module HRSCP_TP_SYNC_GET_EDU_WE_INFO, a user requires authorization for the authorization object S_RFC | The function group HRSCP_TP_SYNC contains the Remote Function Calls for synchronizing the talent profile in Talent Management with the candidate profile in SAP E-Recruiting
Jump from queries in SAP Business Information Warehouse (SAP BW) to the talent profile | Yes | RFC for transferring the MEM_ID from the BW system to the ERP system | The user requires authorization for the authorization object S_RFC | -
The table below shows the function modules that the reports use to transfer data to Talent Management:
Table 401: Function Modules for Transferring Data to Talent Management
Function Group | Function Module | Used by Report
HRSCP_MIGRATION | HRSCP_MIG_SCP_GET_ALL | Transfer Successor Assignments to Talent Management (RPTMC_MIGRATE_SUCCESSIONS)
HRSCP_MIGRATION | HRSCP_MIG_TG_GET_ALL | Transfer Talent Groups from E-Recruiting to Talent Management (RPTMC_MIGRATE_TALENT_GROUPS)
HRSCP_MIGRATION | HRSCP_MIG_TG_GET_DETAILS | Transfer Talent Groups from E-Recruiting to Talent Management (RPTMC_MIGRATE_TALENT_GROUPS)
HRSCP_MIGRATION | HRSCP_MIG_TG_GET_TALENTS | Transfer Talent Groups from E-Recruiting to Talent Management (RPTMC_MIGRATE_TALENT_GROUPS)
HRSCP_TP_SYNC | HRSCP_TP_SYNC_GET_EDU_WE_INFO | Synchronization of Talent Profile with Candidate Profile (RPTMC_TP_SYNC_EDU_WE_RCF)
13.13.5.3.4 Internet Communication Framework Security
You should only activate those services that are needed for the applications running in your system. For Talent
Management the following services are needed:
● Talent Management Specialist
○ default_host/sap/bc/webdynpro/sap/HRTMC_EMPLOYEE_PROFILE
○ default_host/sap/bc/webdynpro/sap/HRTMC_LONG_PROFILE
○ default_host/sap/bc/webdynpro/sap/hrtmc_rm_maintenance
○ default_host/sap/bc/webdynpro/sap/hrtmc_rm_presentation
○ default_host/sap/bc/webdynpro/sap/hrtmc_search
○ default_host/sap/bc/webdynpro/sap/hrtmc_side_by_side
○ default_host/sap/bc/webdynpro/sap/hrtmc_talent_group
○ default_host/sap/bc/webdynpro/sap/HRTMC_TA_DEV_PLAN
● Manager
○ default_host/sap/bc/webdynpro/sap/HRTMC_EMPLOYEE_PROFILE
○ default_host/sap/bc/webdynpro/sap/HRTMC_LONG_PROFILE
○ default_host/sap/bc/webdynpro/sap/hrtmc_side_by_side
○ default_host/sap/bc/webdynpro/sap/hrtmc_talent_group
○ default_host/sap/bc/webdynpro/sap/HRTMC_TA_ASSESSMENT
○ default_host/sap/bc/webdynpro/sap/HRTMC_TA_DASHBOARD
○ default_host/sap/bc/webdynpro/sap/HRTMC_TA_DEV_PLAN
○ default_host/sap/bc/webdynpro/sap/hrtmc_teamviewer
● Employee
default_host/sap/bc/webdynpro/sap/HRTMC_EMPLOYEE_PROFILE
Use the transaction SICF to activate these services.
If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings
accordingly. For more information, see Activating and Deactivating ICF Services.
For more information about Internet Communication Framework security, see RFC/ICF Security Guide.
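Both ICF lists in this guide, the HAP_* Web Dynpro services for Performance Management (section 13.13.5.2.5) and the HRTMC_* services per role for Talent Management above, say the same thing: activate exactly what the deployed roles need and nothing else. The following Python reconciliation, an added example that is not SAP code, compares a constructed export of service activation states under /default_host/sap/bc/webdynpro/sap/ with the services the deployed roles require and reports required services that are still inactive and HAP_/HRTMC_ services that are active although no deployed role needs them. The export format (path, tab, X for active) and the role-to-service mapping are assumptions; the service names are the ones listed in the two sections and are compared case-insensitively, as SICF does.

```python
"""ICF service reconciliation for Performance Management and Talent Management
(added example, not SAP code). The export below is constructed sample data."""

WEBDYNPRO_NODE = "/default_host/sap/bc/webdynpro/sap/"

# Services each role needs, taken from the two lists in this guide.
REQUIRED_BY_ROLE = {
    "PM_MANAGER_EMPLOYEE": {
        "HAP_CONFIGURATION", "HAP_DOCUMENT_LINK", "HAP_MAIN_DOCUMENT",
        "HAP_QUALIFICATION_PROFILE", "HAP_START_PAGE_POWL_UI_MSS",
        "HAP_START_PAGE_POWL_UI_ESS",
    },
    "TM_SPECIALIST": {
        "HRTMC_EMPLOYEE_PROFILE", "HRTMC_LONG_PROFILE", "hrtmc_rm_maintenance",
        "hrtmc_rm_presentation", "hrtmc_search", "hrtmc_side_by_side",
        "hrtmc_talent_group", "HRTMC_TA_DEV_PLAN",
    },
    "TM_MANAGER": {
        "HRTMC_EMPLOYEE_PROFILE", "HRTMC_LONG_PROFILE", "hrtmc_side_by_side",
        "hrtmc_talent_group", "HRTMC_TA_ASSESSMENT", "HRTMC_TA_DASHBOARD",
        "HRTMC_TA_DEV_PLAN", "hrtmc_teamviewer",
    },
    "TM_EMPLOYEE": {"HRTMC_EMPLOYEE_PROFILE"},
}
OWNED_PREFIXES = ("hap_", "hrtmc_")   # services that belong to these two applications

# Constructed export: one service per line, path <TAB> 'X' when active.
SAMPLE_EXPORT = """\
/default_host/sap/bc/webdynpro/sap/HAP_MAIN_DOCUMENT\tX
/default_host/sap/bc/webdynpro/sap/HAP_DOCUMENT_LINK\t
/default_host/sap/bc/webdynpro/sap/HAP_CONFIGURATION\tX
/default_host/sap/bc/webdynpro/sap/HAP_QUALIFICATION_PROFILE\tX
/default_host/sap/bc/webdynpro/sap/HAP_START_PAGE_POWL_UI_MSS\tX
/default_host/sap/bc/webdynpro/sap/HAP_START_PAGE_POWL_UI_ESS\tX
/default_host/sap/bc/webdynpro/sap/HRTMC_EMPLOYEE_PROFILE\tX
/default_host/sap/bc/webdynpro/sap/HRTMC_LONG_PROFILE\tX
/default_host/sap/bc/webdynpro/sap/hrtmc_side_by_side\tX
/default_host/sap/bc/webdynpro/sap/hrtmc_talent_group\tX
/default_host/sap/bc/webdynpro/sap/HRTMC_TA_ASSESSMENT\tX
/default_host/sap/bc/webdynpro/sap/HRTMC_TA_DASHBOARD\tX
/default_host/sap/bc/webdynpro/sap/HRTMC_TA_DEV_PLAN\tX
/default_host/sap/bc/webdynpro/sap/hrtmc_teamviewer\t
/default_host/sap/bc/webdynpro/sap/hrtmc_rm_maintenance\tX
/default_host/sap/bc/webdynpro/sap/hrtmc_search\tX
/default_host/sap/bc/ui5_ui5/sap/some_fiori_app\tX
"""


def parse_export(text):
    """service name (lower-case) -> active, for services directly below the Web Dynpro node."""
    state = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        path, _, flag = line.partition("\t")
        if path.startswith(WEBDYNPRO_NODE):
            name = path[len(WEBDYNPRO_NODE):].lower()
            if name and "/" not in name:
                state[name] = flag.strip() == "X"
    return state


def reconcile(state, deployed_roles):
    """Return (missing, excess): required-but-inactive and active-but-unneeded services."""
    needed = {s.lower() for role in deployed_roles for s in REQUIRED_BY_ROLE[role]}
    active = {name for name, is_active in state.items() if is_active}
    missing = sorted(needed - active)
    excess = sorted(name for name in active
                    if name.startswith(OWNED_PREFIXES) and name not in needed)
    return missing, excess
```

With only the Performance Management roles, the Talent Management manager and the employee deployed, the sample export yields two services to activate (HAP_DOCUMENT_LINK, hrtmc_teamviewer) and two specialist-only services to deactivate (hrtmc_rm_maintenance, hrtmc_search); the Fiori service outside the Web Dynpro node is out of scope and ignored.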
13.13.5.3.5 Data Storage Security
Data Storage
The Talent Management data is stored in the SAP NetWeaver Application Server or S/4HANA databases. You do
not need to use any other databases in addition to these standard databases.
Talent Management stores the data in the following locations:
Table 402: Data and Storage Locations
Data Storage Location
Master data, talent assessments HR infotype tables
Attachments, comments, calibration grid icon Knowledge Provider (KPro)
Business partner master data Business partner database
Employee photo ArchiveLink
Cookies
The application runs in a Web browser. The browser must accept the cookies that SAP NetWeaver Application
Server sets.
13.13.5.3.6 Security for Additional Applications
You can implement Talent Management together with the product SAP Talent Visualization by Nakisa. SAP Talent
Visualization by Nakisa provides users with a graphical and organization-oriented view of Succession Planning and
the job architecture.
Note
You need a separate license to use the product SAP Talent Visualization by Nakisa.
If you implement SAP Talent Visualization by Nakisa, the roles for the talent management specialist, the talent
management superuser, and the manager need the authorization for the authorization object S_RFC to be able to
access applications that call the HRTMC_SERVICES function group. This function group comprises the Remote
Function Calls (RFCs) for external applications such as SAP Talent Visualization by Nakisa. This authorization is
contained in the standard Talent Management roles. For more information about the standard roles, see
section Authorizations under Talent Management and Talent Development.
For information about the security of SAP Talent Visualization by Nakisa, see the documentation for this product.
The documentation is located on SAP Service Marketplace at http://service.sap.com/instguides SAP
Solution Extensions SAP Talent / Org Visualization by Nakisa .
13.13.5.3.7 Other Security-Relevant Information
Uploading and Displaying Attachments
Uploading Attachments
Talent Management uses the virus scan interface of SAP NetWeaver. You can use this interface to include external virus scanners to increase the security of your system.
For Talent Management, the virus scan profile /HCM_TMC/DOCUMENT_UPLOAD is available for checking that files or documents uploaded as attachments do not contain any viruses. This virus scan profile is not active in the standard SAP system. You first need to set up the virus scan interface in Customizing for SAP NetWeaver under Application Server > System Administration > Virus Scan Interface. To activate the virus scan profile, in Customizing for Talent Management and Talent Development, make the settings under Basic Settings > Attachments > Define Virus Scan Profiles.
For more information about the virus scan interface, see the SAP NetWeaver Library and choose SAP NetWeaver by Key Capability > Security > System Security, and then the Virus Scan Interface section.
You can also limit the size of files that are uploaded as attachments. To do so, in Customizing for Talent Management and Talent Development, make the settings under Basic Settings > Attachments > Assign Storage Locations and Maximum File Size.
Displaying Attachments Using Microsoft Internet Explorer
If you display attachments in a browser and use Microsoft Internet Explorer for this, Microsoft Internet Explorer
checks the content of the attachment to determine the file type and display the attachment correctly based on the
type (MIME Type Sniffing). In the worst case, it is thus possible that damaging files of an undesired file type are
displayed in the browser or cause damage in another way. To avoid this potential threat to security, deselect
MIME Type Sniffing in the security settings of Microsoft Internet Explorer.
13.13.5.4 Enterprise Compensation Management
About This Chapter
This chapter of the Security Guide provides an overview of the security-relevant information for the Enterprise
Compensation Management (PA-EC) application component.
Overview of the Main Sections of This Chapter
The following sections contain the security-relevant information that is specific to “Enterprise Compensation
Management”:
● Important SAP Notes
This section lists the most important SAP Notes with regard to the security of Enterprise Compensation
Management.
● Security Aspects for Data, Data Flow, and Processes
This section provides an overview of the security aspects of the most frequently used processes in Enterprise
Compensation Management.
● Authorizations
This section provides an overview of the authorization concept used for Enterprise Compensation
Management.
● Communication Channel Security
This section describes the communication paths and logs that Enterprise Compensation Management uses.
● Internet Communication Framework Security
This section provides an overview of the services for the Internet Communication Framework (ICF) used by
Enterprise Compensation Management.
● Data Storage Security
This section provides an overview of all critical data used by Enterprise Compensation Management, as well
as the security mechanisms used.
● Security-Relevant Logging and Tracing
This section provides an overview of the trace and log files that contain security-relevant information and that
enable you to reproduce activities, for example, if there is a security violation.
13.13.5.4.1 Security Aspects for Data, Data Flow, and
Processes
Enterprise Compensation Management uses applications based on the following technology:
Role: Manager
● Web Dynpro for ABAP in the applications in Manager Self-Service
● Interactive forms based on Adobe software (Interactive forms) in the Total Compensation Statement and
Compensation Review Statement applications.
For more information, see the guide for SAP Interactive Forms by Adobe under SAP Interactive Forms by
Adobe Security Guide.
For more information about the Manager role, see the S/4HANA Security Guide and choose the following path: Self-Services > Manager Self-Service.
Role: Employee
● Web Dynpro for ABAP in the applications in Employee Self-Service
● Interactive forms based on Adobe software (Interactive forms) in the Total Compensation Statement
application.
For more information, see the guide for SAP Interactive Forms by Adobe under SAP Interactive Forms by
Adobe Security Guide.
For more information about the Employee role, see the S/4HANA Security Guide and choose the following path: Self-Services > Employee Self-Service.
Role: Administrator
● SAP Graphical User Interface (SAP GUI) in Customizing for Enterprise Compensation Management and
administrative reports.
● Business Server Page (BSP) in the Top-Down Budgeting functions
During compensation planning, Enterprise Compensation Management sends e-mails via workflow. For information about workflow and sending e-mails, see Customizing for Enterprise Compensation Management and choose Compensation Administration > Workflow Settings.
For more information about the settings, see Customizing for Enterprise Compensation Management.
13.13.5.4.2 Authorizations
Use
Enterprise Compensation Management uses the following authorization concepts:
● SAP NetWeaver authorization concept that is based on assigning authorizations to users based on roles
For this, the roles mentioned under “Standard Roles” are available as a template. You can copy the standard
roles to the customer namespace and adjust them to suit your requirements. For role maintenance you use
the profile generator (transaction PFCG).
● HR-specific concept for the general and structural authorization check
For more information about the authorization checks, see General Authorization Check and Structural Authorization Check (see SAP Library for S/4HANA and choose Human Resources > HR Tools > Authorizations for Human Resources).
Roles and Authorization Concept for Enterprise Compensation Management
Standard Roles
Enterprise Compensation Management does not provide its own standard roles. It uses roles from Manager Self-
Service and Employee Self-Service.
For more information, see the following:
● Authorizations in Manager Self-Service.
● Authorizations in Employee Self-Service.
Standard Authorization Objects
Enterprise Compensation Management uses the same standard authorization objects as all of Human Resources.
For more information about the standard authorization objects in Human Resources, see Authorizations. To do this, choose S/4HANA Security Guide for Human Resources > Authorizations.
13.13.5.4.3 Communication Channel Security
The following table shows the communication paths that Enterprise Compensation Management uses, the
protocol used for the connection, and the type of data transferred.
Table 403:
Communication Paths | Protocol Used | Type of Data Transferred | Data Requiring Particular Protection
Front-end client that uses SAP GUI for Windows as the application server | DIAG | All Customizing data | Passwords
Front-end client that uses a Web browser as the application server | HTTP, HTTPS (Note: we generally recommend using HTTPS) | All application data | Passwords, personal data
SAP Business Information Warehouse (SAP BW) | Extractor program | HR master data, organizational data, Enterprise Compensation Management data
You can use Secure Network Communications (SNC) to protect DIAG and RFC connections. The Secure Sockets
Layer protocol (SSL protocol) protects HTTP connections.
Recommendation
We strongly recommend that you use secure protocols (SSL, SNC) where possible.
For more information, see the SAP NetWeaver Security Guide under Transport Layer Security.
Printing
Enterprise Compensation Management provides a number of options for printing content. For information about security while printing, see the SNC User's Guide. You can find this at http://service.sap.com/security by looking under Security in Detail > Infrastructure Security.
13.13.5.4.4 Internet Communication Framework Security
You should only activate those services that are needed for the applications running in your system. For the Manager role in Enterprise Compensation Management, all services with the prefix HCM_ECM in the path /default_host/sap/bc/webdynpro/sap/ are required.
● HCM_ECM_PLANNING_OVERVIEW_OIF - Compensation Planning Overview
● HCM_ECM_PLANNING_UI_GAF - Planning User Interface
● HCM_ECM_PROFILE_OIF - Compensation Profile
● HCM_ECM_SIDEBYSIDE_OIF - Side-by-Side Comparison
● HCM_ECM_TEAMVIEWER_OIF - Compensation Profile Team Overview
For the Administrator role, the services with the prefix HRECM_BDG in the path /default_host/sap/bc/bsp are only required if you use top-down budgeting for compensation planning.
● HRECM_BDG_CHKRL - Check and Release Budget
● HRECM_BDG_MAINT - Budget Maintenance
● HRECM_BDG_RA_VL - Reassign Budget Value
● HRECM_BDG_SRV - Budgeting Services
● HRECM_BSG_SRV02 - Budget Structure Services
● HRECM_BDG_START - Overview
Use the transaction Maintain Services (SICF) to activate these services.
If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings
accordingly.
For more information, see Activating and Deactivating ICF Services in the SAP NetWeaver documentation in SAP
Library.
For more information about ICF security, see the RFC/ICF Security Guide.
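The rule in this section (activate only the services the configuration needs, and the budgeting services only when top-down budgeting is used) can be checked against a service export. The following is an added example, not SAP's code; the export line format and the sample system state are constructed for the example.

```python
"""Check an ICF service list against the services this guide names.

Added example, not SAP's code: it models the rule "activate only the
services that are needed" for the Enterprise Compensation Management
services listed in the guide. The input format (one "<path> <state>"
line per service) is a constructed stand-in for an export of the
service tree from transaction SICF.
"""

WEBDYNPRO_PATH = "/default_host/sap/bc/webdynpro/sap/"
BSP_PATH = "/default_host/sap/bc/bsp/"

# Services the guide lists for the Manager role (prefix HCM_ECM).
MANAGER_SERVICES = {
    "HCM_ECM_PLANNING_OVERVIEW_OIF",
    "HCM_ECM_PLANNING_UI_GAF",
    "HCM_ECM_PROFILE_OIF",
    "HCM_ECM_SIDEBYSIDE_OIF",
    "HCM_ECM_TEAMVIEWER_OIF",
}

# Services the guide lists for the Administrator role (prefix HRECM_BDG);
# required only if top-down budgeting is used. HRECM_BSG_SRV02 is spelled
# as in the guide.
BUDGETING_SERVICES = {
    "HRECM_BDG_CHKRL",
    "HRECM_BDG_MAINT",
    "HRECM_BDG_RA_VL",
    "HRECM_BDG_SRV",
    "HRECM_BSG_SRV02",
    "HRECM_BDG_START",
}

# ICF service names are case-insensitive; everything is compared lower-cased.
ALL_ECM_SERVICES = {(WEBDYNPRO_PATH + s).lower() for s in MANAGER_SERVICES} | {
    (BSP_PATH + s).lower() for s in BUDGETING_SERVICES
}


def required_services(top_down_budgeting: bool) -> set:
    """Full ICF paths that must be active for the given configuration."""
    required = {(WEBDYNPRO_PATH + s).lower() for s in MANAGER_SERVICES}
    if top_down_budgeting:
        required |= {(BSP_PATH + s).lower() for s in BUDGETING_SERVICES}
    return required


def parse_service_list(text: str) -> dict:
    """Parse constructed '<path> <state>' lines into {path: is_active}."""
    services = {}
    for line in text.strip().splitlines():
        path, state = line.split()
        services[path.lower()] = state.lower() == "active"
    return services


def audit(services: dict, top_down_budgeting: bool) -> dict:
    """Return the two findings an administrator acts on.

    missing:  required ECM services that are not active (the apps fail)
    unneeded: ECM services that are active although this configuration
              does not need them (surface to deactivate in SICF)
    """
    required = required_services(top_down_budgeting)
    active = {path for path, is_active in services.items() if is_active}
    return {
        "missing": sorted(required - active),
        "unneeded": sorted((active & ALL_ECM_SERVICES) - required),
    }


# Constructed sample: a system that uses the planning apps but no
# top-down budgeting, with one required service inactive and two
# budgeting services left active.
SAMPLE_SICF_EXPORT = """
/default_host/sap/bc/webdynpro/sap/HCM_ECM_PLANNING_OVERVIEW_OIF active
/default_host/sap/bc/webdynpro/sap/HCM_ECM_PLANNING_UI_GAF active
/default_host/sap/bc/webdynpro/sap/HCM_ECM_PROFILE_OIF inactive
/default_host/sap/bc/webdynpro/sap/HCM_ECM_SIDEBYSIDE_OIF active
/default_host/sap/bc/webdynpro/sap/HCM_ECM_TEAMVIEWER_OIF active
/default_host/sap/bc/bsp/HRECM_BDG_MAINT active
/default_host/sap/bc/bsp/HRECM_BDG_START active
"""

if __name__ == "__main__":
    findings = audit(parse_service_list(SAMPLE_SICF_EXPORT), top_down_budgeting=False)
    for kind, paths in findings.items():
        print(kind)
        for path in paths:
            print("  ", path)
```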
13.13.5.4.5 Data Storage Security
All data for Enterprise Compensation Management is stored in the database of the SAP system. The data is stored in the Personnel Administration (PA) and Budget Management (PA-PM) application components as well as in the database tables that govern the processes of Enterprise Compensation Management.
The applications in Enterprise Compensation Management store sensitive, personal data for compensation
planning. The data saved when managing the processes of Enterprise Compensation Management can be deleted
after the compensation review using the report Delete Compensation Planning History Data
(RHECM_DELETE_HISTORY_DATA).
For information about data storage security, see the SAP NetWeaver Security Guide at https://help.sap.com/nw under Release/Language > SAP NetWeaver Library > Administrator's Guide > SAP NetWeaver Security Guide > Security Guides for the Operating System and Database Platforms.
13.13.5.4.6 Security-Relevant Logging and Tracing
Enterprise Compensation Management uses logging and tracing mechanisms from SAP NetWeaver. These
mechanisms are described in detail under Auditing and Logging.
Changes to data in Enterprise Compensation Management that are made within the applications of Enterprise
Compensation Management are logged by the SAP system. The data can be checked with the following reports:
● Display Compensation Planning Changes (RHECM_DISPLAY_CHANGES)
● Display Compensation Planning Progress (RHECM_DISPLAY_PROGRESS)
13.13.6 Time and Attendance Management
13.13.6.1 Personnel Time Management (PT)
Introduction
Note
This guide does not replace the administration or operation guides that are available for productive operations.
Target Audience
● Technology consultants
● System administrators
This document is not included as part of the installation guides, configuration guides, technical operation
manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software lifecycle, whereas
the security guides provide information that is relevant for all lifecycle phases.
Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands on
security are also on the rise. When using a distributed system, you need to be sure that your data and processes
support your business needs without allowing unauthorized access to critical information. User errors,
negligence, or attempted manipulation of your system should not result in loss of information or processing time.
These demands on security apply likewise to the SAP Personnel Time Management. To assist you in securing the
SAP Personnel Time Management, we provide this security guide.
About this Document
This security guide provides an overview of the security-relevant information that applies to the SAP Personnel
Time Management.
Overview of the Main Sections
The security guide comprises the following main sections:
● Before You Start
This section contains information about why security is necessary, how to use this document, and references
to other security guides that build the foundation for this security guide.
● Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by the
SAP Personnel Time Management.
● Security Aspects of Data, Data Flow, and Processes
This section provides an overview of security aspects involved throughout the most widely used processes
within the SAP Personnel Time Management.
● Authorizations
This section provides an overview of the authorization concept that applies to the SAP Personnel Time
Management.
● Session Security Protection
This section provides information about activating secure session management, which prevents JavaScript or
plug-ins from accessing the SAP logon ticket or security session cookie(s).
● Network and Communication Security
This section provides an overview of the communication paths used by the SAP Personnel Time Management
and the security mechanisms that apply. It also includes our recommendations for the network topology to
restrict access at the network level.
● Internet Communication Framework Security
This section provides an overview of the Internet Communication Framework (ICF) services that are used by
the SAP Personnel Time Management.
● Security-Relevant Logging and Tracing
This section provides an overview of the trace and log files that contain security-relevant information, for
example, so you can reproduce activities if a security breach does occur.
13.13.6.1.1 Before You Start
The SAP Personnel Time Management is built using the HR backend system, CRM backend system and SAP
NetWeaver components. Therefore, the corresponding security guides also apply to the SAP Personnel Time
Management.
For a complete list of the available SAP security guides, see SAP Service Marketplace at http://service.sap.com/securityguide.
Important SAP Notes
The most important SAP Notes that apply to the security of the SAP Personnel Time Management are shown in
the table below.
Table 404:
Title | SAP Note | Comment
Authorization objects of shift planning | 496993
Transaction authorization PA61 for shift planning | 500844
PP61: Changeability of '*' | 1290365
eSOA HCM: Security, Interval Corrections for Leave | 1230915
ESS MSS LEA: Data anonymization despite authorization | 1165170
Setting up the HR-PDC interface | 647145
For a list of additional security-relevant SAP News and SAP Notes, see also SAP Service Marketplace at http://service.sap.com/securitynotes.
Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.
Table 405:
Content | Quick Link on SAP Service Marketplace or SDN
Security | http://sdn.sap.com/irj/sdn/security
Security Guides | http://service.sap.com/securityguide
Related SAP Notes | http://service.sap.com/notes and http://service.sap.com/securitynotes
Released platforms | http://service.sap.com/pam
Network security | http://service.sap.com/securityguide
SAP Solution Manager | http://service.sap.com/solutionmanager
SAP NetWeaver | http://sdn.sap.com/irj/sdn/netweaver
13.13.6.1.2 User Management
Use
User management in SAP Personnel Time Management uses the mechanisms provided with the SAP NetWeaver
Application Server for ABAP, for example, tools, user types, and password policies. For an overview of how these
mechanisms apply for SAP Personnel Time Management, see the sections below. In addition, we provide a list of
the standard users required for operating the SAP Personnel Time Management.
User Administration Tools
The table below shows the tools to use for user management and user administration with SAP Personnel Time
Management.
Table 406: User Management Tools
Tool | Detailed Description | Prerequisites
User and role maintenance with SAP NetWeaver AS for ABAP (Transactions SU01, PFCG) | For more information, see User and Role Administration of AS ABAP.
User Types
It is necessary to specify different security policies for different types of users. For example, your policy may
specify that individual users who perform tasks interactively must change their passwords on a regular basis, but
not users who run background processing jobs.
The specific user types that are required for the SAP Personnel Time Management include:
Technical users
● To upload time events from the external time recording system, you use the RPTCC106 report (HR-PDC: Download Upload Request for Time Events). You normally schedule the report as a background processing job. For this you require a technical user. The authorizations of the technical user should be based on the authorizations for the PT80 transaction (Subsystem Connection). Time events are uploaded from the subsystem by an IDoc, which stores the time events in the CC1TEV interface table. For the upload, you need a technical user with authorizations for communication with an SAP system using Application Link Enabling (ALE) and the relevant table authorizations. The technical user does not require authorizations specific to the SAP HR solution. You need a technical user with authorizations for the PT45 transaction (HR-PDC: Post Person Time Events) for the background processing job that transfers the time events from the interface table to the relevant Time Management tables.
● You need two types of technical users for BAPIs that store data in one of the following interface tables:
○ PTEXDIR
○ PTEX2000
○ PTEX2003
○ PTEX2010
To fill the interface tables, you need a user with authorizations for ALE communication with an SAP system and
the relevant table authorizations. For the subsequent background processing job to transfer data from the
interface tables to the infotype database tables, you need a technical user with the same authorizations that are
required for the CAT6 transaction (Transfer Time Data to Time Management).
● For technical users that have read access to the infotypes for the BAPIs, you can use the same authorizations
as contained in the SAP_HR_PT_TIMEADMINISTRATOR role.
13.13.6.1.3 Authorizations
Use
The SAP Personnel Time Management component uses the authorization concept provided by SAP NetWeaver
AS ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver
AS Security Guide ABAP also apply to SAP Personnel Time Management.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
For more information about how to create roles, see Role Administration under Role and Authorization Concept for
SAP Personnel Time Management.
Standard Roles
The table below shows the standard roles that are used by the SAP Personnel Time Management.
Table 407:
Role | Description
SAP_HR_PT_SHIFT-PLANNER | Shift Planner
SAP_HR_PT_TIME-ADMINISTRATOR | Time Administrator
SAP_HR_PT_TIME-LABOR-ANALYST | Time and Labor Analyst
SAP_HR_PT_TIME-MGMT-SPECIALIST | Time Management Specialist
SAP_HR_PT_TIME-SUPERVISOR | Time Supervisor
SAP_ESSUSER_ERP05 | Employee Self-Service
SAP_HR_PT_US_PS_TIME-ADM | Time Recording Administrator. This role is used only in the Public Sector in the country version for the USA.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by SAP Personnel Time
Management.
Table 408:
Authorization Object | Field | Value | Description
P_PERNR | AUTHC | E, R | Used to assign different authorizations to users for accessing their own personnel number. P_PERNR is relevant for Self-Service Scenarios (Role SAP_EMPLOYEE)
P_PERNR | INFTY | 0000, 0001, 0002, 0007, 0416, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2010, 2011, 2012, 2013 | Infotypes required
P_ORGIN | AUTHC | E, R | Used during the authorization check for HR infotypes.
P_ORGIN | INFTY | 0000, 0001, 0002, 0007, 0416, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2010, 2011, 2012, 2013 | Infotypes required
P_PCLX | AUTHC | W, R | Relevant for both Time Evaluation and Time Recording.
P_PCLX | RELID | B1, B2, L1, G1, PC | Clusters required
13.13.6.1.4 Data Storage Security
Archiving Objects and Reports
The following tools and reports are available for archiving data:
● Archiving Object: PA_TIME (Time Evaluation Results from Cluster B2)
● Data Writing Report: RPAR5W00
● Data Deletion Report: RPAR5D00
Archiving is done using transactions PU22 and SARA respectively.
Data Deletion Reports
The following tools and reports are available for deleting data:
RPTEXTPT: Using the DELETE option deletes the data already transferred (stored in PA-tables) from the following
interface tables:
● PTEX2000
● PTEX2010
● PTEX2003GEN
● PTEX2003SPEC
RPWI4100: Reorganizes interface table LSHR (Integration to Logistics).
Using Logical Paths and File Names to Protect Access to the File System
Personnel Time Management saves data in files in the local file system. Therefore, it is important to grant explicit access only to the corresponding files in the file system, without access to other directories or files (unauthorized access of this kind is also called directory traversal). This is achieved by entering logical paths and file names in the system that are assigned to the physical paths and file names. This assignment is validated at runtime. If access to a directory is requested that does not correspond to a stored assignment, an error occurs.
The following lists show the logical file names and paths that are used by Personnel Time Management, and the
reports for which these file names and paths are valid. The logical file names and logical file paths were created
using transaction FILE to facilitate the validation of physical file names.
Table 409: Logical File Names and Path Names Used in Personnel Time Management
Logical File Name | Reports That Use These Logical File Names | Logical File Path
HR_XX_DIR_RPTEDO00 | RPTEDO00 | HR_XX_DIR_RPTEDO00
HR_XX_DIR_RPTEUP00 | RPTEUP00 | HR_XX_DIR_RPTEUP00
HR_XX_DIR_RPTEUP10 | RPTEUP10 | HR_XX_DIR_RPTEUP10
HR_XX_DIR_RPTEZL00 | RPTEZL00 | HR_XX_DIR_RPTEZL00
HR_XX_DIR_RPTX2010 | RPTX2010 | HR_XX_DIR_RPTX2010
HR_XX_DIR_RPWI0000 | RPWI0000 | HR_XX_DIR_RPWI0000
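The runtime validation described above, modelled as an added example that is not SAP's implementation: the logical names and report assignments are those of Table 409, while the physical directories and the function names are constructed for the example.

```python
"""Model of the logical file name check described in the guide.

Added example, not SAP's implementation: it imitates what the guide
describes for transaction FILE, where a logical path is assigned to a
physical directory, a logical file name is assigned to a logical path,
and the physical name a report wants to use is validated against that
assignment at runtime. The logical names and report assignments are the
page's; the physical directories are constructed placeholders.
"""
import posixpath

# Constructed: logical file path -> physical directory maintained in
# transaction FILE (a customer would use their own directories).
LOGICAL_PATHS = {
    "HR_XX_DIR_RPTEDO00": "/usr/sap/hr/rptedo00",
    "HR_XX_DIR_RPTEUP00": "/usr/sap/hr/rpteup00",
    "HR_XX_DIR_RPTEUP10": "/usr/sap/hr/rpteup10",
    "HR_XX_DIR_RPTEZL00": "/usr/sap/hr/rptezl00",
    "HR_XX_DIR_RPTX2010": "/usr/sap/hr/rptx2010",
    "HR_XX_DIR_RPWI0000": "/usr/sap/hr/rpwi0000",
}

# Logical file name -> logical file path (Table 409 uses the same name
# for both).
LOGICAL_FILE_NAMES = {name: name for name in LOGICAL_PATHS}

# Report -> logical file name it may use (from Table 409).
REPORT_FILE_NAMES = {
    "RPTEDO00": "HR_XX_DIR_RPTEDO00",
    "RPTEUP00": "HR_XX_DIR_RPTEUP00",
    "RPTEUP10": "HR_XX_DIR_RPTEUP10",
    "RPTEZL00": "HR_XX_DIR_RPTEZL00",
    "RPTX2010": "HR_XX_DIR_RPTX2010",
    "RPWI0000": "HR_XX_DIR_RPWI0000",
}


class FileNameValidationError(ValueError):
    """Raised when a requested physical name does not match the assignment."""


def validate_physical_name(logical_name: str, requested: str) -> str:
    """Return the absolute physical path for `requested` under the logical
    file name, or raise if it does not stay inside the assigned directory."""
    if logical_name not in LOGICAL_FILE_NAMES:
        raise FileNameValidationError(f"logical file name {logical_name} is not maintained")
    directory = LOGICAL_PATHS[LOGICAL_FILE_NAMES[logical_name]]
    # Resolve relative to the assigned directory; normpath collapses any
    # ".." segments, so a name that escapes no longer shares the prefix.
    # An absolute name replaces the directory in join() and is caught too.
    candidate = posixpath.normpath(posixpath.join(directory, requested))
    if candidate == directory or posixpath.commonpath([directory, candidate]) != directory:
        raise FileNameValidationError(f"{requested!r} is outside {directory}")
    return candidate


def physical_name_for_report(report: str, requested: str) -> str:
    """Resolve a file name for a report via the logical name assigned to it."""
    try:
        logical_name = REPORT_FILE_NAMES[report]
    except KeyError:
        raise FileNameValidationError(f"no logical file name assigned to {report}") from None
    return validate_physical_name(logical_name, requested)


def is_allowed(report: str, requested: str) -> bool:
    """True if the report may access `requested`; False on any validation error."""
    try:
        physical_name_for_report(report, requested)
        return True
    except FileNameValidationError:
        return False


if __name__ == "__main__":
    # Constructed requests: one stays in the assigned directory, the others
    # try to leave it or come from a report without an assignment.
    for report, name in [("RPTEDO00", "events_2024.txt"),
                         ("RPTEDO00", "../rpteup00/events.txt"),
                         ("RPTEDO00", "/usr/sap/hr/rpteup00/events.txt"),
                         ("RPTXXXX", "events.txt")]:
        print(report, repr(name), "allowed" if is_allowed(report, name) else "rejected")
```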
13.13.6.2 Cross-Application Time Sheet (CA-TS)
13.13.6.2.1 User Administration and Authentication
The Cross-Application Time Sheet (CA-TS) uses the user management and authentication mechanisms provided
with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server for ABAP. Therefore, the
security recommendations and guidelines for user administration and authentication as described in the SAP
NetWeaver Application Server for ABAP also apply to the Cross-Application Time Sheet (CA-TS). In addition to
these guidelines, we include information about user administration and authentication that specifically applies to
the Cross-Application Time Sheet (CA-TS) in the following topics:
● User Management
This topic lists the tools to use for user management, the types of users required, and the standard users that
are delivered with the Cross-Application Time Sheet (CA-TS).
● Integration into Single Sign-On Environments
This topic describes how the Cross-Application Time Sheet (CA-TS) supports Single Sign-On mechanisms.
13.13.6.2.1.1 User Management
User management for the Cross-Application Time Sheet (CA-TS) uses the mechanisms provided with the SAP
NetWeaver Application Server for ABAP, for example, tools, user types, and password policies. For an overview of
how these mechanisms apply for the Cross-Application Time Sheet (CA-TS), see the sections below.
User Administration Tools
The table below shows the tools to use for user management and user administration with the Cross-Application
Time Sheet (CA-TS).
Table 410: User Management Tools
Tool | Detailed Description | Prerequisites
User and Role Maintenance (transaction PFCG) | You can use the Role Maintenance transaction PFCG to generate profiles for the Cross-Application Time Sheet (CA-TS) users. For more information, see User and Role Administration of AS ABAP.
Technical Settings for User Management in Cross-Application Time Sheet (CA-TS) | For more information on user profiles and the roles, see Customizing for Time Sheet under Settings for All User Interfaces > Authorizations.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may
specify that individual users who perform tasks interactively have to change their passwords on a regular basis,
but not those users under which background processing jobs run.
The user types that are required for the Cross-Application Time Sheet (CA-TS) include:
● Individual users:
○ Dialog users are used to maintain, release, and approve working times. They are used for the SAP GUI and Web Dynpro ABAP front ends.
● Technical users:
○ System User: Background processing and communication within a system (such as RFC users for ALE,
Workflow). They are used for transferring data to target components, to check data remotely, and to
process workflow items.
○ Communication users are used for scenarios in which CATS BAPIs are called from external systems.
For more information on these user types, see User Types under User Authentication in the SAP NetWeaver
Application Server for ABAP Security Guide.
Standard Users
We do not deliver standard users within Cross-Application Time Sheet (CA-TS).
13.13.6.2.1.2 Integration into Single Sign-On Environments
The most widely-used supported mechanisms are listed below. For a complete list, see the link provided below.
● Secure Network Communications (SNC)
SNC is available for user authentication and provides for a single sign-on (SSO) environment when using the
SAP GUI for Windows or Remote Function Calls.
● SAP logon tickets
Cross-Application Time Sheet (CA-TS) supports the use of logon tickets for SSO when using a Web browser
as the frontend client. In this case, users can be issued a logon ticket after they have authenticated
themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external
systems) as an authentication token. The user does not need to enter a user ID or password for
authentication but can access the system directly after the system has checked the logon ticket.
● Client certificates
As an alternative to user authentication using a user ID and passwords, users using a Web browser as a
frontend client can also provide X.509 client certificates to use for authentication. In this case, user
authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and
no passwords have to be transferred. User authorizations are valid in accordance with the authorization
concept in the SAP system.
● Security Assertion Markup Language (SAML) 2.0
SAML 2.0 provides a standards-based mechanism for SSO. The primary reason to use SAML 2.0 is to enable
SSO across domains.
The Cross-Application Time Sheet (CA-TS) supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide also apply to the Cross-Application Time Sheet (CA-TS).
For more information about the available authentication mechanisms, see User Authentication and Single Sign-On in the SAP NetWeaver Library.
13.13.6.2.2 Authorizations
Use
The Cross-Application Time Sheet (CA-TS) uses the authorization concept provided by the SAP NetWeaver AS
for ABAP and AS Java. Therefore, the recommendations and guidelines for authorizations as described in the SAP
NetWeaver AS Security Guide ABAP and SAP NetWeaver AS Security Guide Java also apply to the Cross-
Application Time Sheet (CA-TS).
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine's user administration console on the AS Java.
Note
For more information about how to create roles, see section Role Administration under the SAP Library for SAP
S/4 HANA Identity Management.
The following section shows the typical scenarios, the relevant roles and the authorization objects that Cross-Application Time Sheet (CA-TS) uses. These are:
● Enter Working Times in Time Sheet
● Approve Working Times
● Transfer Working Times to Target Components
Role and Authorization Concept for Cross-Application Time Sheet (CA-TS)
Enter Working Times
Standard Roles
The table below shows the standard roles that are used by the Cross-Application Time Sheet (CA-TS).
Table 411:
Role | Description
SAP_HR_PT_TIME-ADMINISTRATOR | Time Administrator: The Time Administrator role is performed by employees in the individual departments of a company, such as secretaries and foremen. Their duties include entering employees' documents in the system and reacting to messages from time evaluation.
SAP_EMPLOYEE_WDA_1 (this includes the single role SAP_EMPLOYEE_XX_ESS_WDA_1 containing authorizations for CATS) | Employee Self-Service (WD ABAP): You need this role if you want to enable all your company's employees to record their working times.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by the Cross-Application Time
Sheet (CA-TS).
Table 412:
Authorization Object | Field | Value | Description
P_PERNR | AUTHC | E, R | Used to assign users different authorizations for accessing their own personnel number. P_PERNR is relevant for Self-Service Scenarios (Role SAP_EMPLOYEE)
P_PERNR | INFTY | 0000, 0001, 0002, 0007, 0315, 0316, 2001, 2002, 2003, 2010 | Needed infotypes
P_ORGIN | AUTHC | E, R | Used during the authorization check for HR infotypes. P_ORGIN is relevant for Administrator Scenarios (Role SAP_HR_PT_TIME-ADMINISTRATOR, SAP_ISR_RETAIL_STORE)
P_ORGIN | INFTY | 0000, 0001, 0002, 0007, 0315, 0316, 2001, 2002, 2003, 2010 | Needed infotypes
P_PCLX | AUTHC | R | Relevant for both Self-Service and Administrator Scenarios, used when attendance/absence types are recorded and to display target hours.
P_PCLX | RELID | B2, PC | Needed clusters
Approve Working Times
Standard Roles
The table below shows the standard roles that are used by the Cross-Application Time Sheet (CA-TS).
Table 413:
Role | Description
SAP_HR_PT_TIME-SUPERVISOR | The Time Supervisor role is performed by executive employees in the individual departments of a company, such as those with personnel responsibility, department heads, project managers, or foremen. The Time Supervisor plans and approves leave and alterations to working times. He or she orders overtime as required, and regularly monitors the amount of overtime worked in the department. He or she checks and approves employees' activity reports, and monitors absence times.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by the Cross-Application Time
Sheet (CA-TS).
Table 414:
Authorization Object | Field | Value | Description
P_ORGIN | AUTHC | D, R | Authorization object that is used during the authorization check for HR infotypes (see http://help.sap.com/erp2005_ehp_02/helpdata/en/35/26b181afab52b9e10000009b38f974/content.htm).
P_ORGIN | INFTY | 0328, 2001, 2002 | Needed infotypes
Transfer Working Times to Target Components
Standard Roles
The table below shows the standard roles that are used by the Cross-Application Time Sheet (CA-TS).
Table 415:
Role | Description
SAP_HR_PT_TIME-MGMT-SPECIALIST | The time management specialist is responsible for the smooth operation of the time management system. He or she is familiar with the technical side of the SAP System. The time management activities for this role include controlling the transfer of data to other SAP applications, such as the transfer of data from the SAP Cross-Application Time Sheet.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by the Cross-Application Time
Sheet (CA-TS).
Table 416:
Authorization Object | Field | Value | Description
P_ORGIN | No proposal | No proposal
P_PERNR | No proposal | No proposal
PCLX | No proposal | No proposal
13.13.6.2.3 Session Security Protection
To prevent access in JavaScript or plug-ins to the SAP logon ticket and security session cookie(s), we recommend activating secure session management.
We also highly recommend using SSL to protect the network communications where these security-relevant
cookies are transferred.
Session Security Protection on the AS ABAP
To prevent access in JavaScript or plug-ins to the SAP logon ticket and security session cookie(s) (SAP_SESSIONID__), activate secure session management. With an existing security session, users can then start applications that require a user logon without logging on again. When a security session is ended, the system also ends all applications that are linked to this security session.
Use the transaction SICF_SESSIONS to specify the parameter values shown in the table below in your AS ABAP system:
Table 417: Session Security Protection Profile Parameters
Profile Parameter | Recommended Value | Comment
icf/set_HTTPonly_flag_on_cookies | 0 | Client-Dependent
login/ticket_only_by_https | 1 | Not Client-Dependent
For more information and detailed instructions, see Activating HTTP Security Session Management on AS ABAP in
the AS ABAP security documentation.
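An added example (not SAP code and not part of this guide) of how to verify the two settings of Table 417 and the cookie flags they are meant to produce: it compares a parameter export against the recommended values and inspects Set-Cookie response headers for the security session cookie (SAP_SESSIONID_<SID>_<client>) and the logon ticket cookie (MYSAPSSO2). The "name = value" export format, the sample values, the system ID X00 and the domain are constructed; checking the Secure attribute on both cookies follows the recommendation above to protect their transport with SSL and is not tied to a parameter on this page.

```python
from __future__ import annotations

# Recommended values from Table 417 of the guide.
RECOMMENDED_PARAMETERS = {
    "icf/set_HTTPonly_flag_on_cookies": "0",
    "login/ticket_only_by_https": "1",
}

# Cookies the text wants shielded from scripts and from plaintext transport:
# the AS ABAP security session cookie (SAP_SESSIONID_<SID>_<client>) and the
# logon ticket cookie (MYSAPSSO2).
PROTECTED_COOKIE_PREFIXES = ("SAP_SESSIONID", "MYSAPSSO2")

# Constructed sample data, not a real system export. The 'name = value' line
# format is an assumption made for this example.
SAMPLE_PARAMETER_DUMP = """\
# constructed sample
icf/set_HTTPonly_flag_on_cookies = 3
login/ticket_only_by_https = 1
"""
SAMPLE_SET_COOKIE_HEADERS = [
    "SAP_SESSIONID_X00_100=c0nstructed; path=/; HttpOnly; Secure",
    "MYSAPSSO2=AjExAmPlEt1cket; path=/; domain=.example.invalid",
    "sap-usercontext=sap-client=100; path=/",
]


def parse_parameters(dump: str) -> dict[str, str]:
    """Parse 'name = value' lines; blank lines and '#' comments are skipped."""
    params: dict[str, str] = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def check_parameters(params: dict[str, str]) -> list[str]:
    """One finding per recommended parameter that is missing or deviates."""
    findings = []
    for name, wanted in RECOMMENDED_PARAMETERS.items():
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name}: not set, recommended {wanted}")
        elif actual != wanted:
            findings.append(f"{name}: is {actual}, recommended {wanted}")
    return findings


def parse_set_cookie(header: str) -> tuple[str, set[str]]:
    """Return the cookie name and the lower-cased attribute names of a Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def check_cookies(headers: list[str]) -> list[str]:
    """Flag protected cookies that are issued without HttpOnly or without Secure."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not name.startswith(PROTECTED_COOKIE_PREFIXES):
            continue  # application cookies such as sap-usercontext are out of scope here
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"{name}: missing {flag}")
    return findings


def audit(dump: str, headers: list[str]) -> list[str]:
    """Combine both checks; an empty list means the system matches Table 417."""
    return check_parameters(parse_parameters(dump)) + check_cookies(headers)


if __name__ == "__main__":
    for finding in audit(SAMPLE_PARAMETER_DUMP, SAMPLE_SET_COOKIE_HEADERS):
        print(finding)
```

Running both checks together matters because the profile parameter only states intent; the Set-Cookie headers a browser actually receives (for example behind a reverse proxy that rewrites cookies) are what the JavaScript access restriction depends on.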
13.13.6.2.4 Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level), or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, there is no way for intruders to compromise the machines and gain access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for the Cross-Application Time Sheet (CA-TS) is based on the topology used by the SAP
NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver
Security Guide also apply to the Cross-Application Time Sheet (CA-TS). Details that specifically apply to the
Cross-Application Time Sheet (CA-TS) are described in the following topics:
● Communication Channel Security
This topic describes the communication paths and protocols used by the Cross-Application Time Sheet (CA-
TS).
● Network Security
This topic describes the recommended network topology for the Cross-Application Time Sheet (CA-TS). It
shows the appropriate network segments for the various client and server components, and where to use
firewalls for access protection. It also includes a list of the ports needed to operate the Cross-Application
Time Sheet (CA-TS).
● Communication Destinations
This topic describes the information needed for the various communication paths, for example, which users
are used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide:
● Network and Communication Security
● Security Guides for Connectivity and Interoperability Technologies
13.13.6.2.4.1 Communication Channel Security
The table below shows the communication channels used by the Cross-Application Time Sheet (CA-TS), the
protocol used for the connection, and the type of data transferred.
Table 418:
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Front-end client that uses SAP GUI for Windows for the application server | DIAG | All customizing data, application data entered by non-WD applications | Passwords
Front-end client that uses a Web browser for the application server | RFC, HTTP(S) (We recommend you use HTTPS.) | Application data entered by WD applications and Web Services | Passwords
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using the Secure Sockets Layer (SSL) protocol.
Note
We strongly recommend using secure protocols (SSL, SNC) whenever possible.
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
13.13.6.2.4.2 Network Security
You can operate the Cross-Application Time Sheet (CA-TS) in different ways. You can run the Cross-Application Time Sheet (CA-TS) and the HR system and/or cProject system integrated on one system, or on different instances.
Firewall Settings
For more information, see Using Firewall Systems for Access Control in the SAP NetWeaver Security Guide.
For more information, see Using Multiple Network Zones in the SAP NetWeaver Security Guide.
Ports
The Cross-Application Time Sheet (CA-TS) runs on SAP NetWeaver and uses the ports from the AS ABAP.
For more information, see the topic for AS ABAP Ports in the corresponding SAP NetWeaver Security Guides.
For other components, for example, SAPinst, SAProuter, or the SAP Web Dispatcher, also see the document TCP/IP Ports Used by SAP Applications, which is located on the SAP Service Marketplace at http://service.sap.com/ under Products Database & technology Security Infrastructure Security.
13.13.6.2.4.3 Communication Destinations
Use
The table below shows an overview of the communication destinations used by the Cross-Application Time Sheet
(CA-TS).
Table 419:
Destination | Delivered | Type | User, Authorizations | Description
Cross-Application Time Sheet (CA-TS) to Human Resources Management | No | RFC | Anonymous dialog user specified in connections between both systems | Customizing: Time Sheet → Settings for All User Interfaces → Data Transfer for Distributed Systems (ALE)
Cross-Application Time Sheet (CA-TS) to cProjects | No | RFC | Anonymous dialog user specified in connections between both systems | Customizing: Time Sheet → Settings for All User Interfaces → Data Transfer for Distributed Systems (ALE)
WD Java Frontend to Cross-Application Time Sheet (CA-TS) | Yes | RFC/JCo | See Customizing | Customizing: Integration with Other SAP Components → Business Packages / Functional Packages → Manager Self Service (mySAP ERP).
External consumer/external Web UI to Cross-Application Time Sheet (CA-TS) | No | HTTP(S) and SOAP messages | Specific dialog user | Cross-Application Time Sheet (CA-TS) acts as service provider.
13.13.6.2.5 Data Storage Security
The Cross-Application Time Sheet (CA-TS) data is saved in databases of the SAP system as follows:
Table 420:
Data | Location
Application Data | CATSDB
Attachments and user-defined texts | SAPScript storage
Templates | CATS_TEMP
Transfer data for HR | PTEX2000, PTEX2010, PTEXDIR
Transfer data for CO | CATSCO
Transfer data for PS | CATSPS
Transfer data for PM | CATSPM
Transfer data for MM-SRV | CATSMM
Transfer data for cPro | DPR_CONF_LI
13.13.6.2.6 Enterprise Services Security
The following chapters in the SAP NetWeaver Security Guide and documentation are relevant for all enterprise
services delivered with Cross-Application Time Sheet (CA-TS):
● Web Services Security
● Recommended WS Security Scenarios
● SAP NetWeaver Process Integration Security Guide
13.13.6.2.7 Security-Relevant Logging and Tracing
Cross-Application Time Sheet (CA-TS) relies on the logging and tracing mechanisms from SAP NetWeaver:
● Auditing and Logging
● Tracing and Logging
13.13.6.2.8 Services for Security Lifecycle Management
The following services are available from Active Global Support to assist you in maintaining security in your SAP
systems on an ongoing basis.
Security Chapter in the EarlyWatch Alert (EWA) Report
This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you:
● Whether SAP Security Notes have been identified as missing on your system.
In this case, analyze and implement the identified notes, if possible. If you cannot implement the notes, the
report should be able to help you decide on how to handle the individual cases.
● Whether an accumulation of critical basis authorizations has been identified.
In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not,
correct the situation. If you consider the situation okay, you should still check for any significant changes
compared to former EWA reports.
● Whether standard users with default passwords have been identified on your system.
In this case, change the corresponding passwords to non-default values.
Security Optimization Service (SOS)
The Security Optimization Service can be used for a more thorough security analysis of your system, including:
● Critical authorizations in detail
● Security relevant configuration parameters
● Critical users
● Missing security patches
This service is available as a self service within the SAP Solution Manager or as a remote or on-site service. We
recommend you use it regularly (for example, once a year) and in particular after significant system changes or in
preparation of a system audit.
Security Configuration Validation
The Security Configuration Validation can be used to continuously monitor a system landscape for compliance to
predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers
configuration parameters, but it also covers critical security properties like the existence of a non-trivial Gateway
configuration or making sure standard users do not have default passwords.
Security in the RunSAP Methodology / Secure Operations Standard
With the E2E Solution Operations Standard Security service, a best practice recommendation is available on how to operate SAP systems and landscapes in a secure manner. It guides you through the most important security operation areas and links to detailed security information from SAP's knowledge base wherever appropriate.
More Information
For more details on these services see
● EarlyWatch Alert: http://service.sap.com/ewa
● Security Optimization Service / Security Notes Report: http://service.sap.com/sos
● Comprehensive list of Security Notes: http://service.sap.com/securitynotes
● Configuration Validation: http://service.sap.com/changecontrol
● RunSAP Roadmap, including the Security and the Secure Operations Standard: http://service.sap.com/runsap (See the RunSAP chapters 2.6.3, 3.6.3 and 5.6.3)
13.14 SAP S/4HANA LoB Products for specific Industries
13.14.1 Agriculture
13.14.1.1 Agricultural Contract Management
13.14.1.1.1 Authorizations
SAP S/4HANA Industry solution for Agricultural Contract Management uses the authorization concept provided
by SAP NetWeaver AS for ABAP. Therefore, the recommendations and guidelines for authorizations as described
in the SAP NetWeaver AS Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
The table below shows the standard roles that are used by Agricultural Contract Management.
Table 421:
Role | Description
SAP_BR_MASTER_DATA_ACM | Master Data Specialist (ACM)
SAP_BR_OPERATION_CLERK_ACM | Operations Clerk (ACM)
SAP_BR_SETTLEMENT_CLERK_ACM | Settlement Clerk (ACM)
SAP_BR_TRADER_ACM | Trader (ACM)
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by Agricultural Contract Management.
Table 422:
Authorization Object | Field | Value | Description
/ACCGO/ASG | ACTVT (Activity); /ACCGO/LOC (TSW Location) | 01 - Add or Create; 02 - Change; 03 - Display | Value Schedule Assignment to TSW Location
/ACCGO/CPE | BUKRS (Company Code); WERKS (Plant); ACTVT (Activity) | 01 - Add or Create; 02 - Change; 06 - Delete | Commodity Pricing Engine Integration
/ACCGO/DIS | ACTVT (Activity) | 16 - Execute | Online Pricing Distributions
/ACCGO/GDC | ACTVT (Activity) | 01 - Add or Create; 02 - Change; 03 - Display | Global Derived Characteristics
/ACCGO/IR | BUKRS (Company Code); WERKS (Plant); EKORG (Purchasing Organization); OIJ_LOC (Location ID) | N/A | Invoice Router
/ACCGO/LIN | ACTVT (Activity) | 01 - Add or Create; 02 - Change; 03 - Display | Lien
/ACCGO/NEG | /ACCGO/NKY (Tree Control: Node Key); ACTVT (Activity) | 01 - Add or Create; 02 - Change; 03 - Display | Manual Application Workcenter - Node Key
/ACCGO/NEY | EKORG (Purchasing Organization); PRCTR (Profit Center); WERKS (Plant); VKORG (Sales Organization); VTWEG (Distribution Channel); SPART (Division); BUKRS (Company Code); /ACCGO/DTY (Application Document Type); /ACCGO/APL (Application Activities); /ACCGO/SID (Side) | Application Activities, for example: 01 - Create; 02 - Change; 03 - Display; 04 - Manual Selection of Contract; 05 - Propose Contract; 06 - Link to Contract, and so on (for more information, see the fixed values for the corresponding domain /ACCGO/D_APPL_ACTIVITIES). Side: M - Purchasing; V - Sales/Distribution | Manual Application Workcenter - Common Fields
/ACCGO/NSS | WERKS (Plant); BUKRS (Company Code); /ACCGO/SID (Side); /ACCGO/NSA (Non-Standard Settlement Activities) | Side: M - Purchasing; V - Sales/Distribution. Non-Standard Settlement Activities: 01 - Create Washout; 02 - Create Circle; 03 - Create Cancellation; 04 - Display Washout/Circle; 05 - Create Underfill | Non-Standard Settlement
/ACCGO/OE | ACTVT (Activity) | 02 - Change; 03 - Display | Orchestration Framework and Back-to-Back
/ACCGO/RRP | BUKRS (Company Code); PRCTR (Profit Center); VKORG (Sales Organization); EKORG (Purchasing Organization); ACTVT (Activity); SPART (Division); VTWEG (Distribution Channel); EKGRP (Purchasing Group) | 03 - Display; 10 - Post | Revenue Recognition and Purchase Realization
/ACCGO/SPM | /ACCGO/APL (Application Activities); /ACCGO/DTY (Application Document Type); WERKS (Plant) | Application Activities, for example: 01 - Create; 02 - Change; 03 - Display; 04 - Manual Selection of Contract; 05 - Propose Contract; 06 - Link to Contract, and so on (for more information, see the fixed values for the corresponding domain /ACCGO/D_APPL_ACTIVITIES) | Contract Application Spot Monitor
/ACCGO/STL | BUKRS (Company Code); TCTYP (Trading Contract: Trading Contract Type); WERKS (Plant); PRCTR (Profit Center); VKORG (Sales Organization); VTWEG (Distribution Channel); SPART (Division); EKORG (Purchasing Organization); /ACCGO/SID (Side); /ACCGO/STL (Settlement Activities for Authorization Check) | Side: M - Purchasing; V - Sales/Distribution. Settlement Activities for Authorization Check, for example: 01 - Create/Generate Settlement; 02 - Change/Adjust Settlement; 03 - Display Settlement; 04 - Release Settlement; 05 - Approve Settlement; 06 - Reverse Settlement, and so on (for more information, see the fixed values for the corresponding domain /ACCGO/D_STL_ACTIVITIES) | Contract Settlement
/ACCGO/TOL | ACTVT (Activity) | 01 - Add or Create; 02 - Change; 03 - Display | Tolerance Schedule
/ACCGO/UI | /ACCGO/NOD (Tree Control: Node Key); /ACCGO/LEF (Tree Control: Leaf Key) | N/A | Common UI Node Access
/ACCGO/UIC | ACTVT (Activity) | For example: 01 - Add or Create; 02 - Change; 03 - Display; 04 - Print, edit messages; 05 - Lock; 06 - Delete, and so on (for more information, see the permitted activities for the authorization object /ACCGO/UIC) | Set Up Load Data Capture
/ACCGO/UIS | WERKS (Plant); /ACCGO/UIS (LDC Activity) | LDC Activity, for example: 01 - Create/Change LDC; 02 - Display LDC; 03 - Create Weights; 04 - Change Weights; 05 - Create Analysis; 06 - Change Analysis, and so on (for more information, see the fixed values for the corresponding domain /ACCGO/D_UIS_ACTIVITY) | Load Data Capture
/ACCGO/VAL | ACTVT (Activity) | 01 - Add or Create; 02 - Change; 03 - Display; 06 - Delete | Value Schedule
/ACCGO/VOL | ACTVT (Activity) | 01 - Add or Create; 02 - Change; 03 - Display; 06 - Delete | Volume Schedule
13.14.2 Automotive
13.14.2.1 Vehicle processes for Wholesale and Retail
13.14.2.1.1 Authorizations
Vehicle Processes for Wholesale and Retail uses the authorization concept provided by the SAP NetWeaver AS for
ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 423:
Authorization Object | Description
C_AUTO_VMS | Vehicle Management System (VMS): Controls whether a user is allowed to execute VMS actions
C_AUTO_DPV | Dealer Portal VMS: Controls whether a user is allowed to execute dealer portal functions, for example, create a sales order without a vehicle
13.14.2.1.2 Deletion of Personal Data
Use
The Vehicle Management System (VMS) might process data (personal data) that is subject to the data protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 Product Assistance Cross Components Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 424:
Application | Provided Deletion Functionality
Vehicle Management System (IS-A-VMS) | Archiving Object VEHICLE; ILM Object VEHICLE
Relevant Application Objects and Available EoP/WUC functionality
Table 425:
Application | Implemented Solution (EoP or WUC) | Further Information
Vehicle Management System (IS-A-VMS) | EoP | Check table VLCVEHICLE
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for Cross-Application Components → Data Protection.
13.14.3 Banking
13.14.3.1 SAP Business Partner for Financial Services (FS-BP)
The security policy with SAP Business Partner for Financial Services (FS-BP) is very similar to the security policy
with the central SAP Business Partner (SAP BP).
13.14.3.1.1 Authorizations
You create roles in Customizing for SAP Banking under SAP Business Partner for Financial Services General Settings Business Partner Basic Settings Authorization Management.
The authorization objects are the responsibility of the SAP Business Partner. SAP Financial Customer Information
Management (FS-BP) is only responsible for the following authorization objects:
● T_BP_DEAL (Standing Instructions/Transactions)
You can use this authorization object to control the company code-dependent authorizations for displaying/
creating/changing standing instructions.
There are standing instructions for:
○ Payment details
○ Derived flows
○ Correspondence
○ Transaction authorizations
● B_BUPA_SLV (Selection Variant for Total Commitment)
A selection variant includes various settings for the total commitment (such as which business partner roles
and relationships can be used for the selection, or whether detailed information can be displayed).
If you activate the SACF scenario FSBP_RATINGS (FS-BP:Scenario for Ratings and Credit Standing Data) in the
Workbench for Switchable Authorization Check Scenarios (transaction SACF), the following FS-BP authorization
objects are also available:
● B_BUPA_RAT (Business Partner: Ratings)
You can use this authorization object to check whether a user has the authorization to create, change, display, or delete rating procedures. For each rating procedure, you can differentiate between an authorization for a permitted period or an authorization for any period. The prerequisite for this is that you have made the settings for the periods in Customizing for SAP Banking under SAP Business Partner for Financial Services Settings for Financial Services General Settings Ratings/Credit Standing Ratings Set Rating Procedures and Ratings.
● B_BUPA_CRS (Business Partner: Credit Standing Data)
You can use this authorization object to check whether a user has the authorization to display and change
credit standing data.
13.14.3.1.2 Network and Communication Security
In the case of Total Commitment, SAP ERP communicates with other SAP systems (such as Account
Management (FS-AM)). Communication with non-SAP systems is also possible.
Communication takes place using Remote Function Call (RFC).
13.14.3.1.2.1 Communication Destinations
Depending on the scenario, an RFC user is required for communication via Remote Function Call (RFC). This user requires the appropriate authorizations for the target system (such as FS-CML or FS-AM).
13.14.3.1.3 Data Storage Security
The authorization object B_CCARD controls access to the credit card information that is stored in the business
partner. This control falls under the area of responsibility of the central SAP Business Partner.
You can use authorization groups (authorization object B_BUPA_GRP) to protect employee data.
If you activate the SACF scenario FSBP_RATINGS (FS-BP:Scenario for Ratings and Credit Standing Data) in the
Workbench for Switchable Authorization Check Scenarios (transaction SACF), the following FS-BP authorization
objects are also available:
● B_BUPA_RAT (Business Partner: Ratings)
● B_BUPA_CRS (Business Partner: Credit Standing Data)
Related Information
Authorizations [page 699]
13.14.3.2 Bank Customer Accounts (BCA)
13.14.3.2.1 Authorizations
The following standard roles are available in Bank Customer Accounts (BCA):
Table 426:
Role | Name
SAP_ISB_ACCOUNTS_ADMIN_AG | SAP Banking BCA: Administrator in Account Management
SAP_ISB_ACCOUNTS_ASSISTANT_AG | SAP Banking BCA: Assistant in Account Management
SAP_ISB_ACCOUNTS_STAFF_AG | SAP Banking BCA: Clerical Staff in Account Management
For more information on authorization management and the authorization objects in Bank Customer Accounts, see the product assistance documentation, under Enterprise Business Applications Finance SAP Banking Bank Customer Accounts (BCA) General Subjects Authorization Administration, and its subtopic Authorization Objects.
Bank Customer Accounts (BCA) also contains the following business transaction events on the subject of
authorizations:
Table 427:
Business Transaction Event | Name
SAMPLE_INTERFACE_00011040 | AUTH1 account
SAMPLE_INTERFACE_00011700 | Authorization checks/authorization type
SAMPLE_INTERFACE_00010950 | Check management
SAMPLE_INTERFACE_00010210 | Payment item dialog
SAMPLE_INTERFACE_00010410 | Payment order dialog
SAMPLE_INTERFACE_00010411 | Standing order dialog
13.14.3.2.2 Network and Communication Security
Bank Customer Accounts (BCA) communicates with the following external systems:
● Payment transaction systems
● Interest income tax
● Financial Accounting (FI), if Financial Accounting (FI) runs on another system
Encrypt communication with external systems in accordance with the SAP standards.
Communication with all external systems is performed via Remote Function Call (RFC).
13.14.3.2.3 Data Storage Security
The security of sensitive objects such as savings accounts and checking accounts is guaranteed by the general
authorization concept of Bank Customer Accounts (BCA).
For employee accounts, the following security mechanisms are available in addition to the general authorization concept:
● The following special authorization objects:
○ F_EMAC_MTH
○ F_EMAC_TRN
● The following special field modification criterion of the Business Data Toolset (BDT):
○ FMOD1
This criterion is applied to employee accounts.
Using Logical Path and Filenames to Protect Access to the File System
The Bank Customer Accounts (BCA) application saves data in files in the file system. Therefore, you must provide
access to the corresponding files in the file system without allowing access to other directories or files (also
known as directory traversal).
You can do this by specifying logical paths and file names in the system that map to the physical paths and file names. The system validates this mapping at runtime, and if access is requested to a directory that does not match a defined mapping, the system issues an error message.
The following lists the logical file names and paths used by Bank Customer Accounts (BCA) and the programs for
which these file names and paths apply:
Logical File Names Used in This Application
The following logical file names have been created to enable the validation of physical file names:
● BKK_PAYMEX_DE_DTA_FILE
Program using this logical file name: RFBKPAYMEX_DE_DTA
Parameters used in this context: None
● BKK_PAYMIN_DE_DTA_FILE
Programs using this logical file name: RFBKPAYMIN_DE_DTA, RFBKPAYMINREST_DE_DTA, RFBKPAYMINREV_DE_DTA
Parameters used in this context: None
Logical File Paths Used in This Application
The logical file name BKK_PAYMEX_DE_DTA_FILE uses the logical file path BKK_PAYMEX_DE_DTA.
The logical file name BKK_PAYMIN_DE_DTA_FILE uses the logical file path BKK_PAYMIN_DE_DTA.
Activating the Validation of Logical Path and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To find out which
paths are being used by your system, you can activate the corresponding settings in the Security Audit Log.
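As an added illustration of the runtime validation described above (example code, not the BCA programs or any SAP code): the logical file names and logical paths are the ones listed in this section, the physical directories are constructed stand-ins for what FILE and SF01 would hold, and the check refuses any requested file name that would resolve outside the directory of its logical path. The validate=False branch mirrors the deactivated default mentioned above, so you can see what a missing check lets through.

```python
from __future__ import annotations

from pathlib import PurePosixPath

# Logical file name -> logical path, as listed in the guide.
LOGICAL_FILE_NAMES = {
    "BKK_PAYMEX_DE_DTA_FILE": "BKK_PAYMEX_DE_DTA",
    "BKK_PAYMIN_DE_DTA_FILE": "BKK_PAYMIN_DE_DTA",
}

# Logical path -> physical directory. Constructed for this example; in a real
# system the mapping is maintained with transactions FILE and SF01.
PHYSICAL_PATHS = {
    "BKK_PAYMEX_DE_DTA": "/usr/sap/interfaces/bca/dta/out",
    "BKK_PAYMIN_DE_DTA": "/usr/sap/interfaces/bca/dta/in",
}


class PathValidationError(Exception):
    """Raised when a requested file would leave its logical path."""


def normalise(path: PurePosixPath) -> PurePosixPath:
    """Collapse '.' and '..' lexically, without touching the file system, so a
    name such as 'a/../../b' is judged by where it really points."""
    parts: list[str] = []
    for part in path.parts:
        if part == "..":
            if parts and parts[-1] != "/":
                parts.pop()
        elif part != ".":
            parts.append(part)
    return PurePosixPath(*parts)


def resolve_physical(logical_file: str, file_name: str, *, validate: bool = True) -> str:
    """Map a logical file name plus a caller-supplied file name to a physical path.

    validate=False reproduces the 'validation deactivated' default the guide
    mentions for downward compatibility: the name is joined without any check.
    With validate=True the result must be a file strictly below the directory
    of the logical path; absolute names, NUL bytes and '..' escapes are refused.
    """
    try:
        base = PurePosixPath(PHYSICAL_PATHS[LOGICAL_FILE_NAMES[logical_file]])
    except KeyError:
        raise PathValidationError(f"no mapping for logical file name {logical_file!r}") from None
    if not validate:
        return str(base / file_name)  # legacy behaviour: whatever the caller sent
    if "\x00" in file_name:
        raise PathValidationError("NUL byte in file name")
    requested = PurePosixPath(file_name)
    if requested.is_absolute():
        raise PathValidationError(f"absolute file name {file_name!r} not allowed")
    physical = normalise(base / requested)
    if base not in physical.parents:
        raise PathValidationError(f"{file_name!r} resolves outside {base}")
    return str(physical)


def is_allowed(logical_file: str, file_name: str) -> bool:
    """Boolean form of the check, e.g. for a pre-flight report over a job's file list."""
    try:
        resolve_physical(logical_file, file_name)
        return True
    except PathValidationError:
        return False


if __name__ == "__main__":
    print(resolve_physical("BKK_PAYMEX_DE_DTA_FILE", "DTAUS0_constructed.txt"))
    print(is_allowed("BKK_PAYMIN_DE_DTA_FILE", "../out/DTAUS0_constructed.txt"))
    # Without validation the escape is passed straight through.
    print(resolve_physical("BKK_PAYMIN_DE_DTA_FILE", "../out/DTAUS0_constructed.txt", validate=False))
```

The comparison is done on the normalised path and against the directory, not by string prefix, so a sibling directory whose name merely starts with the same characters (for example "in" and "in_old") is not mistaken for a permitted location.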
13.14.3.2.4 Deletion of Personal Data in IS-B-BCA
Use
The Bank Customer Accounts (IS-B-BCA) component might process data (personal data) that is subject to the data protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 Product Assistance Cross Components Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 428:
Application | Detailed Description | Provided Deletion Functionality
BKK | For more information, see SAP Note 2023415. | BKK_BUPA_EVENT_EOP_CHECK; ILM object FIBA_BUPA
BKK | For more information, see Archiving or Destroying Bank Customer Accounts Data, and SAP Note 2023417. | ILM objects: BKKPRENOTE, FIBA_ACCNT, FIBA_EFTEX, FIBA_EFTIN, FIBA_ENRCH, FIBA_EVLIM, FIBA_HIERA, FIBA_HOLD, FIBA_ITEM, FIBA_ORDER, FIBA_STORD, FIBA_TERM
Available Check
Implemented Solution: End of Purpose Check
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in
Customizing for Cross-Application Components under Data Protection.
13.14.3.2.5 Specific Read Access Log Configurations
Use
In Read Access Logging (RAL), you can configure which read-access information to log and under which
conditions. SAP delivers sample configurations for applications.
The scenario Payment Document Display/Change/Create (Tx WZR(1/2/3)) in Settlement Management (LO-AB)
logs data in order to record any access to banking data related to a customer or a vendor. You can find the
configurations as described in the Read Access Logging [page 29] chapter.
In the following configurations, fields are logged in combination with additional fields, in the following business
contexts:
Table 429:
Configuration | Fields Logged | Business Context
LOAB_BANK | KOMWBRD-BANKL | Bank Keys
LOAB_BANK | KOMWBRD-BANKN | Bank account number
LOAB_BANK | KOMWBRD-BANKS | Bank country key
LOAB_BANK | KOMWBRD-BKONT | Bank country key
LOAB_BANK | KOMWBRD-BKREF | Reference specifications for bank details
LOAB_BANK | KOMWBRD-DTAMS | Instruction key for data medium exchange
LOAB_BANK | KOMWBRD-DTAWS | Indicator for Data Medium Exchange
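The following Python sketch, added as an example and not SAP's Read Access Logging implementation, shows the mechanics behind Table 429: the configuration LOAB_BANK names fields and business contexts, and a read of one of those fields in one of the configured channels (the WZR1/WZR2/WZR3 transactions named above) produces a log entry carrying user, channel, field and context, while reads of other fields or from other channels leave no trace. The record values, the user CLERK01 and the out-of-scope channel name OTHER_TX are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Table 429: configuration LOAB_BANK, logged field -> business context.
RAL_FIELDS = {
    "LOAB_BANK": {
        "KOMWBRD-BANKL": "Bank Keys",
        "KOMWBRD-BANKN": "Bank account number",
        "KOMWBRD-BANKS": "Bank country key",
        "KOMWBRD-BKONT": "Bank country key",
        "KOMWBRD-BKREF": "Reference specifications for bank details",
        "KOMWBRD-DTAMS": "Instruction key for data medium exchange",
        "KOMWBRD-DTAWS": "Indicator for Data Medium Exchange",
    },
}

# Channels in which the configuration applies: the payment document
# transactions WZR1/WZR2/WZR3 named in the text.
RAL_CHANNELS = {"LOAB_BANK": {"WZR1", "WZR2", "WZR3"}}


@dataclass
class LogEntry:
    user: str
    channel: str
    configuration: str
    field_name: str
    business_context: str


@dataclass
class ReadAccessLog:
    entries: list[LogEntry] = field(default_factory=list)


class LoggedStructure:
    """Wraps one structure (here KOMWBRD) so that every read of a configured
    field in a configured channel leaves a log entry. Only the field name is
    recorded here; a log that stores the values would itself hold bank data
    and need the same protection as the source."""

    def __init__(self, structure: str, values: dict[str, str], *, user: str,
                 channel: str, configuration: str, log: ReadAccessLog):
        self._structure = structure
        self._values = values
        self._user = user
        self._channel = channel
        self._configuration = configuration
        self._log = log

    def get(self, field_name: str) -> str:
        """Return the field value; log the read if configuration and channel say so."""
        qualified = f"{self._structure}-{field_name}"
        context = RAL_FIELDS.get(self._configuration, {}).get(qualified)
        in_scope = self._channel in RAL_CHANNELS.get(self._configuration, set())
        if context is not None and in_scope:
            self._log.entries.append(LogEntry(self._user, self._channel,
                                              self._configuration, qualified, context))
        return self._values[field_name]


def demo(channel: str = "WZR2") -> ReadAccessLog:
    """Constructed scenario: a clerk opens a payment document and the screen
    reads the company code, the bank account number and the bank key."""
    log = ReadAccessLog()
    # Constructed sample values, not real bank data.
    komwbrd = {"BUKRS": "1000", "BANKN": "0000123456", "BANKL": "10000000", "BANKS": "DE"}
    doc = LoggedStructure("KOMWBRD", komwbrd, user="CLERK01", channel=channel,
                          configuration="LOAB_BANK", log=log)
    doc.get("BUKRS")   # not a configured field: no entry
    doc.get("BANKN")   # logged with context "Bank account number"
    doc.get("BANKL")   # logged with context "Bank Keys"
    return log


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry)
```

The channel condition is the part worth remembering when reviewing RAL coverage: the same KOMWBRD-BANKN read through a channel that is not in the configuration produces no entry, so the configured channels must match the ways the data is actually reached.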
13.14.3.3 Loans Management (FS-CML)
13.14.3.3.1 Authorizations
Authorization management for mortgage loans is based on the existing authorization concept in Loans Management (FS-CML).
The authorization check is performed according to the principle of inclusion, that is to say, if a user has
authorization to activate a business transaction, he or she also has authorization to delete it. The authorization for
making a posting includes the authorization for making a cancellation.
If other functions are called from a business transaction, the relevant authorization check is performed in this
business transaction before the other function is accessed. This avoids any termination of the functions that are
being called.
To set up your authorization management for mortgage loans, you can use the following roles included in the
delivery scope:
Table 430: Delivered roles for Loans Management (role, technical name, scope)
Loans Officer (SAP_CML_LOANS_OFFICER)
● Create, change, display, delete business partner
● Collateral value calculation, credit standing calculation and decision-making
● Maintain objects and securities
● Create contracts, or transfer from application or offer
● Enter disbursements
● Process correspondence
● Release loan (colleague or superior)
● Process business operations (such as charges, individual posting, payoff)
Credit Analyst (SAP_CML_CREDIT_ANALYST)
● Create, change, display, delete business partner
● Maintain loan enquiries, applications and offers
● Calculate credit standing
● Decision-making
● Maintain limits
● Calculate the collateral value
● Maintain objects and securities
Rollover Officer (SAP_CML_ROLLOVER_OFFICER)
● Loan rollover (individual and mass)
● Process correspondence
● Management of rollover file
● Maintain condition tables
Staff Accountant for Loans (SAP_CML_STAFF_ACCOUNTANT)
● Post transactions
● Clearing
● Create payments
● Post and monitor incoming payments
● Process waivers and write-offs
● Cancellation
● Accrual/deferral
● Valuation
● Generating accounting reports
Manager of Loans Department (SAP_CML_DEPARTM_MANAGER)
● Release
● Maintain condition tables
● Change limits
● Risk analysis
● Monitor file (rollover or process management)
● Monitor portfolio and portfolio trend using reports; reports and queries
Product Administrator (SAP_CML_PRODUCT_ADMIN)
● Update reference interest rates
● Maintain condition tables
● Maintain new business tables
Technical Administrator (SAP_CML_TECHNICAL_ADMIN)
● Perform mass runs (such as mass print run), set status of plan to completed, post planned records
● Currency conversion
● Update reference interest rates and currency rates
● Reorganization and data archiving
● Define queries, drilldown reporting forms and reports
● Maintain performance parameters
● Analyze change pointers
● Define export interfaces
You can assign these roles to the users in your company. Do not change the original roles: your changes would be
overwritten by the standard settings when the system is upgraded.
If you want to make adjustments, copy these roles. To do so, in the SAP Easy Access menu, choose Tools >
Administration > User Maintenance > Role Administration > Roles. Here you can group together authorizations
for consumer loans into your own defined roles, and assign these to users in your departments, for example. In
the first step you maintain the role menu. You can structure this yourself by adding and, if necessary, renaming
folders, transactions, and reports. In addition to manually grouping together the relevant transactions, you can
also transfer these from the SAP menu or another role. You then maintain the authorizations for your role. The
system proposes certain authorizations and their values; you can also add more objects. Then you generate the
authorization profile. Finally, you assign the users who are to have the authorizations contained in the role. You
can also assign the role to elements from organizational management, such as a position in the organization. The
advantage is that you do not have to maintain the user assignment individually in each role if a person changes
jobs. You can also use this function for release.
13.14.3.3.2 Network and Communication Security
Loans Management (FS-CML) does not communicate with other systems, with one exception: the loan origination
process. In this process, CRM serves as the entry system and FS-CML as the back-end system, and
communication takes place by means of SAP Exchange Infrastructure (XI).
13.14.3.3.3 Data Storage Security
The security of sensitive data in Loans Management (such as loan contracts, consumer loans, collateral values,
credit standing calculations, collateral) is enforced by the general authorization concept of Loans Management
(FS-CML).
It is possible to display business partner data from Loans Management. You can use the authorization concept of
central SAP Business Partner to protect this data.
For more information about authorizations and security of data storage in SAP Business Partner, see SAP Service
Marketplace at service.sap.com/securityguide > SAP NetWeaver Security Guide > Security Guides for the SAP
NetWeaver Products > SAP NetWeaver Application Server Security Guide > SAP NetWeaver AS Security Guide
for ABAP Technology > Security Aspects When Using Business Objects > SAP Business Partner Security.
Using Logical Path and File Names to Protect Access to the File System
The Loans Management (FS-CML) application saves data in files in the file system. Therefore, you must provide
access to the corresponding files in the file system without allowing access to other directories or files (an attack
that reaches such files through a manipulated name is known as directory traversal).
You can do this by specifying logical paths and file names in the system that map to the physical paths and file
names. The system validates this mapping at runtime and, if access is requested to a directory that does not
match a defined mapping, the system issues an error message.
The following lists the logical file names and paths used by Loans Management (FS-CML) and the programs for
which these file names and paths apply:
Logical File Names Used in This Application
The following logical file names have been created to enable the validation of physical file names:
● CML_PAYMENT_US
○ Programs using this logical file name: RFVD_AUTODRAFT_PROCESS, RFVD_PAY_STOP
○ Parameters used in this context: None
● CML_CREDIT_BUREAU
○ Program using this logical file name: RFVD_CBR_PROCESS
○ Parameters used in this context: None
● CML_MIGRATION_OBJECTS_LOGFILE_IN
○ Program using this logical file name: RFVOBJ01
○ Parameters used in this context: None
● CML_MIGRATION_OBJECTS_LOGFILE_OUT
○ Programs using this logical file name: RFVOBJ01, RFVOBJ01_CREATE_STRUCTURE
○ Parameters used in this context: None
● CML_MIGRATION_OBJECTS_PHYSFILE_IN
○ Program using this logical file name: RFVOBJ01
○ Parameters used in this context: None
● CML_MIGRATION_OBJECTS_PHYSFILE_OUT
○ Programs using this logical file name: RFVOBJ01, RFVOBJ01_CREATE_STRUCTURE
○ Parameters used in this context: None
● CML_MIGRATION_COLLATERALS_LOGFILE_IN
○ Program using this logical file name: RFVSIC01
○ Parameters used in this context: None
● CML_MIGRATION_COLLATERALS_LOGFILE_OUT
○ Programs using this logical file name: RFVSIC01, RFVSIC01_CREATE_STRUCTURE
○ Parameters used in this context: None
● CML_MIGRATION_COLLATERALS_PHYSFILE_IN
○ Program using this logical file name: RFVSIC01
○ Parameters used in this context: None
● CML_MIGRATION_COLLATERALS_PHYSFILE_OUT
○ Programs using this logical file name: RFVSIC01, RFVSIC01_CREATE_STRUCTURE
○ Parameters used in this context: None
Logical File Paths Used in This Application
● The logical file names CML_PAYMENT_US and CML_CREDIT_BUREAU use the logical file path CML_ROOT.
● The logical file names CML_MIGRATION_OBJECTS_LOGFILE_IN, CML_MIGRATION_OBJECTS_LOGFILE_OUT,
CML_MIGRATION_OBJECTS_PHYSFILE_IN, CML_MIGRATION_OBJECTS_PHYSFILE_OUT,
CML_MIGRATION_COLLATERALS_LOGFILE_IN, CML_MIGRATION_COLLATERALS_LOGFILE_OUT,
CML_MIGRATION_COLLATERALS_PHYSFILE_IN and CML_MIGRATION_COLLATERALS_PHYSFILE_OUT use the
logical file path CML_MIGRATION.
Activating the Validation of Logical Path and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default, so until you maintain the mapping no check
takes place. To activate the validation at runtime, maintain the physical path using transactions FILE
(client-independent) and SF01 (client-specific). To find out which paths are being used by your system, you can
activate the corresponding settings in the Security Audit Log.
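To make the check concrete, here is an added Python model of the logical path and file name validation. It is example code written for this guide's readers, not SAP code and not the implementation behind transaction FILE. The logical file names and their assignment to CML_ROOT and CML_MIGRATION are the ones listed above; the physical directories, the sample file names and the validation_active switch are assumptions for illustration.

```python
"""Logical path / file name validation modelled after the FILE mapping.

Added example: this is not SAP code. It shows why a requested physical file
must be resolved through a logical path and checked against the directory
that path maps to, and what the "deactivated by default" state lets through.
"""
import posixpath

# Constructed mapping. The logical names and the CML_ROOT / CML_MIGRATION
# assignment are taken from the guide; the physical directories are assumed.
LOGICAL_PATHS = {
    "CML_ROOT": "/usr/sap/trans/cml",
    "CML_MIGRATION": "/usr/sap/trans/cml/migration",
}

LOGICAL_FILES = {
    "CML_PAYMENT_US": "CML_ROOT",
    "CML_CREDIT_BUREAU": "CML_ROOT",
    "CML_MIGRATION_OBJECTS_LOGFILE_IN": "CML_MIGRATION",
    "CML_MIGRATION_OBJECTS_LOGFILE_OUT": "CML_MIGRATION",
    "CML_MIGRATION_OBJECTS_PHYSFILE_IN": "CML_MIGRATION",
    "CML_MIGRATION_OBJECTS_PHYSFILE_OUT": "CML_MIGRATION",
    "CML_MIGRATION_COLLATERALS_LOGFILE_IN": "CML_MIGRATION",
    "CML_MIGRATION_COLLATERALS_LOGFILE_OUT": "CML_MIGRATION",
    "CML_MIGRATION_COLLATERALS_PHYSFILE_IN": "CML_MIGRATION",
    "CML_MIGRATION_COLLATERALS_PHYSFILE_OUT": "CML_MIGRATION",
}


class PathValidationError(Exception):
    """Raised when a physical file name escapes its logical path."""


def resolve_physical(logical_file: str, physical_name: str,
                     validation_active: bool = True) -> str:
    """Resolve physical_name (as supplied by a user or a job variant) against
    the directory of the logical path that logical_file belongs to.

    validation_active=False mirrors the delivered default described in the
    guide: the mapping exists in the program, but nothing compares the
    resolved name with the permitted directory.
    """
    if logical_file not in LOGICAL_FILES:
        raise PathValidationError(f"unknown logical file name {logical_file}")
    base = LOGICAL_PATHS[LOGICAL_FILES[logical_file]]

    # posixpath.join discards base when physical_name is absolute, and
    # normpath collapses "." and ".." components, so candidate is the path
    # the operating system would actually open.
    candidate = posixpath.normpath(posixpath.join(base, physical_name))

    if not validation_active:
        return candidate

    if "\0" in physical_name:
        raise PathValidationError("NUL byte in file name")
    # "Inside the permitted directory" means strictly below it with a
    # separator in between. A bare prefix test would also accept
    # /usr/sap/trans/cml_evil next to /usr/sap/trans/cml; the base itself is
    # a directory, not a file, and is rejected too.
    if candidate == base or not candidate.startswith(base + "/"):
        raise PathValidationError(
            f"{physical_name!r} resolves to {candidate}, outside {base}")
    return candidate


def is_allowed(logical_file: str, physical_name: str) -> bool:
    """True if the name passes validation for that logical file."""
    try:
        resolve_physical(logical_file, physical_name)
    except PathValidationError:
        return False
    return True


if __name__ == "__main__":
    # Constructed requests: two legitimate ones, then traversal attempts.
    checks = [
        ("CML_PAYMENT_US", "payments_2017.txt"),
        ("CML_MIGRATION_OBJECTS_PHYSFILE_IN", "objects.csv"),
        ("CML_MIGRATION_OBJECTS_PHYSFILE_IN", "../../../../../etc/passwd"),
        ("CML_CREDIT_BUREAU", "/etc/passwd"),
        ("CML_MIGRATION_OBJECTS_PHYSFILE_IN", "../payments_2017.txt"),
    ]
    for name, phys in checks:
        verdict = "ok" if is_allowed(name, phys) else "REJECTED"
        print(f"{name:40} {phys:30} -> {verdict}")
```

The last request shows the point of having separate logical paths: a migration program bound to CML_MIGRATION cannot be steered to a payment file in CML_ROOT even though both directories are readable by the application server user. The model does not resolve symbolic links; the real check on the server has to.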
13.14.3.3.4 Deletion of Personal Data in FS-CML
Use
The Consumer Mortgage Loans (FS-CML) component might process data (personal data) that is subject to the
data protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to
control the blocking and deletion of personal data. For more information, see the product assistance for SAP
S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 > Product Assistance > Cross
Components > Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 431: Application object, description, provided deletion functionality
● CMLCONTRCT (Loan Master Data): archiving object CMLCONTRCT; ILM object CMLCONTRCT
● CMLMODCALC (Model Calculation): archiving object CMLMODCALC; ILM object CMLMODCALC
● CMLCRSTND (Credit Standing Calculation): destruction object CML_CRSTANDCALC_DESTRUCTION; ILM object
CML_CRSTANDCALC_DESTRUCTION
● CMLINTPAR (Interested Party): destruction object CML_INTERESTPARTY_DESTRUCTION; ILM object
CML_INTERESTPARTY_DESTRUCTION
● CMLCOLLATE (Collaterals): destruction object CMLCOLLATE; ILM object CMLCOLLATE
● CMLCOLOBJ (Collateral Objects): destruction object CMLCOLOBJ; ILM object CMLCOLOBJ
Relevant Application Objects and Available EoP Functionality
Table 432: Application object, description, implemented end-of-purpose (EoP) check
● CMLCONTRCT (Loan Master Data): FLBP_CONTR_EVENT_EOP_CHECK
● CMLMODCALC (Model Calculation): FLBP_MODELCALC_EVENT_EOP_CHECK
● CMLCRSTND (Credit Standing Calculation): FLBP_CR_STND_EVENT_EOP_CHECK
● CMLINTPAR (Interested Party): FLBP_INT_PAR_EVENT_EOP_CHECKN
● CMLCOLLATE (Collaterals): FLBP_COLLTRL_EVENT_EOP_CHECK
● CMLCOLOBJ (Collateral Objects): FLBP_COLLOBJ_EVENT_EOP_CHECK
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in
Customizing for Cross-Application Components under Data Protection.
13.14.3.4 Collateral Management (CM)
Purpose
The purpose of this guide is to explain the security-specific features built into SAP Collateral Management (CM).
To understand the security features provided in CM, you must read the SAP NetWeaver Application Server
security guide (service.sap.com), which describes the basic security aspects and measures for SAP systems.
13.14.3.4.1 Authorizations
A multitude of standard roles are shipped with SAP Collateral Management (CM) in SAP ECC 6.0. These roles are
of exemplary character and must be adapted by customers to their own requirements.
Note
Do not use the standard roles in your production systems without modification. Use the Profile Generator
(transaction PFCG) to identify the standard roles and to create your own roles from them.
The following roles are available in CM for banks:
Table 433: Role and purpose
● SAP_FS_CMS_DISPLAY_ALL: Displaying all the entity objects in CM.
● SAP_FS_CMS_MAINTAIN_ALL: Maintaining (create, change and display only) all entity objects.
● SAP_FS_CMS_MAINTAIN_ALL_PRC: Executing all the process-related activities in addition to maintenance of
objects.
● SAP_FS_CMS_CUST_ALL: Customizing.
● SAP_FS_CMS_ADMIN: CM administrator role.
● SAP_FS_CMS_COL_AUDITOR: Maintaining all the entity objects and access to run all the reports in CM.
● SAP_FS_CMS_CREDIT_MANAGER: Displaying collateral objects and collateral agreements.
● SAP_FS_CMS_CREDIT_RISK_MANAGER: Maintaining collateral objects and collateral agreements and displaying
receivables.
● SAP_FS_CMS_LIQUIDATION_OFFICER: Maintaining liquidation measures.
Authorization Objects in CM
Table 434: Technical name and name
● CMS_PCN_02: Authorization for activities (change request mode)
● CMS_PCN_01: Authorization for activities (normal mode)
● CMS_OMS1: Authorization for all collateral objects other than real estate (replaces CMS_OMS from ECC 6.0
onwards)
● CMS_OMS: Authorization for all collateral objects other than real estate (obsolete from ECC 6.0 onwards)
● CMS_CAG: Authorization object for collateral agreements
● CMS_RE: Authorization object for real estate objects in CM
● CMS_RBL: Authorization object for receivables in CM
Characteristic-Based Authorizations
In Collateral Management, all objects must belong to an administration organizational unit. The authorization
objects for collateral objects (real estate and other collateral objects) and collateral agreements are based on a
combination of the administration organizational unit and the entity type (assigned using a process control key).
For receivables, the authorizations are based on the receivable organizational unit, the receivable status and the
product. Authorizations for receivables apply both to receivables created in CM and to the local copies of
receivables from external credit systems.
Note
For example, you can use the attribute administration organizational unit to differentiate between the objects of
employees, VIP customers and normal customers. You can also create objects in these organizational units as
characteristics, which can then also be used to protect application data.
13.14.3.4.2 Network Communication and Security
The table below shows the communication paths used by SAP Collateral Management (CM), the protocol used
for the connections and the type of data transferred.
Table 435: Communication path, protocol used, type of data transferred
● Financial Customer Information System (FS-Business Partner): RFC; business partner master data
● SAP Document Management System (DMS): RFC; document data
● Loans Management (CML): RFC; loan data
● SAP Business Information Warehouse (BIW): IDoc and RFC; collateral agreements, collateral objects, charges,
collateral agreement – receivable assignment and calculation data
● SAP Bank Analyzer (Basel II): IDoc and RFC; collateral agreements, collateral objects, charges, collateral
agreement – receivable assignment and calculation data
The following RFC connections have to be set up for operating CM. Do not create the users for these connections
as dialog users; use system or communication users that carry only the authorizations listed here.
● RFC communication with the tool BW
● RFC communication within the tool BW
● RFC communication in the context of import methods for the client copy. The relevant authorization objects
are: S_TABU_DIS, S_RS_ICUBE, S_RS_ADMWB, S_RS_ISOUR, S_BTCH_ADM, S_ADMI_FCD, S_BTCH_JOB,
S_RS_ODSO, S_RS_ISET
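An added example, not SAP code, of the check a practitioner runs to enforce the advice above: given an extract of the user master (columns BNAME and USTYP of table USR02) and the logon users of the RFC destinations as displayed in SM59, it flags every destination whose user is a dialog user or is missing from the extract. Both inputs are constructed here, and all user and destination names are invented; how you export the real data (SE16 download, a custom report) is up to you.

```python
"""Flag RFC destinations that log on with a dialog user.

Added example, not SAP code. Inputs are constructed tab-separated extracts:
USR02 (BNAME, USTYP) and the destination/logon-user pairs from SM59.
"""
import csv
import io

# USR02-USTYP values: A dialog, B system, C communication, L reference, S service.
USER_TYPES = {"A": "Dialog", "B": "System", "C": "Communication",
              "L": "Reference", "S": "Service"}
# Types acceptable for an RFC logon user: no interactive logon possible.
ACCEPTABLE_FOR_RFC = {"B", "C"}

# Constructed extract of the user master (names invented).
USR02_EXTRACT = """BNAME\tUSTYP
RFC_BW_LOAD\tB
BWBATCH\tA
RFC_CLIENTCOPY\tC
CMS_ADMIN\tA
"""

# Constructed list of destinations and their logon users (names invented).
RFC_DESTINATIONS = """DEST\tLOGON_USER
BW_LOAD\tRFC_BW_LOAD
BW_INTERNAL\tBWBATCH
CLIENT_COPY_IMPORT\tRFC_CLIENTCOPY
CMS_TO_BANKANALYZER\tCMS_ADMIN
LEGACY_FEED\tZ_GHOST
"""


def parse_tsv(text: str) -> list:
    """Rows of a tab-separated extract with a header line, as dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def audit_rfc_users(usr02_text: str, rfcdes_text: str) -> list:
    """Return (destination, user, finding) for every destination whose logon
    user is not a system or communication user.

    A user that is absent from the user extract is reported as well: a
    destination that logs on with a user you cannot account for is a finding,
    not a pass.
    """
    user_type = {row["BNAME"]: row["USTYP"] for row in parse_tsv(usr02_text)}
    findings = []
    for row in parse_tsv(rfcdes_text):
        dest, user = row["DEST"], row["LOGON_USER"]
        ustyp = user_type.get(user)
        if ustyp is None:
            findings.append((dest, user, "user not in user master extract"))
        elif ustyp not in ACCEPTABLE_FOR_RFC:
            label = USER_TYPES.get(ustyp, ustyp)
            findings.append((dest, user, f"{label} user used for RFC"))
    return sorted(findings)


if __name__ == "__main__":
    for dest, user, why in audit_rfc_users(USR02_EXTRACT, RFC_DESTINATIONS):
        print(f"{dest:24} {user:16} {why}")
```

Run the same check after every transport that touches SM59, and extend the acceptable set only if you have a documented reason for a service or reference user on a destination.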
CM provides the following business application programming interfaces (BAPIs) for allowing external systems to
connect to it:
● BAPI_CM_AST_GET_MULTI
● BAPI_CM_CAG_CREATE
● BAPI_CM_CAG_GETDETAIL_MULTI
● BAPI_CM_CAG_GET_BY_RBL
● BAPI_CM_GENLNK_RBL_ON_RBL_01
● BAPI_CM_GENLNK_RBL_ON_RBL_02
● BAPI_CM_SEC_GETDETAIL_MULTI
● BAPI_CM_RE_GETDETAIL_MULTI
● BAPI_CM_RIG_GETDETAIL_MULTI
● BAPI_CM_MOV_GETDETAIL_MULTI
BAPIs are standard SAP interfaces and are important in the technical integration and exchange of business data
between SAP components and between SAP and non-SAP components. BAPIs enable you to integrate these
components and are therefore an important part of developing integration scenarios where multiple components
are connected to each other, either on a local network or on the internet.
BAPIs allow integration at the business level rather than the technical level. This provides greater stability of the
linkage and independence from the underlying communication technology.
The current requirement for BAPIs in CM caters mainly to migration scenarios. Hence these BAPIs are not
protected by any application-specific authorization checks; only the general RFC-level checks apply. Restrict the
RFC users that may call them (authorization object S_RFC) and do not expose them to integration partners
beyond the migration. Authorization checks for BAPIs can be provided in future releases if there are
requirements for them.
CM also provides an extensive enhancement concept that offers user exits in the form of Business Add-Ins
(BADIs).
Network Security and Communication Channels
Collateral Management (CM) uses the same communication channels that are described in the SAP NetWeaver
AS security guide. No further customer-specific communication channels are provided. Hence the aspects and
actions described in the SAP NetWeaver AS security guide (such as use of SAProuter in combination with a
firewall, use of Secure Network Communication (SNC), communication between front end and application server,
and the connection to the database) also apply to CM.
13.14.3.5 Reserve for Bad Debt (FS-RBD)
13.14.3.5.1 Authorizations
The authorization concept used by Reserve for Bad Debt (RBD) is the same as the SAP authorization concept.
The authorization checks in RBD differentiate between the following dimensions:
● Activities
You use the activity to control what a user is permitted to do.
● Organization
At the level of the RBD-specific objects RBD Area or Organizational Unit, you specify which data the user is
permitted to display or edit in accordance with the activity.
Standard Profiles
Preconfigured standard roles are not shipped with RBD. The following standard profiles are shipped with the SAP
system:
Table 436: Standard Profiles (profile and description)
● S_A.SYSTEM: Access authorizations for the basis system only
● S_A.ADMIN: Access authorizations for administration of the operational SAP system, but without access
authorization for the following areas: ABAP/4 Development Workbench; maintenance of super users;
maintenance of standard profiles beginning with "S_A"
● S_A.DEVELOP: Access authorizations for users who work with the ABAP/4 Development Workbench
● S_A.CUSTOMIZ: Access authorizations for basis settings in the Customizing system
● S_A.USER: Access authorizations for end users (without access authorization for SAP work areas)
Authorization Objects
The following authorization objects are shipped with Reserve for Bad Debt (RBD).
Table 437: RBD Authorization Objects (fields: Activity, RBD Area, Organizational Unit)
● RBD_CUST (RBD: Customizing)
○ Activity: 16 (Execute)
○ RBD Area: not relevant
○ Organizational Unit: not relevant
● RBD_EDIT (RBD: Dialog & Batch)
○ Activity: 01 (Add or Create), 02 (Change), 03 (Display), 05 (Lock), 10 (Post), 66 (Update), 85 (Reverse),
86 (Transfer Post), 91 (Reactivate), 95 (Unlock), H1 (Deactivate)
○ RBD Area: according to Customizing (table /IBS/CRB_RBD_P)
○ Organizational Unit: according to Customizing (table /IBS/CRB_ORGEIN)
● RBD_REPO (RBD: Reporting)
○ Activity: not relevant
○ RBD Area: according to Customizing (table /IBS/CRB_RBD_P)
○ Organizational Unit: according to Customizing (table /IBS/CRB_ORGEIN)
● /IBX/EDIT (IPX: Dialog & Batch)
○ Activity: 02 (Change), 03 (Display), 06 (Delete), 10 (Post), 21 (Transfer Valuation), 23 (Maintain),
41 (Delete on Database), 43 (Release), 46 (Aggregate Valuation), 60 (Import), 69 (Delete Valuation),
71 (Analyze), 78 (Assign), 85 (Reverse), 93 (Calculate), 94 (Override)
○ RBD Area: according to Customizing (table /IBS/CRB_RBD_P)
○ Organizational Unit: not relevant
Caution
For the RBD Area and Organizational Unit authorization fields, you can use the wildcard symbol "*". If you use
the wildcard symbol, the relevant authorization field is not checked at all, so "*" grants access across all RBD
areas or all organizational units. Use it only where that is intended.
Example
Description in relation to these authorization objects:
● The assignment of authorization object RBD_CUST with activity 16 gives the user authorization to use the
function RBD Tool Customizing: Duplicate Account Determination (/IBS/MRB_CUST_KTOFI).
● The assignment of authorization object RBD_EDIT with activity 01 and RBD area 0001 enables a user to
create an RBD account in RBD area 0001.
● The assignment of authorization object RBD_EDIT with activity 02, RBD area 0002, and organizational unit
London enables a user to change the data for an RBD account in RBD area 0002 that is assigned to the
organizational unit London.
However, if the user is not assigned any other access authorizations, he or she cannot change an RBD
account from RBD area 0002 that is assigned to the organizational unit "Tokyo".
● The assignment of authorization object RBD_EDIT with activities 02 and 10 and RBD area 0003 enables a
user to create and post planned records for an RBD account in RBD area 0003.
However, a prerequisite for this is that the principle of multiple control for posting planned records (risk
provision proposals) has not been activated in Customizing for RBD.
● The assignment of authorization object RBD_REPO with RBD area "*" and organizational unit "*" allows a
user to display the RBD data for all RBD areas and all organizational units using the reports in the RBD
information system.
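The field semantics described in the caution and in the example bullets, modelled in Python as an added example (not SAP code and not the ABAP AUTHORITY-CHECK statement): the object names and activity values are the ones from Table 437; the field names ACTVT, RBD_AREA and ORG_UNIT, the user records and the prefix-wildcard handling are assumptions for illustration.

```python
"""Modelled authority check for the RBD authorization objects.

Added example, not SAP code. It reproduces the behaviour the guide describes
for the activity, RBD area and organizational unit fields, including the
effect of "*" (the field is no longer checked), on the guide's own examples.
"""
from dataclasses import dataclass


@dataclass
class Authorization:
    """One authorization instance of an object as maintained in a PFCG role.
    fields maps a field name (assumed names) to the tuple of permitted values."""
    obj: str
    fields: dict


def value_permits(permitted: str, actual: str) -> bool:
    """'*' alone matches any value; a trailing '*' matches a prefix; anything
    else must match exactly. Range values (from/to) are not modelled."""
    if permitted == "*":
        return True
    if permitted.endswith("*"):
        return actual.startswith(permitted[:-1])
    return permitted == actual


def authority_check(auths, obj: str, **required) -> bool:
    """True if at least one authorization for obj satisfies every required
    field. Fields the caller does not name are not examined, which is how a
    check that marks a field as 'not relevant' behaves."""
    for auth in auths:
        if auth.obj != obj:
            continue
        if all(any(value_permits(p, actual) for p in auth.fields.get(name, ()))
               for name, actual in required.items()):
            return True
    return False


# Wrappers for the checks the guide describes ------------------------------

def can_edit_account(auths, activity: str, area: str, org_unit: str) -> bool:
    """Account management transactions: RBD_EDIT with activity, RBD area and
    organizational unit all relevant."""
    return authority_check(auths, "RBD_EDIT", ACTVT=activity,
                           RBD_AREA=area, ORG_UNIT=org_unit)


def can_report(auths, area: str, org_unit: str) -> bool:
    """Information-system reports: RBD_REPO with RBD area and organizational
    unit relevant; activity is not relevant and therefore not passed."""
    return authority_check(auths, "RBD_REPO", RBD_AREA=area, ORG_UNIT=org_unit)


def can_customize(auths) -> bool:
    """/IBS/MRB_CUST_KTOFI: RBD_CUST with activity 16, other fields not relevant."""
    return authority_check(auths, "RBD_CUST", ACTVT="16")


def overreach(auths, obj: str) -> list:
    """Fields of obj granted with a bare '*': the ones to question before a
    role goes to production."""
    return sorted({name for a in auths if a.obj == obj
                   for name, values in a.fields.items() if "*" in values})


# Constructed users mirroring the guide's example bullets (names invented).
LONDON_CLERK = [
    Authorization("RBD_EDIT", {"ACTVT": ("02",), "RBD_AREA": ("0002",),
                               "ORG_UNIT": ("LONDON",)}),
]
CREATOR_0001 = [
    Authorization("RBD_EDIT", {"ACTVT": ("01",), "RBD_AREA": ("0001",),
                               "ORG_UNIT": ("*",)}),
]
AUDITOR = [
    Authorization("RBD_REPO", {"RBD_AREA": ("*",), "ORG_UNIT": ("*",)}),
]
REGIONAL_HEAD = [
    # Prefix wildcard: every RBD area that starts with "00", any org unit.
    Authorization("RBD_EDIT", {"ACTVT": ("02", "03"), "RBD_AREA": ("00*",),
                               "ORG_UNIT": ("*",)}),
    Authorization("RBD_CUST", {"ACTVT": ("16",)}),
]

if __name__ == "__main__":
    print("London clerk changes 0002/LONDON:",
          can_edit_account(LONDON_CLERK, "02", "0002", "LONDON"))
    print("London clerk changes 0002/TOKYO: ",
          can_edit_account(LONDON_CLERK, "02", "0002", "TOKYO"))
    print("Auditor reports on 0003/TOKYO:  ", can_report(AUDITOR, "0003", "TOKYO"))
    print("Auditor wildcards:", overreach(AUDITOR, "RBD_REPO"))
```

Two points the model makes visible: the London clerk with activity 02 cannot even display the account (03 is a separate value, not implied), and a report that declares the organizational unit "not relevant" simply never passes that field, so the value maintained in the role does not matter for it. The overreach helper is the review step to run on every role before transport.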
Use of RBD Authorization Objects
The following tables list, per transaction in the RBD area menu, the authorization object(s) checked with the
activities, and whether the RBD Area and Organizational Unit fields are relevant for the check.
Table 438: RBD Area Menu, Account Management Folder
● Create RBD Account (/IBS/RB_KTO_INS): RBD_EDIT (01); RBD area relevant, organizational unit relevant
● Change RBD Account (/IBS/RB_KTO_UPD): RBD_EDIT (02, 05, 10, 85, 95, H1); RBD area relevant,
organizational unit relevant
● Display RBD Account (/IBS/RB_KTO_DIS): RBD_EDIT (03); RBD area relevant, organizational unit relevant
● Reactivate RBD Account (/IBS/RB_KTO_REACT): RBD_EDIT (91); RBD area relevant, organizational unit relevant
● Balance Sheet Transfer RBD (/IBS/RB_RECLAS): RBD_EDIT (activity not relevant); RBD area not relevant,
organizational unit not relevant
● ECF: Balance Sheet Transfer (/IBS/RB_ECF_RECLAS): RBD_EDIT (86); RBD area relevant, organizational unit
not relevant
● ECF: Contract Reallocation (/IBS/RB_REALLOC): RBD_EDIT (86) and RBD_REPO (activity not relevant); RBD
area relevant, organizational unit not relevant
● ECF: Manual Contract Management (/IBS/RB_MANCON): RBD_EDIT (01, 02, 03); RBD area relevant,
organizational unit not relevant
Table 439: RBD Area Menu, Information System Folder
● Worklist - Processor (/IBS/RB_WORKLIST and /IBS/RB_WORKLIST_SEL): RBD_REPO (activity not relevant)
with RBD area relevant, organizational unit relevant; RBD_EDIT (activity not relevant) with RBD area not
relevant, organizational unit not relevant
● Monitoring - Planned Record Change (/IBS/RB_MAN_PLAN_CHG): RBD_REPO and RBD_EDIT (activity not
relevant); RBD area not relevant, organizational unit relevant
● Decision Template for Past Analysis (/IBS/RB_PROPRES_HGB): RBD_REPO (activity not relevant) and S_GUI
(61); RBD area not relevant, organizational unit not relevant
● Decision Template for Future Analysis (/IBS/RB_PROPRES_IAS): RBD_REPO (activity not relevant) and S_GUI
(61); RBD area not relevant, organizational unit not relevant
● Decision Template for ECF Procedure (/IBS/RB_PROPRES_ECF): RBD_REPO (activity not relevant) and S_GUI
(61); RBD area not relevant, organizational unit not relevant
● Reporting Function (/IBS/RB_REPORTING): RBD_REPO (activity not relevant); RBD area not relevant,
organizational unit not relevant
● Development List (/IBS/RB_DEVL): RBD_REPO (activity not relevant); RBD area relevant, organizational unit
relevant
● Development List per Source System Contract (/IBS/RB_DEVL_SINGLE): RBD_REPO (activity not relevant);
RBD area relevant, organizational unit relevant
● Individual Document Table - Source System (/IBS/MRB_VS_SALDO): no authorization object; RBD area not
relevant, organizational unit not relevant
● Posting Log (/IBS/RB_LOG_POST): RBD_EDIT (03) and S_APPL_LOG (03); RBD area relevant, organizational
unit not relevant
● Drilldown Reporting with References (/IBS/RB_REF), IRP: Filling Report for ECF Gate (/IBS/RB_ECF_FILL) and
IVA: List of Notes for Multiple Source Systems (/IBS/RB_HINTM): RBD_REPO (activity not relevant); RBD area
relevant, organizational unit not relevant
Table 440: RBD Area Menu, Flat-Rate Value Adjustment Procedure Folder
● FVA: Fill RBD Gate for FS-CML (/IBS/RB_FILL_GATE): no authorization object; RBD area not relevant,
organizational unit not relevant
● FVA: Enrich RBD Gate (/IBS/RB_GATE_MODIFY): RBD_REPO (activity not relevant); RBD area relevant,
organizational unit not relevant
● FVA: Update Run (/IBS/RB_PWV_UPD): RBD_EDIT (10); RBD area relevant, organizational unit not relevant
● FVA: Update Run (PPF) (/IBS/RB_PWV_UPD_PPF): RBD_EDIT (10); RBD area relevant, organizational unit not
relevant
Table 441: RBD Area Menu, Periodic Processing Folder
● IVA: Update Run - Past Analysis (/IBS/RB_EWB_UPD): RBD_EDIT (10); RBD area relevant, organizational unit
relevant
● IVA: Filling Report - Future Analysis (/IBS/RB_IAS_FILL), IVA: Update Run - Future Analysis
(/IBS/RB_IAS_UPD), IVA: Update Run - Future Analysis (PPF) (/IBS/RB_IAS_UPD_PPF) and IVA: Unwinding
Run - Future Analysis (/IBS/RB_IAS_UPD_UNW): RBD_EDIT (02); RBD area relevant, organizational unit relevant
● IVA: Posting Run - Future Analysis (/IBS/RB_IAS_POST), IVA: Posting Run - Future Analysis (PPF)
(/IBS/RB_IAS_POST_PPF) and IVA: Unwinding Posting Run - Future Analysis (/IBS/RB_IAS_POST_UNW):
RBD_EDIT (10); RBD area relevant, organizational unit relevant
● IRP: Filling Report for ECF Gate (/IBS/RB_ECF_FILL): RBD_EDIT (02); RBD area not relevant, organizational
unit not relevant
● IRP: Deletion Report for ECF Gate (/IBS/RB_ECF_CLEAR): no authorization object; RBD area not relevant,
organizational unit not relevant
● IRP: ECF Update Run (/IBS/RB_ECF_UPDATE), IRP: ECF Update Run (PPF) (/IBS/RB_ECF_UPD_PPF), IRP: ECF
Unwinding Run (/IBS/RB_ECF_UPD_UNW) and IRP: ECF Unwinding Run (PPF) (/IBS/RB_UNW_PPF): RBD_EDIT
(02, 10); RBD area relevant, organizational unit not relevant
● IRP: ECF Creation Process (/IBS/RB_ECF_A_CREATE): RBD_EDIT (02); RBD area relevant, organizational unit
not relevant
Table 442: RBD Area Menu, Administration Folder
● RBD: Assign Administrator (/IBS/RB_ASSIGN_CO): RBD_EDIT (02); RBD area not relevant, organizational unit
not relevant
● RBD: Automatic Account Creation (/IBS/RB_ACC_CREATION): RBD_REPO (activity not relevant); RBD area
relevant, organizational unit not relevant
● IVA: Initialization - Future Analysis (/IBS/RB_IAS_UPD_INIT): RBD_EDIT (02); RBD area relevant,
organizational unit relevant
● IRP: ECF Initialization Run (/IBS/RB_ECF_UPD_INIT): RBD_EDIT (02, 10); RBD area relevant, organizational
unit not relevant
● IRP: ECF Initialization (PPF) (/IBS/RB_ECF_INIT_PPF): RBD_EDIT (02, 10); RBD area relevant, organizational
unit not relevant
Table 443: RBD Area Menu, Impairment Processing Extension - Environment Folder
● Upload Files (/IBX/FILE_UPLOAD): /IBX/EDIT (60); RBD area not relevant
● Maintain Import Data (/IBX/IMP_CHNG): /IBX/EDIT (43, 60); RBD area not relevant
● Main Dialog (/IBX/MAIN): /IBX/EDIT (03, 10, 94); RBD area not relevant
● Restrict Data Selection (/IBX/SELECTION): no authorization object; RBD area not relevant
Table 444: RBD Area Menu, Impairment Processing Extension - Processes Folder
● Start Migration (/IBX/MIGRATION): /IBX/EDIT (10, 78, 93); RBD area not relevant
● Import CSV Files (/IBX/IMPORT): /IBX/EDIT (60); RBD area not relevant
● Refine Imported Data (/IBX/IMP_REFINE): /IBX/EDIT (60, 93); RBD area not relevant
● Delete Import Data (/IBX/IMP_DELETE): /IBX/EDIT (06); RBD area not relevant
● Start Impairment Categorization (/IBX/IC_ASSIGN): /IBX/EDIT (78); RBD area not relevant
● Start Impairment Calculation (/IBX/CALCULATION): /IBX/EDIT (93); RBD area not relevant
● Delete Open Valuations (/IBX/VALUA_DELETE): /IBX/EDIT (69); RBD area not relevant
● Compress Open Valuations (/IBX/VALUA_COMPRESS): /IBX/EDIT (46); RBD area not relevant
● Transfer Simulated Valuations (/IBX/VALUA_TRANSFER): /IBX/EDIT (21); RBD area not relevant
● Display Logs (/IBX/COCKPIT): no authorization object; RBD area not relevant
Definition of Customer-Specific Roles
The following information is required for the definition of customer-specific roles:
● SAP logon names of all employees who are to work with RBD
● Relevant transactions that are to be executed in the respective role
● Relevant activities that are to be executed within the relevant transactions
● RBD areas and organizational units affected
To avoid having to define a separate role for each employee, we recommend that you form groups of employees
that are permitted to execute the same functions. You can then assign a defined role to all of the employees in the
group.
13.14.3.5.2 Network and Communication Security
Depending on the risk provision method used and analysis horizon, the Reserve for Bad Debt (FS-RBD)
application communicates with the following systems:
● SAP Loans Management for Banking, Suite Edition (FS-CML)
● SAP Deposits Management for Banking, Suite Edition (IS-B-BCA)
● SAP Deposits Management for Banking (FS-AM)
● SAP Collateral Management for Banking, Suite Edition (FS-CMS)
● SAP General Ledger Accounting (FI-GL)
Communication takes place using Remote Function Call (RFC).
13.14.3.5.2.1 Communication Destinations
For Remote Function Call (RFC) connections to SAP Deposits Management for Banking (FS-AM), technical users
are required.
These technical users require only read authorization, for example to read balances and account master data.
13.14.3.5.3 Trace and Log Files
Trace or log files are created during processing. These can contain security-relevant information such as master
data, balances, and flow data from source system contracts, so restrict access to them in the same way as access
to the application data itself.
13.14.4 Higher Education and Research
13.14.4.1 Authorizations
The SAP ECC Industry Extension Higher Education & Research component uses the authorization concept
provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations as described in
the SAP NetWeaver Security Guides also apply to this component. The SAP NetWeaver authorization concept is
based on assigning authorizations to users based on roles. For role maintenance, use the profile generator
(transaction PFCG) when using ABAP technology and the User Management Engine's user administration console
when using Java.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
The table below shows the standard roles that are used by SAP Student Lifecycle Management (SLCM).
Table 445: Role and description
Composite Roles
● SAP_CM_ADM_COORDINATOR: Admission coordinator
● SAP_CM_ADM_OFFICER: Admission officer
● SAP_CM_ASM_COORDINATOR: Assessment coordinator
● SAP_CM_ASM_OFFICER: Assessment officer
● SAP_CM_STREC_COORDINATOR: Student records coordinator
● SAP_CM_STREC_OFFICER: Student records officer
Single Roles
● SAP_CM_ACCOUNT_DATA_UPDATE: Technical user for automatic update of student account data after changes
to account-relevant student master data
● SAP_CM_ADMIN_ACAD_STRUCTURE: Administrator for the academic structure (internal single role)
● SAP_CM_ADMOFF_STUDYDATA: Activities for the admission coordinator
● SAP_CM_ADMREGDATA_DISP: Display study data
● SAP_CM_ALL: Comprehensive authorization for all Student Lifecycle Management functions (see the note
below)
● SAP_CM_ASMCO_ADDACT: Additional activities for the assessment coordinator
● SAP_CM_ASMDATA_DISP: Display progression and grades
● SAP_CM_ASMOFF_ACT: Activities for the assessment officer
● SAP_CM_STMASTERDATA_DISP: Display student master data
● SAP_CM_STMASTERDATA_MAINT: Edit student master data
● SAP_CM_STRCO_ADDACT: Additional activities for the student records coordinator
● SAP_CM_STROFF_ACT: Activities for the student records officer
● SAP_CM_MODULEBOOK: Module booking (only up to release CM 4.72)
● SAP_CM_REGIST: Activities for registration (only up to release CM 4.72)
● SAP_CM_STUDENTMASTER: Student master data processing (only up to release CM 4.72)
All of the above roles are automatically generated by the system.
Note
SAP_IQ_CAMPUS and SAP_CM_ALL are critical roles because they contain a comprehensive authorization for all
Student Lifecycle Management functions; assign them only in exceptional cases and review their assignment
regularly. The following roles are obsolete as of the SAP ECC Industry Extension Higher Education & Research
6.0 release:
● SAP_IQ_CAMPUS
● SAP_CM_MODULEBOOK
● SAP_CM_REGIST
● SAP_CM_STUDENTMASTER
Standard PFCG Roles in SAP Student Lifecycle Management
If you do not want to use the portal roles, you can choose the PFCG role option. The SLCM application
provides the following PFCG roles:
Table 446:
Name of PFCG Role | Relevance to NWBC | Relevance to Portal Role
SAP_SR_ACADEMIC_ADVISOR_5 | NWBC role for advisor | Equivalent to the portal role Academic Advisor
SAP_SR_UNIVERSITY_INSTRUCTOR_5 | NWBC role for university instructor | No equivalent portal role available
SAP_SR_STUDENT_5 | NWBC role for student | Equivalent portal role Student
Once you have configured these roles, you can access the applications attached to each role using SAP NetWeaver
Business Client. You can use these roles as entry points to the different applications that can be accessed by the
academic advisor, the instructor, or the student.
Standard Authorization Objects
The table below shows the standard authorization objects that are used by SLCM.
Table 447:
Authorization Object Description
P_CM_AUDCT Student Lifecycle Management: requirement catalogs
P_CM_AUDIT Audits
P_CM_AUDPR Requirement profile
P_CM_CORR Correspondence
P_CM_FCDOC Student accounting document
P_CM_PROC Activity
P_CM_UCAS Authorization Object Student Lifecycle Management UCAS (only for Great Britain)
P_CM_UCASR Authorization Object Student Lifecycle Management UCAS for Reports (only for Great Britain)
P_CM_NLPAY NL Payment Details Authorization Object
P_CM_NLVER NL Verification Authorization Object
Basic Authorizations in SAP Student Lifecycle Management
There are three important authorization objects within SLCM that simplify authorization assignment:
● S_TCODE
S_TCODE checks whether a user is allowed to start a given transaction. Every time the user starts a menu
command or a transaction code using the command line, the roles assigned to the user are checked to see
whether the user has the authority to execute this transaction.
● PLOG
PLOG checks whether a user is allowed to read, write or insert specific HR Infotypes.
● P_CM_PROC
P_CM_PROC checks whether a user has the authority for a specific Student Lifecycle Management process.
Structural Authorizations in SAP Student Lifecycle Management
Structural authorizations enable you to define the set of objects the user is authorized to process. You determine
these objects using evaluation paths. For example, you can define whether the user receives a display
authorization or a maintenance authorization for these objects.
● Evaluation Paths
An evaluation path is an instruction for the system that determines which object types and relationships are
to be included in an evaluation of the organizational plan. It describes the chain of relationships that exist
between objects in a hierarchical structure. The report takes into account only the objects that lie along the
specified evaluation path.
● Organizational Structure
One or more relationships are then used as paths to evaluate structural information in your organizational
plan (relating to the organizational or reporting structures) or matrix organization. The sequence of the
relationships included in the evaluation path is decisive in how the results of the evaluation are displayed.
Note
As functions of other application areas, for example Training and Event Management, Notification Processing,
or Student Accounting, are integrated into SLCM, users also need authorizations for these areas.
Note
SLCM contains a number of single roles, which you can combine with the roles of other application areas to
create composite roles. You can either assign a composite role or individual roles to users.
Authorizations in Business Rule Framework plus (BRFplus)
For BRFplus security, the standard authorizations of the BRFplus framework apply.
For more information, see application help for Business Rule Framework plus (BRFplus) in SAP Library for SAP
NetWeaver on SAP Help Portal at http://help.sap.com/netweaver SAP NetWeaver 7.0 (2004s) SAP
Netweaver 7.0 including Enhancement Package 3 SAP NetWeaver SAP NetWeaver by Key Capability
Application Platform by Key Capability Business Services Business Rule Framework plus (BRFplus)
Concepts Authorizations
13.14.4.2 Deletion of Personal Data
Use
The student administration of the Student Lifecycle Management application might process data (personal
data) that is subject to the data protection laws applicable in specific countries as described in SAP Note
1825544. The SAP Information Lifecycle Management (ILM) component supports the entire software lifecycle
including the storage, retention, blocking, and deletion of data. The Student Lifecycle Management (SLCM)
solution uses SAP ILM to support the blocking and deletion of personal data as described in the following sections.
SAP delivers an end of purpose check (EoP) for the students registered in the SLCM application, and an
end of purpose check for the blocking of business partner data if the SLCM application has a student linked
to a business partner. All applications register either an end of purpose check (EoP) in the Customizing settings
for the blocking and deletion of the business partner data or a where-used check (WUC).
You can use SAP Information Lifecycle Management (ILM) to control the blocking and deletion of personal data.
For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance Cross Components Data Protection.
End of Purpose Check (EoP)
An end of purpose check determines whether data is still relevant for business activities based on the retention
period defined for the data. The retention period of data consists of the following phases:
● Phase one: The relevant data is actively used.
● Phase two: The relevant data is actively available in the system.
● Phase three: The relevant data needs to be retained for other reasons.
For example, processing of data is no longer required for the primary business purpose, but to comply with legal
rules for retention, the data must still be available. In phase three, the relevant data is blocked. Blocking of data
prevents the business users of SAP applications from displaying and using data that may include personal data
and is no longer relevant for business activities. Blocking of data can impact system behavior in the following
ways:
● Display: The system does not display blocked data.
● Change: It is not possible to change a business object that contains blocked data.
● Create: It is not possible to create a business object that contains blocked data.
● Copy/Follow-Up: It is not possible to copy a business object or perform follow-up activities for a business
object that contains blocked data.
● Search: It is not possible to search for blocked data or to search for a business object using blocked data in
the search criteria.
It is possible to display blocked data if a user has special authorization; however, it is still not possible to create,
change, copy, or perform follow-up activities on blocked data. For information about the configuration settings
required to enable this three-phase end of purpose check, see the sections Process Flow and Configuration:
Simplified Blocking and Deletion below.
End of Purpose Check (EoP) in SLCM
The end-of-purpose check for SLCM is a simple check to ensure data integrity in the event of potential blocking. It
checks whether there is any dependent data for a business partner that is a student in the SLCM application and
returns one of the following statuses:
● If the business partner is not a student, the system returns the status '1' (no business with business partner).
● If the business partner exists as a student in the SLCM system, the system checks the SORT (start of
retention time) and, depending on the date, returns the status '2' (business is ongoing) or '3' (business is
complete).
The system does not block the business partner related to the student if the status is '3', business is ongoing.
Relevant Application Objects and Available Deletion Functionality
Table 448:
Application | Detailed Description | Provided Deletion Functionality
PSCM | Student Lifecycle Management: Public Sector Campus Management | HRIQ_ATTDN Data Destruction in Student Lifecycle Management
Relevant Application Objects and Available EoP/WUC functionality
Table 449:
Application | Implemented Solution (EoP or WUC) | Further Information
PSCM | EoP implemented | EoP checks if the business for the student and related business partner is complete or ongoing.
Process Flow
1. Before archiving data, you must first define residence time and retention periods in SAP Information
Lifecycle Management (ILM).
2. You choose whether data deletion is required for data stored in archive files or data stored in the database,
also depending on the type of deletion functionality available.
3. You do the following:
○ Run transaction IRMPOL and enter the required retention policies for the central business partner (ILM
object: CA_BUPA).
○ Run transaction BUPA_PRE_EOP to enable the end of purpose check function for the central business
partner.
○ Run transaction IRMPOL and maintain the required residence and retention policies for the customer
master and vendor master in SAP ERP (ILM objects: HRIQ_STMD).
○ Run transaction CVP_PRE_EOP to enable the end of purpose check function for the customer master and
vendor master in SAP ERP .
4. Business users can request unblocking of blocked data for customers, vendors and central business partners
by using the transaction BUP_REQ_UNBLK.
5. If you have the necessary authorizations, you can unblock data by running the transactions BUPA_PRE_EOP
and CVP_UNBLOCK_MD.
6. You delete data by using the transaction ILM_DESTRUCTION for the ILM objects of SLCM.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components under Data Protection.
● Define the settings for authorization management under Data Protection Authorization Management.
For more information, see the Customizing documentation.
● Define the settings for blocking in Customizing for Cross-Application Components under Data Protection
Blocking and Unblocking Business Partner.
13.14.4.3 Data Storage Security
Data Storage
The data for the application is saved in database tables. Only the data for the academic structure can come from
a file system; its security aspects are described in the next section. Structural authorization and role-based
authorization control access to this data. For more information, see Authorizations.
Using Logical Path and File Names to Protect Access to the File System
The SAP Student Lifecycle Management applications save data in files in the file system. Therefore, it is important
to grant access to the corresponding files in the file system explicitly without allowing access to other directories
or files (preventing what is known as directory traversal). This is achieved by specifying logical paths and file
names in the system that map to the physical paths and file names. This mapping is validated at runtime, and if
access is requested to a directory that does not match a stored mapping, an error occurs.
The following lists show the logical file names and paths used by the Student Lifecycle Management
application and the programs to which these file names and paths apply:
Logical File Names Used
The following logical file names have been created in order to enable the validation of physical file names:
● ISHER_WEBCATALOGXML
○ Programs using this logical file name and parameters used in this context:
◦ RHIQ_XML_ACADSTRUC (XML Files of Academic Structure)
Logical Path Names Used
The logical file names listed above all use the logical file path ISHER_WEBCATALOG.
Activating the Validation of Logical Path and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To find out which
paths are being used by your system, you can activate the corresponding settings in the Security Audit Log.
For more information about data storage security, see the respective chapter in the SAP NetWeaver Security
Guide.
13.14.4.4 Read Access Logging (Industry Applications)
Use
In Read Access Logging (RAL), you can configure which read-access information to log and under which
conditions.
Read access to personal data is partially based on legislation, and it is subject to logging functionality. The Read
Access Logging (RAL) component can be used to monitor and log read access to data and provide information
such as which business users accessed personal data (for example, fields related to bank account data), and
when they did so. SAP delivers sample configurations for applications. For more information, see the
application-specific chapters of the Security Guide.
You can display the configurations in the system by performing the following steps:
1. In transaction SRALMANAGER, on the Administration tab page, choose Configuration.
2. Choose the desired channel, for example, WebDynpro.
3. Choose Search.
The system displays the available configurations for the selected channel.
4. Choose Display Configuration for detailed information on the configuration. For specific channels, related
recordings can also be displayed.
Prerequisites
Before you can use the delivered RAL configurations, the following prerequisites must be met:
● You are using:
○ SAP NetWeaver 7.1 SP0
○ AS ABAP 7.51
○ Kernel 7.45 SP21 and above
○ SAP_UI 7.51 (UI5 1.40)
● The RAL configurations have been activated.
● You have enabled RAL in each system client.
More Information
For general information on Read Access Logging, see the product assistance for SAP NetWeaver on SAP Help
Portal at http://help.sap.com/netweaver under Information SAP NetWeaver Library
Function-Oriented View System Security for SAP NetWeaver AS for ABAP Only
13.14.5 Professional Services
13.14.6 Commercial Project Inception and Lean Staffing
The following guide covers the information that you require to operate Commercial Project Inception and Lean
Staffing securely.
13.14.6.1 Introduction
Note
This guide does not replace the administration or operation guides that are available for productive operations.
Target Audience
● Technology consultants
● System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation
Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas
the Security Guides provide information that is relevant for all life cycle phases.
Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands on
security are also on the rise. When using a distributed system, you need to be sure that your data and processes
support your business needs without allowing unauthorized access to critical information. User errors,
negligence, or attempted manipulation on your system should not result in loss of information or processing time.
These demands on security apply likewise to Commercial Project Inception and Lean Staffing. To assist you in
securing Commercial Project Inception and Lean Staffing, we provide this Security Guide.
About this Document
The Security Guide provides an overview of the security-relevant information that applies to Commercial Project
Inception and Lean Staffing.
Overview of the Main Sections
The Security Guide comprises the following main sections:
● Before You Start
This section references other Security Guides that build the foundation for this Security Guide.
● Authorizations
This section provides an overview of the authorization concept that applies to Commercial Project Inception
and Lean Staffing.
13.14.6.2 Before You Start
It is important that you read and understand the information contained in the Authorizations [page 733] section
that is specific to Commercial Project Inception and Lean Staffing. In addition, you should be aware of the
information listed in the table below:
Table 450: Fundamental Security Guides
Scenario, Application or Component | Security Guide | Most-Relevant Sections or Specific Restrictions
SAP NetWeaver Application Server | SAP NetWeaver Security Guide | All sections
SAP ECC | SAP ERP Central Component Security Guide | All sections
For a complete list of the available SAP Security Guides, see service.sap.com/securityguide on the SAP Service
Marketplace.
13.14.6.3 User Management and Authentication
SAP ECC Industry Extension Professional Services uses the user management and authentication mechanisms
provided with the SAP NetWeaver platform, particularly the SAP NetWeaver Application Server ABAP.
Consequently, the security recommendations and guidelines for user management and authentication that are
described in the SAP NetWeaver Application Server ABAP Security Guide also apply to SAP ECC Industry
Extension Professional Services.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may
specify that individual users who perform tasks interactively have to change their passwords on a regular basis,
but not those users under which background processing jobs run.
The user type required for SAP ECC Industry Extension Professional Services is the dialog user. Dialog users are
individual users used for SAP GUI for Windows.
13.14.6.4 Authorizations
Use
The business function Commercial Project Inception and Lean Staffing uses the authorization concept provided by
the SAP NetWeaver AS for ABAP. Therefore, the recommendations and guidelines for authorizations as described
in the SAP NetWeaver AS Security Guide ABAP also apply to Commercial Project Inception and Lean Staffing.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Standard Roles
The table below shows the standard roles that are used by Commercial Project Inception and Lean Staffing.
Table 451: Standard Roles
Role Description
SAP_SAWE_UNIVERSAL Maintenance of staff assignments and forecasts
SAP_CATS_LEAN_STAFFING Maintenance of cross-application time sheet (Web Dynpro application)
SAP_BC_EMPLOYEE Access to HCM data (for employee search, for example)
SAP_BPR_INT_SALES_REP_14 Maintenance of assignment objects of type “SD order”
SAP_PS_STRUCT Maintenance of assignment objects of type “project”
SAP_BC_ENDUSER Non-critical basis authorizations for all users
In addition, users must be assigned to:
● the authorization profile K_ORDER for the maintenance of assignment objects of the type “internal order”
● the authorization profile I_PM_ALL for the maintenance of assignment objects of the type “service order”.
Note
As the authorization profiles K_ORDER and I_PM_ALL comprise all available authorizations for internal orders
and service orders respectively, we recommend that you narrow the granted authorization range to suit your
specific requirements.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by Commercial Project Inception
and Lean Staffing.
Table 452: Standard Authorization Objects
Authorization Object | Field: Value | Description
P_ORGIN and P_PERNR (Authorization check for HR info types) | INFTY: 0002; SUBTY; AUTHC: R | The employee search in the Lean Staffing application and in the Lean Staffing reporting lists only employees for whose info type 0002 the user has a read authorization.
PRS_LS_CUS (new) | ACTVT: 02, 03, 06 | The system checks this authorization object when staff assignments to customers are made.
V_PRS_LS_H (new) | VKORG: VBAK-VKORG; VTWEG: VBAK-VTWEG; SPART: VBAK-SPART; KDGRP: KNVV-KDGRP; KOSTL: VBAK-KOSTL; ACTVT: 02, 03, 06 | The system checks this authorization object when staff assignments to SD orders are made. The user must be authorized for the sales area, distribution channel, division, customer group and cost center of the SD order.
V_PRS_LS_I (new) | PRCTR: VBAP-PRCTR; ACTVT: 02, 03, 06 | The system checks this authorization object when staff assignments to SD orders are made. The user must be authorized for the profit center of the SD sales document item.
C_PRPS_LS (new) | PS_FKOKR: PRPS-FKOKR; PS_FKSTL: PRPS-FKSTL; PRCTR: PRPS-PRCTR; ACTVT: 02, 03, 06 | The system checks this authorization object when staff assignments to WBS elements are made. The user must be authorized for the controlling area, cost center and profit center of the WBS element.
K_PRS_LS | PRCTR: AUFK-PRCTR; ACTVT: 02, 03, 06 | The system checks this authorization object when staff assignments to internal or service orders are made. The user must be authorized for the profit center of the order.
PRS_LS_FC | EMP_LEVEL: Level 1, 2 or 3; ACTVT: 02, 03, 06 | See description below.
The authorization for staff assignments is based on the assignment object to which it refers; it is independent of
the employee for whom the assignment is made. As shown in the table above, different types of assignment
objects (SD order, project and so on) use different fields for this authorization.
The authorization for forecasting is based on the employee whose time is forecast; it is independent of the
assignment object for which it is made. There are several levels (EMP_LEVEL) of authorization concerning the
employee:
● Level 1: The user is authorized to change and display own forecasts (the forecasts for the employee ID contained in the user's master record).
● Level 2: The user is authorized to change and display forecasts for the members of his or her team (note that level 2 does not necessarily imply level 1). The team is determined on the basis of the employee ID contained in the user's master record, as follows:
○ The HCM organizational model is queried (current relationships according to info type 1001, subtype A008; for details, see method CL_SAWE_API_PROVIDER_FC->GET_TEAM_OF_EMP). The result of this query is the same for managers and their assistants.
○ You can influence the list of employee IDs returned by this query by adding or removing entries in an implementation of the Business Add-In (BAdI) SAWE_AUTHORITY_CHECK, method TEAM_OF_EMPLOYEE.
○ If neither the HCM organizational model nor the BAdI implementation is used, the team does not contain any employees.
● Level 3: The user is authorized to change and display forecasts for all employees.
The system checks both authorizations (authorization for staff assignments and authorization for forecasting) in
the following cases:
● ACTVT = ‘02’ (change): Checked when the Lean Staffing or Forecasting application is executed in the change
mode (this refers to the UI-based application and to the A2X Enterprise Services).
● ACTVT = ‘03’ (display): Checked when the Lean Staffing or Forecasting application is executed in the display-only mode.
● ACTVT = ‘06’ (delete): Checked when the deletion of an assignment object triggers the deletion of its staff
assignments and forecasts (without further user interaction).
This is different from the deletion of individual entries in the Lean Staffing and Forecasting applications, because
users who are authorized to delete assignment objects (for example, SD order items) may need this
authorization, even if they do not have authorization to execute the Lean Staffing or Forecasting application.
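The forecasting authorization levels described above, modelled as an added example (not SAP code and not the SAWE classes themselves): the organizational model, the BAdI hook and the sample users are constructed, while the level semantics, the activities 02/03/06 and the names CL_SAWE_API_PROVIDER_FC->GET_TEAM_OF_EMP and SAWE_AUTHORITY_CHECK referred to in the comments come from the guide.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple

# Activities of authorization object PRS_LS_FC as listed in the guide.
CHANGE, DISPLAY, DELETE = "02", "03", "06"


@dataclass(frozen=True)
class ForecastAuthorization:
    """One instance of PRS_LS_FC granted to a user."""
    emp_level: str           # "1", "2" or "3"
    actvts: FrozenSet[str]   # subset of {"02", "03", "06"}


@dataclass(frozen=True)
class User:
    name: str
    employee_id: str                              # employee ID in the user's master record
    authorizations: Tuple[ForecastAuthorization, ...]


# Constructed stand-in for the HCM organizational model query
# (info type 1001, subtype A008, CL_SAWE_API_PROVIDER_FC->GET_TEAM_OF_EMP):
# employee ID -> IDs of the team members.
OrgModel = Dict[str, Set[str]]
# Constructed stand-in for BAdI SAWE_AUTHORITY_CHECK, method TEAM_OF_EMPLOYEE:
# receives the employee ID and the team found so far, returns the adjusted team.
TeamBadi = Callable[[str, Set[str]], Set[str]]


def team_of_employee(employee_id: str, org_model: OrgModel,
                     badi: Optional[TeamBadi] = None) -> Set[str]:
    """Determine the team of an employee for level 2.

    Follows the order the guide describes: the organizational model is
    queried first, then a BAdI implementation may add or remove entries.
    If neither contributes anything, the team is empty.
    """
    team = set(org_model.get(employee_id, set()))
    if badi is not None:
        team = set(badi(employee_id, team))
    return team


def forecast_allowed(user: User, target_employee: str, actvt: str,
                     org_model: OrgModel, badi: Optional[TeamBadi] = None) -> bool:
    """Decide whether user may perform actvt on target_employee's forecast.

    Each granted PRS_LS_FC instance is evaluated on its own, so a user who
    holds only level 2 is not implicitly allowed to touch their own forecast
    (level 2 does not imply level 1).
    """
    for auth in user.authorizations:
        if actvt not in auth.actvts:
            continue
        if auth.emp_level == "3":
            return True
        if auth.emp_level == "1" and target_employee == user.employee_id:
            return True
        if auth.emp_level == "2" and target_employee in team_of_employee(
                user.employee_id, org_model, badi):
            return True
    return False


# Constructed sample data for a stand-alone run.
SAMPLE_ORG: OrgModel = {"M100": {"E200", "E201"}}
MANAGER = User("manager", "M100",
               (ForecastAuthorization("2", frozenset({CHANGE, DISPLAY})),))
ADMIN = User("admin", "A900",
             (ForecastAuthorization("3", frozenset({CHANGE, DISPLAY, DELETE})),))
SELF_USER = User("self", "E200", (ForecastAuthorization("1", frozenset({CHANGE})),))
# Level 2 without any organizational data: the team is empty.
ISOLATED = User("isolated", "X1", (ForecastAuthorization("2", frozenset({CHANGE})),))


def add_e202(employee_id: str, team: Set[str]) -> Set[str]:
    """Constructed BAdI implementation that adds one employee to M100's team."""
    return team | {"E202"} if employee_id == "M100" else team


if __name__ == "__main__":
    print(forecast_allowed(MANAGER, "E200", CHANGE, SAMPLE_ORG))  # True: team member
    print(forecast_allowed(MANAGER, "M100", CHANGE, SAMPLE_ORG))  # False: no level 1
    print(forecast_allowed(MANAGER, "E202", CHANGE, SAMPLE_ORG, add_e202))  # True via BAdI
```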
The authorizations for reporting are based on the specific user group ‘SAWE’, which you can maintain using
transaction SQ03. Users who are authorized to analyze employee assignments, resource consumption, employee
utilization and skill utilization need to be assigned to this user group.
13.14.6.5 Data Storage Security
Use
Commercial Project Inception and Lean Staffing stores additional employee-related data besides data stored in
the HR Master Data database.
The following additional data can be stored in the respective objects (technical table names in parentheses):
● Employee assignment to projects, customer orders, or internal orders (SAWE_D_SA_HDR and SAWE_D_SA_ITM).
● Employee forecast for the above-mentioned assignments, and also for generic assignments such as training (SAWE_D_TIME_PS and SAWE_D_TIME_PSI).
For information about access to this data, see Authorizations [page 733].
For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance Enterprise Business Applications Industries
SAP for Professional Services Lean Staffing Data Archiving in Lean Staffing
13.14.6.6 Deletion of Personal Data
Use
The Lean Staffing (IS-PRS-LS) component might process data (personal data) that is subject to the data
protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to
control the blocking and deletion of personal data. For more information, see the product assistance for SAP S/4HANA
on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance Cross Components Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 453:
Application | Detailed Description | Provided Deletion Functionality
Lean Staffing (IS-PRS-LS) | For more information, see the product assistance for SAP S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance Enterprise Business Applications Industries SAP for Professional Services Lean Staffing Data Archiving in Lean Staffing | Archiving object SAWE_SA; ILM object SAWE_SA; Report SAWE_SA_CLEAN_CANDIDATE_LIST
Relevant Application Objects and Available EoP/WUC functionality
Table 454:
Application | Implemented Solution (EoP or WUC) | Further Information
Lean Staffing (IS-PRS-LS) | End of Purpose (EoP) check | Class registered for the EoP check: CL_WUC_IS_PRS_LS_EOP_CHECK. For more information, see SAP Note 2390575.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of customer and vendor master data in
Customizing for Logistics - General under Business Partner Deletion of Customer and Vendor Master Data.
13.14.7 Public Sector
13.14.7.1 Finance
13.14.7.1.1 Public Sector Management
Data Storage
Using Logical Paths and File Names to Protect Access to the File System
Public Sector Management stores data in files in the file system. For this reason, it is important to be able to grant
access to the files in the file system explicitly without granting access to other folders or files (also known as folder
traversals). You do this in the system by entering logical paths and file names that are assigned to the physical
paths and file names. This assignment is validated during runtime, whereby an error message is issued whenever
a user tries to access a folder that does not correspond to a stored assignment.
The following lists provide an overview of the logical file names and paths that are used by Public Sector
Management and of the programs for which these file names and paths are valid:
Logical File Names Used in Public Sector Management
The logical file name PSM_EXECUTION_DATA_EXPORT has been created to enable the validation of physical file
names.
The program RFEXBLK0 uses this logical file name.
Logical Path Names Used in Public Sector Management
The above-mentioned logical file name uses the logical file path PSM_ROOT.
Activating the Validation of Logical Paths and File Names
These logical paths and file names are entered in the system for the corresponding programs. For reasons of
downward compatibility, validation is deactivated by default during runtime. To activate validation during runtime,
define the physical path using transactions FILE (across all clients) and SF01 (client-specific). To determine which
paths are used by your system, you can activate the relevant settings in the Security Audit Log.
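The logical path and file name mechanism described for Student Lifecycle Management and for Public Sector Management, modelled as an added example (not SAP code): a program refers only to a logical file name, which resolves through its logical path to a physical directory, and the resulting physical name is accepted only if it lies inside that directory. The physical directories and the file-name patterns are constructed for this example; only the logical names ISHER_WEBCATALOGXML, ISHER_WEBCATALOG, PSM_EXECUTION_DATA_EXPORT and PSM_ROOT come from the guide.

```python
import posixpath

# Constructed physical directories. In a real system these mappings are
# maintained with transactions FILE (client-independent) and SF01
# (client-specific); the values here are examples only.
LOGICAL_PATHS = {
    "ISHER_WEBCATALOG": "/usr/sap/trans/isher/webcatalog",
    "PSM_ROOT": "/usr/sap/trans/psm",
}

# Logical file name -> (logical path it uses, physical name pattern).
# The logical names come from the guide; the patterns are constructed.
LOGICAL_FILES = {
    "ISHER_WEBCATALOGXML": ("ISHER_WEBCATALOG", "<PARAM_1>.xml"),
    "PSM_EXECUTION_DATA_EXPORT": ("PSM_ROOT", "export_<PARAM_1>.txt"),
}

# The guide states that, for downward compatibility, runtime validation
# is deactivated by default. A hardened system activates it.
VALIDATION_ACTIVE = False


class LogicalFileError(Exception):
    """Raised when a physical name does not match the stored mapping."""


def _inside(root: str, path: str) -> bool:
    """True if the normalised path is the root directory or lies below it."""
    root = posixpath.normpath(root)
    path = posixpath.normpath(path)
    return path == root or path.startswith(root + "/")


def validate_physical_name(logical_file: str, physical: str,
                           validation_active: bool = VALIDATION_ACTIVE) -> str:
    """Check a physical file name against the mapping of a logical file name.

    Returns the normalised physical name. With validation active, a name
    that resolves outside the physical directory of the logical path raises
    LogicalFileError (the error the guide describes). With validation
    inactive the name is returned unchecked, which is why activation is
    recommended. Symbolic links are not resolved here; on a real file
    system the check would be applied to the canonical (realpath) name.
    """
    try:
        logical_path, _pattern = LOGICAL_FILES[logical_file]
    except KeyError:
        raise LogicalFileError(f"unknown logical file name {logical_file}") from None
    root = LOGICAL_PATHS[logical_path]
    normalised = posixpath.normpath(physical)
    if validation_active and not _inside(root, normalised):
        raise LogicalFileError(
            f"{physical} resolves outside {root} (logical path {logical_path})")
    return normalised


def physical_name(logical_file: str, param_1: str,
                  validation_active: bool = VALIDATION_ACTIVE) -> str:
    """Derive the physical file name for a logical file name and validate it."""
    logical_path, pattern = LOGICAL_FILES[logical_file]
    root = LOGICAL_PATHS[logical_path]
    # posixpath.join discards root if the parameter is itself absolute, and
    # normpath resolves ".." segments; both are cases the validation step
    # must catch, so the derived name goes through the same check.
    candidate = posixpath.join(root, pattern.replace("<PARAM_1>", param_1))
    return validate_physical_name(logical_file, candidate, validation_active)


def is_valid(logical_file: str, physical: str) -> bool:
    """Convenience predicate: does the physical name pass active validation?"""
    try:
        validate_physical_name(logical_file, physical, validation_active=True)
    except LogicalFileError:
        return False
    return True


if __name__ == "__main__":
    # Sample run on constructed inputs: the normal case, then a name that
    # only passes because validation is left at its default (inactive).
    print(physical_name("ISHER_WEBCATALOGXML", "acadstruc", validation_active=True))
    print(physical_name("ISHER_WEBCATALOGXML", "../../../other/data"))
    print(is_valid("ISHER_WEBCATALOGXML", "/usr/sap/other/data.xml"))
```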
13.14.7.1.1.1 Funds Management
Standard roles for Funds Management (PSM-FM)
Table 455:
Role Name
SAP_IS_PS_CENTRAL_FUNCTION Funds Management Central Function
SAP_IS_PS_PO_CONSUMPTION Postings: Consume Funds
SAP_IS_PS_MD_STRUCTURE Master Data Funds Management: Maintain Structure
SAP_IS_PS_BCS_AVC_TOOLS Availability Control - Tools
SAP_IS_PS_BCS_BUD_TOOLS Budgeting - Tools
SAP_IS_PS_PO_RECONCILE Reconciling Data with Feeder Applications
SAP_IS_PS_BCS_BUD_MAINTENANCE Maintain Budget Data
SAP_IS_PS_BCS_BUD_PLANNING Plan Budget Data
SAP_IS_PS_BCS_DISPLAY Display Budget Values (BCS)
SAP_IS_PS_BCS_STATUS_MAINTAIN Budgeting – Assign Status
SAP_IS_PS_BCS_STRUCT_DEF Maintain Budget Structure
SAP_IS_PS_BCS_STRUCT_TOOLS Budget Structure - Tools
SAP_IS_PS_CASH_DESK Payment at Cash Desk
SAP_IS_PS_CF_CHECK Check Budget Closing
SAP_IS_PS_CF_OI_EXECUTE Carry Forward Consumable Budget
SAP_IS_PS_CF_OI_PREPARE Prepare Carryforward of Consumable Budget
SAP_IS_PS_MD_DISPLAY Funds Management Master Data: Display Functions
SAP_IS_PS_MD_ZUOB Funds Management Master Data: Assignment to CO Structures
SAP_IS_PS_PO_COMMITMENTS Postings: Commit Funds
SAP_IS_PS_PO_CONSUMPTION_DISP Postings: Consumed Funds Display
SAP_IS_PS_PO_FOR Postings: Forecast of Revenue
SAP_IS_PS_PO_TRANSFERS Postings: Transfer Consumable Budget
SAP_FI_GL_REORG_MANAGER Reorganization Manager
SAP_FI_GL_REORG_OBJLIST_OWNER Object List Owner
Authorization objects for Funds Management (PSM-FM)
Table 456:
Authorization Object Name
F_FICB_FKR Cash Budget Management/Funds Management FM Area
F_FICB_VER Cash Budget Management/Funds Management Version
F_FICA_FOG Funds Management: Authorization Group of Fund
F_FICA_FSG Funds Management: Authorization Group for Funds Center
F_FICA_SEG Funds Management: Authorization Group for All Funds Centers
F_FICA_SIG Funds Management: Authorization Group Internal Funds Centers
F_FICA_FPG Funds Management: Authorization Group for Commitment Item
F_FICA_TRG Funds Management: Authorization Groups of FM Acct Assignment
F_FMMD_FAR Funds Management: Functional Area (Authorization Group)
F_FMMD_MES Funds Management: Funded Program (Authorization Group)
F_FMMD_BPG F_FMMD_BPG
F_FMMD_FPG Funds Management: Funded Program Sets
F_FICA_FNG Funds Management: Fund Groups
F_FICA_FAG Funds Management: Function Groups
F_FICA_CIG Funds Management: Commitment Item Group
F_FICA_FCG Funds Management: Funds Center Groups
F_FMCA_SHE Clarification Worklist (FMSHERLOCK)
See also the documentation for Funds Management on the SAP Help Portal at help.sap.com under S/4HANA > Accounting > Public Sector Management > Funds Management > Authorizations.
Authorization objects of the Budget Control System (BCS)
Table 457:
Authorization Object Name
F_FMBU_ACC Budgeting: Account Assignment
F_FMBU_STA Budgeting: Status
F_FMBU_KYF Budgeting: Key Figure
F_FMBU_DOC Budgeting: Document Type
F_FMBU_VER Budgeting: Version and Budget Category
You can use the following BAdI to implement enhancements to the authorization concept:
Table 458:
BAdI Name
FM_AUTHORITY_CHECK Enhance Authorization Check in PSM-FM
13.14.7.1.1.2 Grants Management
Standard roles for Grants Management (PSM-GM)
Table 459:
Role | Name | Function
SAP_FI_GM_GRANT_ANALYST | Grants Management: Grant Analyst | Master data maintenance, execution of reports
SAP_FI_GM_GRANT_MANAGER | Grants Management: Grant Manager | New entry, check, and approval of master data, execution of billing program
SAP_FI_GM_PROGRAM_ANALYST | Grants Management: Program Analyst | Creation of master data, processing of proposals and budget
SAP_FI_GM_PROGRAM_MANAGER | Grants Management: Program Manager | Check and approval of proposals and budget
SAP_FI_GM_PROJECT_MANAGER | Grants Management: Project Manager | Management of grants and budget, execution of reports
Authorization Objects for Grants Management (PSM-GM)
Table 460:
Authorization Object Name
F_FIGM_BUD Grants Management: Authority for Budget
F_FIGM_CLS Grants Management: Authority for Class
F_FIGM_GNG GM: Grant Groups
F_FIGM_GNT Grants Management: Authority for Grant
F_FIGM_PRG Grants Management: Authority for Programs
F_FIGM_SCG GM: Sponsored Class Groups
F_FIGM_SPG GM: Sponsored Program Groups
The master data objects and business processes of Grants Management are protected by standard authorization
objects.
US Federal Government uses the authorization concepts of the components that it deploys, such as Funds
Management and Material Management. See also the documentation for Funds Management on the SAP Help
Portal at help.sap.com under SAP ERP Central Component > Accounting > Public Sector Management > Funds Management > Authorizations.
You can use the following BAdI to implement enhancements to the authorization concept:
Table 461:
BAdI Name
GM_AUTHORITY_CHECK Grants Management: Authorization Check
GM_BILL_AUTHORITY GM: User Authorization for DP90 in GM
GM_POST_AUTHORITY Grants Management Coding Block Authority Check
13.14.7.1.1.3 Network and Communication Security
Public Sector Management communicates with:
● Human Capital Management (HCM) as part of the scenario Position Budgeting and Control
● Customer Relationship Management (CRM) as part of the scenario Grantor Management
The communication with these internal SAP components takes place via Remote Function Call (RFC). See the
corresponding sections in the RFC/ICF Security Guide on SAP Service Marketplace at service.sap.com/securityguide
under SAP NetWeaver Security Guide > Security Aspects for Connectivity and Interoperability.
The US Federal Government has both payment and collection outbound interfaces at its disposal for Treasury
Confirmation and Intragovernment Payment and Collections (IPAC). This outbound interface uses payment
methods and flat files.
The inbound interface of the Central Contractor Registration (CCR) uses IDocs.
For registering portal users in the backend system, we recommend that the user is assigned in both the portal and
the backend system. In other words, the user ID of a user in the portal and the backend system should match.
13.14.7.1.1.4 More Security Information
Authorization checks only take place in Public Sector Management and Funds Management when the authorization
group of a master data object is entered. To ensure that an adequate check is carried out, SAP recommends that
you define the affected fields as required entry fields in the field status control. You define this setting in the
implementation guide of Public Sector Management:
● Funds Management-Specific Postings > Earmarked Funds and Funds Transfers > Field Control for Earmarked Funds and Funds Transfers > Define Field Status Variant / Assign Field Status Variant to Company Code / Define Field Status Groups
● Actual and Commitment Update/Integration > Integration > Maintain Field Status for Assigning FM Account Assignments
For more information, see the documentation on Funds Management on the SAP Help Portal at help.sap.com under ERP Central Component > Accounting > Public Sector Management.
For Grants Management, note the following system settings in the implementation guide of Public Sector
Management, under Funds Management Government > Master Data > Grant:
● GM Grant Control: Field Group for Authorizations
● Maintain Grant Authorization Types
● Maintain Grant Authorization Groups
13.14.7.2 Public Sector Collection and Disbursement
The following security information for SAP Public Sector Collection and Disbursement (PSCD) also applies to
SAP Tax and Revenue Management (TRM).
13.14.7.2.1 Authorizations
SAP Public Sector Collection and Disbursement (SAP PSCD) and SAP Tax and Revenue Management (SAP TRM)
use the authorization concept provided by SAP NetWeaver AS for ABAP or AS Java. Therefore, the
recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP
and SAP NetWeaver AS Security Guide Java also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’s
user administration console on the AS Java.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
The table below shows the standard roles that are used.
Table 462:
Role Description
SAP_FMCA_CA_ALL Sample role including all transactions for SAP PSCD
SAP_FMCA_CA_ALL_EHP5_TRM_NWBC Sample role for the SAP NetWeaver Business Client (NWBC) for SAP TRM
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used for SAP PSCD.
Table 463:
Authorization Object | Field | Value | Description
F_PSDO_BEG | BEGRU | 01 Document Generation; 02 Document Changes; 03 Document Display; 85 Reversal of Documents and Resetting of a Clearing | PSCD Document: Authorization Group for Contract Object
F_PSDO_VGT | PSOBTYP_PS | 01 Document Generation; 02 Document Changes; 03 Document Display; 85 Reversal of Documents and Resetting of a Clearing | PSCD Document: Contract Object Type Authorization
F_PSOB_ATT | AUTHTYP_PS | 01 Create; 02 Change; 03 Display; * All Activities | PSCD Contract Object: Authorization Types
F_PSOB_BEG | BEGRU | 01 Create or Generate; 02 Change; 03 Display; 06 Delete; 08 Display Change Documents | PSCD Contract Object: Authorization Group
F_PSOB_FDG | FLDGR_PS | 01 Create or Generate; 02 Change; 03 Display | PSCD Contract Object: Field Groups
F_PSOB_VGT | PSOBTYP_PS | 01 Create or Generate; 02 Change; 03 Display; 06 Delete; 08 Display Change Documents; 64 Generate | PSCD Contract Object: Object Type Authorization
F_FMCA_WOF | ABGRD | 10 Post; B5 Display History; F1 Approve | PSCD Write Off: Approval for Write-Off Reason
F_FMCA_WOM | ACTVT | For more information, see transaction SU21. | PSCD Write-Off: Authorization for Mass Approval
F_PSFA_SET | F_PSFA_SET | 01 Create or Generate; 02 Change; 03 Display; 06 Delete | PSCD Facts: Authorization for Fact Sets
F_PSFA_TYP | F_PSFA_TYP | 01 Create or Generate; 02 Change; 03 Display; 06 Delete | PSCD Facts: Authorization for Fact Set Parts
F_PSFA_CAT | BEGRU | 01 Create or Generate; 02 Change; 03 Display; 06 Delete | PSCD Facts: Authorization for Fact Type Parts
F_FMCA_IPM | F_FMCA_IPM | F1 Approve | PSCD Installment Plan: Authorization for Mass Approval
F_KKCOL | ACTVT | 01 Create or Generate; 02 Change; 03 Display; 06 Delete; 16 Execute; 39 Check; AF Prompts | PSCD Co-Liability: Authorization for Co-Liabilities
The following authorization objects are only relevant for customers who use SAP Tax and Revenue Management
(TRM) for Public Sector that is based on SAP Public Sector Collection and Disbursement (PSCD).
Table 464:
Authorization Object | Field | Value | Description
F_PSFH_FVW | FMCA_PHASE | 01 Create or Generate; 02 Change; 03 Display; 06 Delete; F1 Approve | TRM Object: Authorization for Form Handling and Form View
F_PSFH_REV | FMCA_ABTYP | 01 Create or Generate; 02 Change; 03 Display; 06 Delete; F1 Approve | TRM Object: Authorization for Form Handling and Revenue Type
F_PSFH_ACT | ACTVT | 01 Create; 02 Change; 03 Read | TRM Object: Authorization for Form Handling
F_PSFH_FBT | FBTYP | 01 Create or Generate; 02 Change; 03 Display; 06 Delete; F1 Approve | TRM Object: Authorization for Form Handling and Form Bundle Type
F_PSFH_STA | FMCA_FBSTA | 01 Create or Generate; 02 Change; 03 Display; 06 Delete; F1 Approve | TRM Object: Authorization for Form Handling and Status
F_PSFH_AMD | AMD_ACTION | 16 Execute | TRM Object: Authorization for Amendment Actions in the Tax Officer Work Center
F_FMCA_RLT | COREL_TYPE | 01 Create or Generate; 02 Change; 03 Display; 06 Delete | TRM Object: Authorization for Master Data Relationship Category
13.14.7.2.2 Data Storage Security
Using Logical Path and File Names to Protect Access to the File System
The Industry Solution Migration Workbench (ISMW) saves data in files in the file system. Therefore, it is important
to explicitly provide access to the corresponding files in the file system without allowing access to other
directories or files (also known as directory traversal). This is achieved by specifying logical paths and file names
in the system that map to the physical paths and file names. This mapping is validated at runtime and if access is
requested to a directory that does not match a stored mapping, then an error occurs.
Logical File Names / Path Names Used
The Migration Workbench uses the logical file name ISMW_FILE with the logical file path ISMW_ROOT to enable the
validation of physical file names.
Activating the Validation of Logical Path and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward
compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain
the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To find out which
paths are being used by your system, you can activate the corresponding settings in the Security Audit Log.
For more information about data storage security, see the respective chapter in the SAP NetWeaver Security
Guide.
13.14.7.3 Multichannel Foundation for Utilities and Public Sector (Public Sector)
13.14.7.3.1 Internet Communication Framework Security (ICF)
You should only activate the services that are required by the applications running in your system.
The following services must be activated for Multichannel Foundation for Utilities and Public Sector:
● ERP_FMCA_MC (logon user/current user)
● ERP_FMCA_MC_PUBLIC_SRV
ERP_FMCA_MC_PUBLIC_SRV is to be used for the anonymous payment or anonymous form submission scenario
and needs to be linked to a predefined “SU01” user.
Use transaction SICF to activate these services. If your firewalls use URL filtering, also note the URLs used for the
services and adjust your firewall settings accordingly.
For more information about ICF security, see the relevant chapter in the SAP NetWeaver Security Guide.
13.14.8 Retail
13.14.8.1 Network and Communication Security
The following information is relevant for specific SAP S/4HANA Retail solutions. For general information about
network and communication security in SAP S/4HANA, see Network and Communication Security [page 17].
Communication Paths for SAP Forecasting and Replenishment
For information about the security of communication paths for integration with SAP Forecasting and
Replenishment, see the Security Guide for SAP Forecasting and Replenishment on SAP Service Marketplace at
https://service.sap.com/securityguide under SAP Security Guides > Industry Solutions > SAP for Retail > SAP Forecasting and Replenishment.
Other Communication Paths for SAP S/4HANA Retail
The following table shows the communication paths for all remaining system connections for SAP S/4HANA
Retail solutions.
Table 465: Communication Paths for SAP S/4HANA Retail
Application | Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Store physical inventory | SAP S/4HANA – store system | RFC (or other protocol that supports IDocs) | Application data | -
POS interface | SAP S/4HANA – POS system | RFC (or other protocol that supports IDocs) | Application data | Credit card information
Interface to space management systems | SAP S/4HANA – space optimization system | RFC | Application data | -
13.14.8.2 Authorizations in Retail
Note
For general information about the authorization concept used by SAP S/4HANA, see User Administration and
Authentication [page 13].
SAP S/4HANA Retail uses the authorization concept provided by the SAP NetWeaver AS ABAP or AS Java.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP and SAP NetWeaver AS Security Guide Java also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’s
user administration console on the AS Java.
Standard Roles
The following table shows the standard roles that are used for SAP S/4HANA Retail for merchandise
management and in SAP S/4HANA for fashion and vertical business solutions.
Table 466:
Role Description
SAP_BR_ADMINISTRATOR_RFM Administrator (Retail)
SAP_BR_ALLOCATOR_RETAIL Allocator (Retail)
SAP_BR_ASSORT_SPECIALIST_RFM Assortment Specialist - Retail
SAP_BR_CAT_MAN_RFM Category Manager (Retail)
SAP_BR_DEMAND_PLANNER_RFM Demand Planner (Retail)
SAP_BR_MD_SPECIALIST_ITEM_RFM Master Data Specialist - Product Data (Retail)
SAP_BR_MD_SPECIALIST_SITE_RFM Master Data Specialist - Location Data (Retail)
SAP_BR_PRICING_SPECIALIST_RFM Pricing Specialist (Retail)
SAP_BR_PROMOTION_SPEC_RFM Promotion Specialist (Retail)
SAP_BR_PURCHASER_RFM Purchaser (Retail)
SAP_BR_RETAIL_STORE_ASSOCIATE Retail Store Associate
SAP_BR_RETAIL_STORE_MANAGER Retail Store Manager
SAP_BR_STORE_DESIGN_MGN_RFM Store Design Manager (Retail)
The following table shows the standard roles that are used for specific SAP S/4HANA for fashion and vertical
business solutions.
Table 467:
Role Description
SAP_BR_INTERNAL_SALES_REP_RET Internal Sales Representative (Retail)
SAP_BR_ORDER_FULFILLMNT_MNGR_R Order Fulfillment Manager (Retail)
Standard Authorization Objects
The following table shows the standard authorization objects that are used in SAP S/4HANA Retail and
SAP S/4HANA for fashion and vertical business solutions.
Table 468:
Authorization Object Description
W_ASORT Authorization for assortment maintenance
W_ASORT_ST Authorization for assigning assortments to plants
W_AUFT_BAA Authorization for allocation table type
W_AUFT_BAR Authorization for allocation rule type
W_AUFT_RMB Authorization for allocation table: Display/Reply per plant
W_FRM Authorization for merchandise distribution
W_GROUPTYP Authorization for managing site groupings
W_LISTVERF Authorization to use listing procedure
W_LIST_EAC Authorization to ignore listing errors
W_MARKDOWN Authorization for markdown planning: MTYP, MATCL, SOrg, DChl
W_PRICATIN Authorization for creating and maintaining PRICAT per purchasing group
W_REF_SITE Authorization to clean MMSITEREF table
W_SRS_POS SAP Retail Store authorization for physical inventory in open store
W_SRS_VKPF SAP Retail Store authorization for daily price maintenance
W_STRU_CHG Authorization to allow changes to structured materials
W_STWB_WRK SAP Retail Store authorization for store
W_VKPR_PLT Authorization for sales price calculation: Distribution channel/price list
W_VKPR_VKO Authorization for sales price calculation: Distribution channel
W_VKPR_VTL Authorization for sales price calculation: Organizational level distribution channel and various material groups
W_VKPR_WRK Authorization for sales price calculation: Distribution channel/plant
W_WAKH_EKO Authorization for promotions: Purchasing organization/purchasing group
W_WAKH_MAT Authorization for promotions: Material number
W_WAKH_THE Authorization for promotions: Theme
W_WAKH_VKO Authorization for promotions: Sales organization/distribution channel
W_WBEF_WRK Authorization for sales price revaluation: Distribution channel/plant
W_WIND_TYP Automatic journal entry adjustment: Authorization for journal entry type
W_WTAD_AM Authorization for additionals monitor
W_WTAD_ASL Authorization for additionals: Supplier/purchase order list
W_WTAD_IR Request additionals IDoc via BAPI call function
W_WTAD_ISU Authorization for status update for additionals IDoc
WLM Assignment of articles for layout modules
WLMLOCLIST Creation of assortments per layout module and store
WLMVREL Release of layout module version
WLMVV Layout module version variants maintenance
WLWBENT Access to layout workbench
WPLGACT Call external space management
WRF_CDT_H Article hierarchy: Horizontal hierarchy maintenance
WRF_CDT_V Article hierarchy: Vertical hierarchy and attribute maintenance
WRF_FOLUP Authorization: Follow-up/Replacement material relationships
WRF_GH_AUT Generic hierarchy: Authorization check
W_BUDG_TY Budget type
W_RF_MPA Authorization for markdown profile assignment
W_RF_WLAY Authorization for layout
C_WRFCHVAL Authorization for characteristic value maintenance
Additional Standard Authorization Objects for Fashion and Vertical Business
The following table shows the standard authorization objects that are used for specific SAP S/4HANA for fashion
and vertical business solutions.
Table 469:
Authorization Object Description
ARUN_WB Authorization for the order allocation run (ARun) workbench
ARUN_LOG Authorization for message logging during the order allocation run. This authorization is required to perform the order allocation run in online, batch, and parallel modes.
ARUN_ON Authorization for performing the order allocation run in online mode
FSH_ATTRB Authorization for the maintenance of article attributes in fashion and vertical business (information)
ARUN_CCR Authorization for the consistency check report
C_SGTSETUP Authorization for segmentation setup
C_SGT_DEFT Authorization for default segmentation maintenance
SWB_DISPLA Authorization for Season Workbench
SWB_TREE Authorization to create/edit/delete the tree view in Season Workbench
SWB_PUR_V Authorization to create/edit/delete the purchasing view in Season Workbench
SWB_SALE_V Authorization to create/edit/delete the sales view in Season Workbench
FSH_SRL Authorization for the stock/requirement list for fashion and vertical business
SWB_PROD_V Authorization to create/edit/delete the production view in Season Workbench
FSH_ITAARN Authorization for the Insight to Action report
FSH_COD Authorization to create/edit/delete cut-off dates
FSH_DPR Authorization to create/generate/change distribution curve
FSH_QDP Authorization to create/generate/change quantity distribution profile
FSH_MRK Authorization to create/change/display marker information
RFM_PSST Authorization for PSST: Grouping rules and groups
13.14.8.3 Deletion of Personal Data in Retail
SAP S/4HANA Retail solutions might process data (personal data) that is subject to the data protection laws
applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking
and deletion of personal data. For more information, see the product assistance for SAP S/4HANA on SAP Help
Portal at https://help.sap.com/viewer/product/SAP_S4HANA_ON-PREMISE/. Choose a version and then go to
Product Assistance > Cross Components > Data Protection.
Relevant Application Objects (Data) and Available Deletion Functionality
Table 470:
Application | Application Objects | Provided Deletion Functionality
Allocation | Application-specific data used in the following transactions: WA01, WA02, WA03, WA04, WA08, WA30, WA35 | Transaction WA09
Alternate Historical Data | Application-specific data used in the following transactions: MDRD1 - MDRD3, MAHD1 - MAHD3 | Transaction MAHD4 can be used to delete entries in the Alternate Historical Data tables. Transaction MDRD4 can be used to delete delivery relationships.
Article Discontinuation | Application-specific data used in the following transactions: WRF_DIS_SEL, WRF_DIS_MON | ILM object MM_MATNR
Assortment | Application-specific data used in the following transactions: WSOA1, WSOA2, WSOA3, WSO1, WSO2, WSO3, WSO4, WSO5. Tables: WRSZ, WLK1, WSOH | Transaction WSOA4 can be used to delete assortments. Transactions WSOA2/WSOA6 can be used to delete assortment users (customers).
Assortment List | Application-specific data used in the following transactions: WDBM_HPR, WJB5, WBBS, WBBS_ALV | Assortment List Reorganization: report RWDPOSRS
Automatic Document Adjustment | Transactions MEI1 - MEI5 | ILM object MM_EKKO
Investment Buying | Application-specific data used in the following transactions: WLB1, WLB2, WLB6 | Report RWFWW_DELETE_CUSTOMERS
Load Building | Application-specific data used in the following transactions: WLB4, WLB5, WLB7, WLBA, WLBB, WLB13 | Report RWVLB_DELETE_LOGTABLES
Merchandise Distribution | Application-specific data used in the following transactions: WF10, WF10A, WF20, WF30, WF60, WF70 | Transaction WA40 can be used to delete FRET entries that have status Completed.
Planning Workbench | Transaction WWP1 | For non-application-specific data, functionality is provided by other relevant applications.
POS Interface – Inbound | | For non-application-specific data, functionality is provided by other relevant applications.
POS Interface – Monitor | | Deletion reports RWPUDTST and RWPUDLST
POS Interface – Outbound | | For non-application-specific data, functionality is provided by other relevant applications.
Price Catalog Processing – Inbound | W_PRICAT_MAINTAIN, W_SYNC | Reports: W_PRICAT_DELETE (Delete Inbound Price Catalogs), W_PRICAT_DELPOS (Delete PRICAT Items)
Price Planning Workbench | | Reports for the deletion of budgets and price plans: RWRF_PPW_BUDG_DELETE, RWRF_PPW_PPD_DELETE, RWRF_PPW_PPD_DELETE_DIRECT. Destruction object: RWRF_PPW_PPD_DESTRUCTION
Promotions | Table WALE, Transaction WAK5 | ILM objects: W_PROMO_AD, W_MARKDOWN
Replenishment | Application-specific data used in the following transactions: WRMO, WR60 | ILM object MM_MATNR
Sales Price Calculation | Application-specific data used in the following transactions: VKP1-VKP8, VKPB | ILM object W_KALK
Site Master | Transactions WB01-WB03 | ILM object WS_ACSITE
Subsequent Settlement | Application-specific data used in the following transactions: MEB2, MEB3, MEB5, MEB6, MEB8, MEB9, MEBS, MEBB, MEBV, MEB7, MEU3 | ILM object SD_AGREEM
Tickets and Additionals | Application-specific data used in the following transactions: WTAM, WTR1 | ILM object WTADDI
Vendor Managed Inventory | Application-specific data used in the following transactions: WVM1, WVM2, WVM3, WVM4 | Report RWVMI_DELETE_EDMMS
Relevant Application Objects and Available Deletion Functionality Provided by Other Applications Used by SAP S/4HANA Retail solutions
● Sales
For information, see Deletion of Personal Data [page 374].
● Sourcing and Procurement
For information, see Deletion of Personal Data [page 396].
● Customer and supplier master data
For information, see Deletion of Personal Data [page 462].
Relevant Application Areas and Available EoP/WUC Functionality
Table 471:
Application | Solution Implemented for Application-Specific Data | Further Information
Allocation | End of purpose (EoP) check | CL_ALLOCATION_CV_EOP_CHECK, method CVP_IF_APPL_EOP_CHECK~CHECK_PARTNERS
Alternate Historical Data | not applicable | Tables do not contain any customer or supplier data.
Article Discontinuation | not applicable | For non-application-specific data, functionality is provided by Sourcing and Procurement.
Assortment | not applicable | An end of purpose (EoP) check is not provided because customer and supplier numbers used in the tables do not indicate any business relationships.
Assortment List | not applicable | An end of purpose (EoP) check is not provided because supplier numbers used in the tables do not indicate any business relationships.
Automatic Document Adjustment | not applicable | For non-application-specific data, functionality is provided by Sourcing and Procurement.
Investment Buying | not applicable | For non-application-specific data, functionality is provided by Sales.
Load Building | not applicable | For non-application-specific data, functionality is provided by Sales.
Merchandise Distribution | End of purpose (EoP) check | CL_ALLOCATION_CV_EOP_CHECK, method CVP_IF_APPL_EOP_CHECK~CHECK_PARTNERS
Planning Workbench | not applicable | For non-application-specific data, functionality is provided by Sales.
POS Interface – Inbound | not applicable | POS interface uses documents that already exist in other SAP applications. These documents can be archived using the relevant archiving objects and deleted using the solutions (and end of purpose (EoP) checks) provided by the other SAP applications. An end of purpose (EoP) check for Customizing is not provided because partner information is stored anonymously in Customizing tables.
POS Interface – Monitor | not applicable | POS interface uses documents that already exist in other SAP applications. These documents can be archived using the relevant archiving objects and deleted using the solutions (and end of purpose (EoP) checks) provided by the other SAP applications.
POS Interface – Outbound | not applicable | POS interface uses documents that already exist in other SAP applications. These documents can be archived using the relevant archiving objects and deleted using the solutions (and end of purpose (EoP) checks) provided by the other SAP applications. An end of purpose (EoP) check for log tables is not provided because partner information is not shown in the application at this time, a deletion report exists, and there is no business need to archive the log status of data preparation.
Price Catalog Processing – Inbound | End of purpose (EoP) check | CL_PRICAT_EOP_CHECK_CV, method CVP_IF_APPL_EOP_CHECK~CHECK_PARTNERS
Price Planning Workbench | not applicable | An end of purpose (EoP) check is not provided because supplier numbers in pricing documents represent supply source information but do not indicate any business relationship to the supplier.
Promotions | End of purpose (EoP) check | CL_PROMOTION_CV_EOP_CHECK, method CVP_IF_APPL_EOP_CHECK~CHECK_PARTNERS
Replenishment | not applicable | For non-application-specific data, functionality is provided by Sourcing and Procurement.
Sales Price Calculation | not applicable | An end of purpose (EoP) check is not provided because supplier numbers in pricing documents represent supply source information but do not indicate any business relationship to the supplier.
Site Master | Where-used check (WUC) | CL_T001W_WUC
Subsequent Settlement | End of purpose (EoP) check | CVP_SD_EOP_CHECK_MM_REBATE
Tickets and Additionals | not applicable | For non-application-specific data, functionality is provided by Sourcing and Procurement.
Vendor Managed Inventory | not applicable | For non-application-specific data, functionality is provided by Sourcing and Procurement.
Configuration: Simplified Blocking and Deletion
● You define the settings for authorization management in Customizing for Cross-Application Components
under Data Protection > Authorization Management.
For more information, see the Customizing documentation.
● You configure the settings related to the blocking and deletion of customer and supplier master data in
Customizing for Logistics - General under Business Partner > Deletion of Customer and Supplier Master Data.
13.14.8.4 Payment Card Security According to PCI-DSS
Note
The Payment Card Industry Data Security Standard (PCI-DSS) was jointly developed by major credit card
companies in order to create a set of common industry security requirements for the protection of cardholder
data. Compliance with this standard is relevant for companies processing credit card data. For more
information, see the official website of the PCI Security Standards Council at https://www.pcisecuritystandards.org.
This section of the security guide supports you in implementing payment card security aspects and outlines steps
that need to be considered to be compliant with the PCI-DSS.
Please note that the PCI-DSS covers more than the following steps and considerations. Complying with the PCI-
DSS lies completely within the customer’s responsibility, and we cannot guarantee the customer’s compliance
with the PCI-DSS.
For current information about PCI-DSS, see also SAP Note 1609917 .
PCI-relevant POS (Point-of-Sale) sales can be processed in SAP S/4HANA Retail for merchandise management
for financial postings and inventory management. Depending on the configuration of the POS solution, the data
transferred to SAP S/4HANA Retail for merchandise management can contain credit card information that needs
to be handled according to the PCI Standard. In this case, the card data has to be encrypted during inbound
processing. The relevant asynchronous communication methods are the IDocs with the message type WPUBON
(Upload Sales Documents per Receipt), and message type WPUTAB (Upload End-of-Day Closing POS).
For more information about Archiving, RFC Debugging, Forward Error Handling (FEH) and Card Verification
Values (CVV), see Payment Card Security According to PCI-DSS [page 80].
Interfaces (IDoc/Services)
Note
IDoc segments must not store credit card numbers in clear text, because this would violate the PCI security standard. While an IDoc is being processed within the IDoc framework, however, all values are held temporarily, including the clear-text credit card number. The encryption described below therefore has to take place before the IDoc is saved to the IDoc database.
For more information about how to process customer-specific IDocs containing credit card information, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies > Security Guide ALE (ALE Applications) > Handling Sensitive Data in IDocs, in SAP NetWeaver Release 7.50.
Encryption/Decryption and Storage of the Encrypted Number
IDoc encryption process: IDoc data records are passed to the BAdI implementation IDOC_PCI_ENCR_IM, which performs the PCI-DSS inbound IDoc encryption. The process starts by identifying the segment in the IDoc record structure that contains the credit card information. The data from the relevant segments E1WPZ02 and E1WPB06 is mapped to the internal record structure in order to retrieve the card GUID, the credit card institution, and the credit card number. After this, the security level of the credit card institution is read from Customizing:
● If the security level is set to 2, the credit card number is encrypted.
● If the security level is set to 1, the credit card number is masked.
The card GUID and the encryption type are mapped to the structure that is used later for decryption, and a message informs the user whether the encryption was successful. Finally, a consistency check is performed.
Decryption process: The process starts by identifying the segment in the IDoc record structure that contains the credit card information. The data from the relevant segments E1WPZ02 and E1WPB06 is mapped to the internal record structure in order to retrieve the card GUID, the encryption type, and the encrypted credit card number. The encryption type is set to the fixed value 2, since only encrypted numbers (security level 2) can be restored; a masked number (security level 1) cannot. The credit card number is decrypted, and a message informs the user whether the decryption was successful.
● The BAdI implementation for PCI-DSS inbound IDoc decryption is IDOC_PCI_DECRYPTION_IM.
● Of the two IDoc database encryption/decryption BAdIs (IDOC_DATA_MAPPER, IDOC_DATA_CRYPTION), one is called before the IDoc is saved to the IDoc database and the other after it is read from it.
Customizing
Maintain the following settings in Customizing:
● The basic settings for payment cards: In Customizing under Cross-Application Components > Payment Cards > Basic Settings > Assign Checking Rule.
● The settings for the encryption save mode: Define whether existing GUIDs for credit cards are reused. By default, the existing GUID is reused. You can adapt the default with a customer-specific BAdI implementation, using the enhancement spot ES_WPOS_PCA_SECURITY and the BAdI definition WPOS_PCA_SECURITY.
● The security settings for the credit card institution: In Customizing under Cross-Application Components > Payment Cards > Basic Settings > Make Security Settings for Payment Cards. The following entries are an example of security settings for payment cards:
○ Security Level: Masked Display and Encrypted When Saved
○ Access Log: Logging of unmasked display
○ Visible Characters for Masking: at start 4, at end 4
● The settings for masking the credit card number: In the Customizing table of transaction WECRYPTDISPLAY, maintain the Assignment of Encrypted Segment entries as follows:
○ Message Type: WPUBON, Segment Type: E1WPB06, Field Name: KARTENNR
○ Message Type: WPUTAB, Segment Type: E1WPZ02, Field Name: KARTENNR
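As an added example (not SAP code, and not the BAdI implementations named above), the following Python models the inbound step described in the encryption process and driven by the Customizing values listed here: it looks up the configured segment/field assignment, applies the institution's security level, masks or encrypts KARTENNR, assigns a card GUID (reusing an existing one by default), and runs the consistency check that no clear-text card number survives. Everything not named in the guide is an assumption and is marked as such in the code: the record layout, the CCINS, CCARD_GUID and ENCTYPE field names, the institute keys, the sample records, and the cipher, which is an HMAC-SHA256 counter-mode construction standing in for the system's own encryption.

```python
"""Added example, not SAP code: the inbound masking/encryption step the guide
describes, driven by the Customizing values it lists. Assumed (not in the guide):
record layout, the CCINS/CCARD_GUID/ENCTYPE field names, the institute keys, the
sample records, and the cipher (HMAC-SHA256 counter mode plus an HMAC tag)."""
import base64
import hashlib
import hmac
import os
import re
import uuid

# Assignment of Encrypted Segment (transaction WECRYPTDISPLAY): the two entries from the guide.
ENCRYPTED_FIELDS = {("WPUBON", "E1WPB06"): "KARTENNR", ("WPUTAB", "E1WPZ02"): "KARTENNR"}
# Security level per card institute (Make Security Settings for Payment Cards); keys assumed.
SECURITY_LEVEL = {"VISA": 2, "MC": 2, "STORECARD": 1}  # 2 = encrypt when saved, 1 = mask
INSTITUTE_FIELD = "CCINS"  # assumed name of the field carrying the institute
VISIBLE_START, VISIBLE_END = 4, 4  # "Visible Characters for Masking" from the guide
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used only to recognise PAN-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Security level 1: keep the visible characters at start and end, star out the rest."""
    hidden = len(pan) - VISIBLE_START - VISIBLE_END
    if hidden < 1:
        raise ValueError("PAN too short to mask safely")
    return pan[:VISIBLE_START] + "*" * hidden + pan[-VISIBLE_END:]

def _subkey(key: bytes, label: bytes) -> bytes:
    """One master key; separate derived keys for keystream, tag and lookup index."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_pan(key: bytes, pan: str) -> str:
    """Security level 2: base64(nonce || ciphertext || tag)."""
    nonce, data = os.urandom(12), pan.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(_subkey(key, b"enc"), nonce, len(data))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return base64.b64encode(nonce + ct + tag).decode()

def decrypt_pan(key: bytes, blob: str) -> str:
    """Verify the tag first: a tampered record must not yield a plausible PAN."""
    raw = base64.b64decode(blob)
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()

def card_guid(index: dict, key: bytes, pan: str, reuse_guid: bool = True) -> str:
    """Card GUID assignment; by default a known PAN keeps its GUID (the guide's default).
    The index is keyed by an HMAC of the PAN: an unkeyed hash of 16 digits is brute-forceable."""
    idx = hmac.new(_subkey(key, b"idx"), pan.encode(), hashlib.sha256).hexdigest()
    if not (reuse_guid and idx in index):
        index[idx] = str(uuid.uuid4()).upper()
    return index[idx]

def process_inbound(message_type: str, records: list, key: bytes, index: dict) -> list:
    """Mask or encrypt the configured field before the records reach the IDoc database."""
    out = []
    for rec in records:
        fields = dict(rec["fields"])
        name = ENCRYPTED_FIELDS.get((message_type, rec["segment"]))
        if name and fields.get(name):
            pan = fields[name]
            level = SECURITY_LEVEL.get(fields.get(INSTITUTE_FIELD), 2)  # unknown institute: encrypt
            fields["CCARD_GUID"] = card_guid(index, key, pan)
            fields["ENCTYPE"] = str(level)
            fields[name] = encrypt_pan(key, pan) if level == 2 else mask_pan(pan)
        out.append({"segment": rec["segment"], "fields": fields})
    return out

def cleartext_pans(records: list) -> list:
    """Consistency check: any Luhn-valid 13-19 digit run left in the records is a finding."""
    return [(rec["segment"], fname, m)
            for rec in records
            for fname, value in rec["fields"].items()
            for m in PAN_RE.findall(str(value)) if luhn_ok(m)]

# Constructed sample of three WPUBON data records (segment E1WPB01 and its field are assumed).
SAMPLE_RECORDS = [
    {"segment": "E1WPB06", "fields": {"KARTENNR": "4111111111111111", "CCINS": "VISA"}},
    {"segment": "E1WPB06", "fields": {"KARTENNR": "6011000990139424", "CCINS": "STORECARD"}},
    {"segment": "E1WPB01", "fields": {"BELEGNR": "0000123"}},
]
```

Two points the example makes that the guide leaves implicit: the lookup that lets an existing GUID be reused must be keyed, because an unkeyed hash of a 16-digit number is recovered by enumeration, and a masked value is not reversible, which is why the decryption path only handles encryption type 2. The scan in cleartext_pans is also the check worth running over the persisted IDoc data records after go-live and after every change to the segment assignment.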
13.14.9 Utilities
13.14.9.1 Authorizations
The way that authorization management is organized within a company depends on factors such as the size of the company and its organizational structure, amongst others. Authorization management must be tailored to each company's specific requirements and processes. SAP Utilities uses the authorization concept provided by SAP NetWeaver Application Server for ABAP. Therefore, the recommendations and guidelines for authorizations described in the SAP NetWeaver AS ABAP Security Guide also apply. The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User Administration and Authentication.
Standard Authorization Objects
The following table provides an overview of the authorization objects available for SAP Utilities, sorted by
component:
Table 472:
Component | Authorization Object | Description
Regional Structure | E_REGIOGRP | Authorization Object for Regional Structure Group
Scheduling | E_PORTION | Authorization Object for Portion
Master Data | E_CONTRACT | Authorization Object for IS-U Contract
 | E_CUST_CHG | Authorization Object for Maintaining Sample Customers in IS-U
 | E_GRID | Authorization Object for Grid
 | E_INSTLN | Authorization Object for Utility Installation
 | E_INSTLN2 | Authorization Object for Utility Installation – IDEX
 | E_INSTFACT | Installation Facts
 | E_LOYALACC | Authorization Object for Loyalty Account
 | E_NBSERVI2 | Authorization Object for Point of Delivery Service – IDEX
 | E_NBSERVIC | Authorization Object for Point of Delivery Service
 | E_POD | Authorization Object for Point of Delivery
 | E_POD2 | Authorization Object for Point of Delivery Transaction – IDEX
 | E_PREMISE | Authorization Object for Premise
 | E_PROPERTY | Authorization Object for Owner Allocation
Device Management | E_CERTIFCT | Authorization Object for Device Certification
 | E_CONNOBJ | Authorization Object for Connection Object
 | E_CRFC_CHG | Authorization Object for Changing Certification in Device Category
 | E_DEV_CHNG | Authorization Object for Device Modification
 | E_DEV_PREL | Authorization Object for Changing Validation Relevance of Devices
 | E_DEV_REL | Authorization Object for Device Relationships
 | E_DEVGRP | Authorization Object for Device Group
 | E_DEVLOC | Authorization Object for Device Locations
 | E_INST_REM | Authorization Object for Installation, Removal, and Replacement
 | E_LOG_REG | Authorization Object for Logical Registers
 | E_METER_RR | Authorization Object for Meter Reading Results
 | E_MR_DOC | Authorization Object for Meter Reading Documents and Orders
 | E_MR_DOC1 | Authorization Object for Meter Reading Documents and Orders
 | E_MR_DOC2 | Authorization Object for Meter Reading Documents w.r.t. Company Code
 | E_MRD_UNIT | Authorization Object for Meter Reading Unit
 | E_REG_REL | Authorization Object for Register Relationships
 | E_SAMP_LOT | Authorization Object for Sample Lot
 | E_SEAL_IN | Authorization Object for Seal Management
Energy Data Management | E_EDM_PRF2 | Authorization Object for Processing EDM Profiles – IDEX
 | E_EDM_PROF | Authorization Object for Processing EDM Profiles
 | E_EDM_SETT | EDM Settlement
 | E_INSTLN3 | Authorization Object for Profile Allocation in Utility Installation
 | E_PROF_IMP | Authorization Object for Profile Import to IS-U EDM
Billing | E_B_BIL_PL | Authorization Object for Budget Billing Plan
 | E_BILL_CL | Authorization Object for Billing Class
 | E_DEV_RATE | Authorization Object for Rate Data
 | E_DISCOUNT | Authorization Object for Discount/Surcharge
 | E_INSTCALC | Authorization Object for Asynchronous Formula Instance Calculation
 | E_OPERAND | Authorization Object for Operands
 | E_PRESCL | Authorization Object for Price Adjustment Clause
 | E_PRICE1 | Authorization Object for Price
 | E_PRICEUPL | Authorization Object for Importing Prices from Excel
 | E_RATE | Authorization Object for Rate
 | E_RATE_CAT | Authorization Object for Rate Category
 | E_RATE_DET | Authorization Object for Rate Determination
 | E_SCHEMA | Authorization Object for Schema
 | E_TRIGGER | Authorization Object for Billing Order
 | E_VARIANT | Authorization Object for Variants
Invoicing | E_INVOICE | Authorization Object for Invoicing Contract Accounts
Contract Accounts Receivable and Payable | E_DEREG_WO | Authorization Object for Write-Off in Deregulation Scenarios
Customer Service | E_DISC_DOC | Authorization Object for Disconnection Document for Installation
 | E_ISUEBPP | Authorization Object for Activities (ISU_ABPP)
 | E_MOVE_IN | Authorization Object for Move-In
 | E_MOVE_OUT | Authorization Object for Move-Out
 | E_PRDOC | Authorization Object for Parked Document
 | E_REDEMPTN | Authorization Object for Redemption
Intercompany Data Exchange | E_DRGSCEN | Authorization Object for Supply Scenario
 | E_DTX_TASK | Authorization Object for Processing Data Exchange Tasks
 | E_IDE_CHKT | Authorization Object for IDE Check Framework Tool for Deregulation
 | E_INV_DOC | Authorization Object for Bill Receipt Document or Payment Advice Note
 | E_INV_ETHI | Authorization Object for Aggregated Posting to Contract Account of Service Provider
 | E_SERVPROV | Authorization Object for Service Provider
 | E_SWTDOC | Authorization Object for Switch Document
Advanced Metering Infrastructure | E_AMI_EM | Authorization Object for IS-U Event Management
 | E_AMI_IN | Authorization Object for AMI Inbound Confirmation Methods
 | E_AMI_MON | Authorization Object for AMI Monitoring
 | E_AMI_MSG | Authorization Object for Sending Messages
 | E_AMI_OPST | Authorization Object for Operational State of Advanced Meter
 | E_AMI_SMDS | Authorization Object for AMI Simplified Master Data Synchronization
 | E_DISC_AMI | Authorization Object for Remote Disconnection
 | E_MDUSCONF | Authorization Object for MDUS Configuration
 | E_TSCALC | Authorization Object for Time Series Calculation
 | EAMI_CO_IN | Authorization Object for Inbound Confirmation
 | ETOUEXCEPT | Authorization Object for TOU Exceptions
 | ETOUEXRESP | Authorization Object for TOU Exception Responses
To display the standard authorization objects for SAP Utilities in your system, proceed as follows:
1. In the SAP menu, choose Tools > Administration > User Maintenance > Authorizations and Profiles > Edit Authorizations Manually (transaction SU03).
2. Select object class IS_U (Industry Solutions – Utilities) and choose List Authorizations.
13.14.9.2 Data Storage Security
Using Logical Path and File Names to Protect Access to the File System
The Industry Solution Migration Workbench (ISMW) saves data in files in the file system. Therefore, it is important to grant access explicitly to the corresponding files in the file system without allowing access to other directories or files (which would otherwise be possible by directory traversal). This is achieved by specifying logical paths and file names in the system that map to the physical paths and file names. This mapping is validated at runtime, and if access is requested to a directory that does not match a stored mapping, an error occurs.
Logical File Names / Path Names Used
The Migration Workbench (ISMW) uses the logical file name ISMW_FILE with the logical file path ISMW_ROOT to enable the validation of physical file names.
Activating the Validation of Logical Path and File Names
These logical paths and file names are specified in the system for the corresponding programs. For downward compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain the physical path using transaction FILE (client-independent) or SF01 (client-specific). To find out which paths are being used by your system, you can activate the corresponding settings in the Security Audit Log.
For more information about data storage security, see the respective chapter in the SAP NetWeaver Security Guide.
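The mapping and the traversal check described above, as an added example in Python (not SAP code, and not the logic of transaction FILE itself). ISMW_ROOT and ISMW_FILE are the names from the guide; the physical root directory, the file name pattern with its <PARAM_1> placeholder, and the sample file names are assumptions.

```python
"""Added example, not SAP code: resolve a logical file name to a physical path and
refuse anything that leaves the logical root. The physical directory and the name
pattern are assumed; the guide only names ISMW_ROOT and ISMW_FILE."""
import posixpath
import re

# Logical path -> physical directory (what transaction FILE holds); directory assumed.
LOGICAL_PATHS = {"ISMW_ROOT": "/usr/sap/ISU/ismw"}
# Logical file -> (logical path, physical name pattern); the pattern is assumed.
LOGICAL_FILES = {"ISMW_FILE": ("ISMW_ROOT", "<PARAM_1>.dat")}
# After substitution the name must be a single plain component: no separators, no leading dot.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def physical_path(logical_file: str, params: dict) -> str:
    """Build the physical name from the logical definition and prove it stays under the root."""
    path_name, pattern = LOGICAL_FILES[logical_file]
    root = LOGICAL_PATHS[path_name]
    name = pattern
    for key, value in params.items():
        name = name.replace(f"<{key}>", value)
    if not SAFE_NAME.fullmatch(name):  # also catches an unsubstituted <PARAM_1>
        raise ValueError(f"illegal file name component {name!r}")
    full = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, full]) != root:  # defence in depth behind the regex
        raise ValueError(f"{full} leaves {root}")
    return full


def logical_path_for(physical: str) -> str:
    """Reverse check for programs handed an arbitrary physical name: after normalisation
    it must lie under a stored logical root, otherwise access is refused."""
    if not posixpath.isabs(physical):
        raise ValueError("relative paths are not mapped")
    norm = posixpath.normpath(physical)
    for name, root in LOGICAL_PATHS.items():
        if norm != root and posixpath.commonpath([root, norm]) == root:
            return name
    raise ValueError(f"{physical} matches no logical path")


if __name__ == "__main__":
    print(physical_path("ISMW_FILE", {"PARAM_1": "migration_2017"}))
    for attempt in ("../../etc/passwd", "..", ""):
        try:
            physical_path("ISMW_FILE", {"PARAM_1": attempt})
        except ValueError as err:
            print("rejected:", err)
```

On a live system the normalised path should additionally be resolved with os.path.realpath before the commonpath comparison, so that a symbolic link placed inside the root cannot point outside it; the example uses posixpath only so that it runs without the directory existing. Note the guide's point that validation is off by default for compatibility: until it is activated, nothing of this kind is enforced for ISMW.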
13.14.9.3 Enterprise Services Security
For general information, see the chapters on Web Services Security in the SAP NetWeaver Security Guide. For
Utilities-specific processes, during which system-to-system communication (A2A communication) takes place
within a system landscape and processes that prepare for market communication with other market participants
as part of intercompany data exchange, note the following:
Note
If, as part of your company-specific processes, you have communication interfaces with other systems, you
must also take their recommended security measures into account.
A2A Communication Within a System Landscape
During A2A communication, data is exchanged between an SAP system and an external system. This
communication is based on enterprise services and can flow via a PI system as a data hub or directly between the
respective systems (point-to-point). As identifying parameters, the SAP system uses internal values (such as the
profile number) or parameters that are generally understood in the market (such as external point of delivery IDs).
For information about the security measures relevant to A2A communication, see the SAP NetWeaver Security
Guide. The authorization objects of the respective transactions provide these processes with additional security.
Market Communication in Intercompany Data Exchange
As part of intercompany data exchange, messages are sent from an SAP Utilities system to a PI system or a
comparable upstream system to prepare for market communication with other market participants. The
messages are then converted into a universally valid market format and sent on to other systems. As identifying
parameters, the SAP system uses values that are generally understood in the market (such as external point of
delivery IDs). Communication can take place using enterprise services or IDocs (ALE communication).
For more information about the necessary security measures, see the SAP NetWeaver Security Guide. The
authorization objects of the respective transactions provide these processes with additional security.
13.14.9.4 Deletion of Personal Data
SAP Utilities might process data that is subject to the data protection laws applicable in specific countries as
described in SAP Note 1825544 .
The SAP Information Lifecycle Management (ILM) component supports the entire software lifecycle including the
storage, retention, blocking, and deletion of data. SAP Utilities uses SAP ILM to support the deletion of personal
data. SAP delivers end of purpose checks for SAP Utilities-specific objects.
End of Purpose Check (EoP)
An end of purpose check determines whether data is still relevant for business activities based on the retention
period defined for the data. The retention period of data consists of the following phases.
● Phase one: The relevant data is actively used.
● Phase two: The relevant data is actively available in the system.
● Phase three: The relevant data needs to be retained for other reasons.
For example, processing of data is no longer required for the primary business purpose, but to comply with
legal rules for retention, the data must still be available. In phase three, the relevant data is blocked. Blocking
of data prevents the business users of SAP applications from displaying and using data that may include
personal data and is no longer relevant for business activities.
Blocking of data can impact system behavior in the following ways:
● Display: The system does not display blocked data.
● Change: It is not possible to change a business object that contains blocked data.
● Create: It is not possible to create a business object that contains blocked data.
● Copy/Follow-Up: It is not possible to copy a business object or perform follow-up activities for a business
object that contains blocked data.
● Search: It is not possible to search for blocked data or to search for a business object using blocked data in
the search criteria.
It is possible to display blocked data if a user has special authorization; however, it is still not possible to create,
change, copy, or perform follow-up activities on blocked data.
For information about the configuration settings required to enable this three-phase based end of purpose check,
see Process Flow and Configuration: Simplified Blocking and Deletion.
Integration with Other Solutions
The end of purpose checks for SAP Utilities are based on those of the Contract Accounts Receivable and Payable (FI-CA) solution. You use transaction FPDPR1 in the SAP menu under Contract Accounts Receivable and Payable > Periodic Processing > For Data Protection > Check If Business Partner Can Be Blocked to check for which business partners the end of purpose has been reached.
SAP Utilities is also integrated with SAP Sales and Distribution (SD) and SAP Customer Relationship Management
(CRM). Cross-system and cross-application end of purpose checks exist in both cases.
If, for example, a business partner is used in SAP Utilities (as part of SAP ERP) and in SAP CRM, the end of
purpose checks cover both applications so that data for a blocked business partner cannot be accessed in either
application.
Relevant Application Objects and Available Deletion Functionality
SAP Utilities uses SAP ILM to support the deletion of personal data. For more information, see the documentation
for Information Lifecycle Management.
Relevant Application Objects and Available EoP Functionality
The following end of purpose checks exist:
● Check for open contracts without any open items in their contract account
● Check if all invoicing documents have been printed
● Check if all billing documents have been invoiced
● Check if business partner is used in a franchise fee contract
● Check if business partner is used in a loyalty account
● Check if business partner is used as a service provider
● Check if business partner is used as an owner
● Check for open disconnection documents for business partner
● Check if business partner is used in role ISUI (installer)
● Check for open error messages for business partner in CRM replication monitoring
The checks for the SAP Utilities-specific object types are included in the enhancement spot
ISU_DPP_EOP_CHECK. For more information, see the documentation for the Business Add-Ins in the system.
Process Flow
1. Before archiving data, you must define residence time and retention periods in SAP Information Lifecycle
Management (ILM).
2. You choose whether data deletion is required for data stored in archive files or data stored in the database, also depending on the type of deletion functionality available.
3. You do the following:
○ Run transaction IRMPOL and maintain the required residence and retention policies for the central
business partner (ILM object: CA_BUPA).
○ Run transaction BUPA_PRE_EOP to enable the end of purpose check function for the central business
partner.
○ Run transaction IRMPOL and maintain the required residence and retention policies for the customer
master and vendor master in SAP ERP (ILM objects: FI_ACCPAYB, FI_ACCRECV, FI_ACCKNVK)
○ Run transaction CVP_PRE_EOP to enable the end of purpose check function for the customer master and
vendor master in SAP ERP.
○ Business users can request unblocking of blocked data by using the transaction BUP_REQ_UNBLK.
○ If you have the needed authorizations, you can unblock data by running the transactions BUPA_PRE_EOP and CVP_UNBLOCK_MD.
○ You delete data by using the transaction ILM_DESTRUCTION for the ILM objects of SAP Utilities.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for Cross-Application Components under Data Protection.
● Define the settings for authorization management under Data Protection > Authorization Management. For more information, see the Customizing documentation.
● Define the settings for blocking under Data Protection > Blocking and Unblocking > Business Partner.
13.14.9.5 Read Access Logging
The Read Access Logging (RAL) component can be used to monitor and log read access to data and provide
information such as which business users accessed personal data, for example, of a business partner, and in
which time frame.
In RAL, you can configure which read-access information to log and under which conditions. SAP delivers sample configurations for applications. In order to use these configurations, save the ZIP attachments from SAP Note 2370371. Extract these ZIP files and import the RAL configurations using the import function for configurations in transaction SRALMANAGER.
SAP Utilities logs read access to bank account numbers and social security numbers.
For more information about Read Access Logging, see the System Security for SAP NetWeaver AS for ABAP Only
guide. You can find this guide using the search at https://help.sap.com/viewer/p/SAP_NETWEAVER_750
13.14.9.6 SAP Waste & Recycling
13.14.9.6.1 Authorizations
Standard Roles
No standard roles are delivered.
Standard Authorization Objects
The tables below show the security-relevant authorization objects, their descriptions, their fields and values, and detailed descriptions of the value ranges.
All Authority Objects
Table 473:
Authorization Object | Description
E_BULKY | Authorization Object for Bulk Waste Maintenance IS-U Waste
E_CLEAN | Authorization Object of IS-U Waste Property
E_CONNOBJ | Authorization Object for Connection Object
E_DEVGRP | Authorization Object for Device Group
E_DEVLOC | Authorization Object for Device Locations
E_ELOCDC | Authorization Object for Allocating Notes to Container Location
E_ELOCEO | Authorization Object for Allocating Waste Disposal Object to Container Location
E_GCONTRAC | Authorization for Guarantor Contract
E_OBJADDR | Authorization Object for Object Address
E_PROPERTY | Authorization Object for Owner Allocation
E_ROB | Authorization Object for Cleaning Object
E_ROUTE | Authorization Object for Route Maintenance
E_SERVADDR | Authorization Object for Service Address
E_SERVFREQ | Authorization Object for Service Frequency
E_SERVLOC | Authorization Object for Container Location
E_WDPLANT | Authorization Object for Waste Disposal Facility
E_WEIGHCST | Authorization Object for Weighing Connection Customizing
E_WEIGHOFL | Authorization Object for Offline Weighing
E_WEIGHPRO | Authorization Object for Weighing Procedure
E_WORKAREA | Authorization Field for WDOC – Work Areas
Authority Objects and Values
Table 474:
Authorization Object | Field | Values / Check Table | Description
E_BULKY | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_CLEAN | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_CONNOBJ | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_CONNOBJ | BEGRU | Check table TBRG | Authorization Group
E_DEVGRP | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_DEVLOC | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_DEVLOC | BEGRU | Check table TBRG | Authorization Group
E_ELOCDC | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_ELOCEO | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_GCONTRAC | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_GCONTRAC | BEGRU | Check table TBRG | Authorization Group
E_OBJADDR | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_OBJADDR | BEGRU | Check table TBRG | Authorization Group
E_OBJADDR | SWERK | Check table T001W | Maintenance Plant
E_PROPERTY | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_ROB | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_ROB | BEGRU | Check table TBRG | Authorization Group
E_ROUTE | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_ROUTE | BEGRU | Check table TBRG | Authorization Group
E_SERVADDR | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_SERVADDR | BEGRU | Check table TBRG | Authorization Group
E_SERVADDR | SWERK | Check table T001W | Maintenance Plant
E_SERVFREQ | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_SERVFREQ | ISU_EWAOBJ | Service object (see Table 476) | Service Frequency Object
E_SERVLOC | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_SERVLOC | BEGRU | Check table TBRG | Authorization Group
E_WDPLANT | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_WEIGHCST | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_WEIGHOFL | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_WEIGHPRO | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_WORKAREA | ISU_ACTIVT | 1-9 (see Table 475) | Activity regarding authorization in IS-U
E_WORKAREA | ISU_EWAWA | Check table EWA_WDOC_WAREA | Waste Disposal Order Cockpit: Work Area
Value Range of Authorization Field ISU_ACTIVT
Table 475:
Value Range Description
1 Display
2 Change
3 Create
4 Delete
5 Change History
6 Reverse
7 Check
8 Execute
9 Display in List
Value Range of Authorization Field ISU_EWAOBJ
Table 476:
Value Range Description
AREA Property
BEH Container
ROB Cleaning Object
ROUTE Route
SERVLOC Container Location
SDORDER Sales Document
ANLAGE Container Allocation
BULK Bulk Waste
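Because no standard roles are delivered, the roles that grant these objects are customer-built, and the field values above are what to audit them against. The following Python is an added example (not SAP code): it reads a role authorization export in the column layout of table AGR_1251 and flags wildcard ISU_ACTIVT grants, LOW/HIGH ranges that silently include the destructive activities 4 (Delete) and 6 (Reverse), and wildcard BEGRU or SWERK values that remove data scoping. The CSV layout, the role names, and the sample values are constructed for the example.

```python
"""Added example, not SAP code: audit a role authorization export for over-broad
values on the SAP Waste and Recycling objects. The column layout follows table
AGR_1251 (AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH); role names and values are
constructed for the example."""
import csv
import io

# Activity values of field ISU_ACTIVT (Table 475).
ISU_ACTIVT = {"1": "Display", "2": "Change", "3": "Create", "4": "Delete", "5": "Change History",
              "6": "Reverse", "7": "Check", "8": "Execute", "9": "Display in List"}
# Activities that remove or undo data; a range that includes them deserves a second look.
DESTRUCTIVE = {"4", "6"}
# Objects whose BEGRU field scopes access by authorization group (Table 474).
BEGRU_OBJECTS = {"E_CONNOBJ", "E_DEVLOC", "E_GCONTRAC", "E_OBJADDR", "E_ROB", "E_ROUTE",
                 "E_SERVADDR", "E_SERVLOC"}
WASTE_OBJECTS = BEGRU_OBJECTS | {"E_BULKY", "E_CLEAN", "E_DEVGRP", "E_ELOCDC", "E_ELOCEO",
                                 "E_PROPERTY", "E_SERVFREQ", "E_WDPLANT", "E_WEIGHCST",
                                 "E_WEIGHOFL", "E_WEIGHPRO", "E_WORKAREA"}


def expand_activities(low: str, high: str) -> set:
    """Concrete ISU_ACTIVT values granted by a LOW/HIGH pair ('*' is every value)."""
    if low == "*":
        return set(ISU_ACTIVT)
    if high:
        return {v for v in ISU_ACTIVT if low <= v <= high}
    return {low} if low in ISU_ACTIVT else set()


def audit_roles(export: str) -> list:
    """(role, object, field, reason) for every over-broad value on a waste object."""
    findings = []
    for row in csv.DictReader(io.StringIO(export), delimiter=";"):
        role, obj, fld = row["AGR_NAME"], row["OBJECT"], row["FIELD"]
        low, high = row["LOW"], row["HIGH"]
        if obj not in WASTE_OBJECTS:
            continue
        if fld == "ISU_ACTIVT":
            if low == "*":
                findings.append((role, obj, fld, "wildcard grants every activity"))
            elif high and expand_activities(low, high) & DESTRUCTIVE:
                hit = sorted(expand_activities(low, high) & DESTRUCTIVE)
                names = ", ".join(f"{v} ({ISU_ACTIVT[v]})" for v in hit)
                findings.append((role, obj, fld, f"range {low}-{high} includes {names}"))
        elif fld == "BEGRU" and obj in BEGRU_OBJECTS and low == "*":
            findings.append((role, obj, fld, "wildcard authorization group: no data scoping"))
        elif fld == "SWERK" and low == "*":
            findings.append((role, obj, fld, "wildcard maintenance plant"))
    return findings


# Constructed export, not from a real system: one read-only role, one with wildcards,
# one whose activity range silently includes Delete and Reverse.
SAMPLE_EXPORT = """AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH
Z_WASTE_DISPLAY;E_ROUTE;T-0001;ISU_ACTIVT;1;
Z_WASTE_DISPLAY;E_ROUTE;T-0001;ISU_ACTIVT;9;
Z_WASTE_DISPLAY;E_ROUTE;T-0001;BEGRU;WD01;
Z_WASTE_ADMIN;E_ROUTE;T-0002;ISU_ACTIVT;*;
Z_WASTE_ADMIN;E_ROUTE;T-0002;BEGRU;*;
Z_WASTE_OPS;E_WDPLANT;T-0003;ISU_ACTIVT;1;8
Z_WASTE_OPS;E_SERVADDR;T-0004;ISU_ACTIVT;4;
Z_WASTE_OPS;E_SERVADDR;T-0004;SWERK;1000;
"""

if __name__ == "__main__":
    for role, obj, fld, reason in audit_roles(SAMPLE_EXPORT):
        print(f"{role}: {obj}/{fld}: {reason}")
```

An explicit single grant of activity 4 is deliberately not flagged: that is a conscious decision by whoever built the role, whereas a range such as 1-8 usually means nobody looked at what lies between the endpoints. Extend WASTE_OBJECTS with the IS-U objects from Table 472 to run the same check over the utilities roles.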
13.14.9.6.2 Internet Communication Framework Security
You should only activate those services that are needed for the applications running in your system. For SAP
Waste and Recycling the service EHWV_WASTE is needed. Use the transaction SICF to activate the service.
If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings
accordingly.
For more information about Internet Communication Framework Services, see the SAP NetWeaver 7.5
Connectivity guide. You can find this guide by searching for Activating and Deactivating ICF Services
at https://help.sap.com/viewer/p/SAP_NETWEAVER_750.
13.14.9.6.3 Deletion of Personal Data
SAP Waste and Recycling might process data that is subject to the data protection laws applicable in specific
countries as described in SAP Note 1825544.
The SAP Information Lifecycle Management (ILM) component supports the entire software lifecycle including the
storage, retention, blocking, and deletion of data. SAP Waste and Recycling uses SAP ILM to support the deletion
of personal data as described in the following sections.
SAP delivers an end of purpose check and a where-used check (WUC) for SAP Waste and Recycling.
All applications register either an end of purpose check (EoP) or a where-used check (WUC) in the Customizing settings for the blocking and deletion of the customer, vendor, and central business partner.
End of Purpose Check (EoP)
An end of purpose check determines whether data is still relevant for business activities based on the retention
period defined for the data. The retention period of data consists of the following phases:
● Phase one: The relevant data is actively used.
● Phase two: The relevant data is actively available in the system.
● Phase three: The relevant data needs to be retained for other reasons.
For example, processing of data is no longer required for the primary business purpose, but to comply with
legal rules for retention, the data must still be available. In phase three, the relevant data is blocked.
Blocking of data prevents the business users of SAP applications from displaying and using data that may
include personal data and is no longer relevant for business activities.
Blocking of data can impact system behavior in the following ways:
● Display: The system does not display blocked data.
● Change: It is not possible to change a business object that contains blocked data.
● Create: It is not possible to create a business object that contains blocked data.
● Copy/Follow-Up: It is not possible to copy a business object or perform follow-up activities for a business
object that contains blocked data.
● Search: It is not possible to search for blocked data or to search for a business object using blocked data in
the search criteria.
It is possible to display blocked data if a user has special authorization; however, it is still not possible to create,
change, copy, or perform follow-up activities on blocked data.
For information about the configuration settings required to enable this three-phase based end of purpose check,
see Process Flow and Configuration: Simplified Blocking and Deletion.
Integration with Other Solutions
In the majority of cases, different installed applications run interdependently, as shown in the following graphic.
Relevant Application Objects and Available Deletion Functionality
SAP Utilities uses SAP ILM to support the deletion of personal data. For more information, see the documentation
for Information Lifecycle Management at https://help.sap.com.
Table 477: Deletion Functionality
Application | Description | Deletion Functionality
Transaction EWAORDER | Standard application for changing waste disposal orders | ILM object ISU_EORDER
Transaction EWAWA01 | Standard application for maintaining single position weighing processes | ILM object ISU_WPROC
Transaction EWAWA_MULTI | Standard application for maintaining multi position weighing processes | ILM object ISU_MWPROC
Transaction ELOC | Maintaining service time slices for containers | ILM object ISU_SERVFQ
Relevant Application Objects and Available EoP/WUC Functionality
The following end of purpose checks exist:
● Check for customer and vendor assignments for waste disposal facilities
● Check for partner assignment of bulky orders
The checks for the SAP Waste and Recycling object types can be enhanced in the enhancement spot
EEWA_BF_DPP. For more information, see the documentation for the Business Add-Ins in the system.
Process Flow
1. Before archiving data, you must define residence time and retention periods in SAP Information Lifecycle
Management (ILM).
2. You choose whether data deletion is required for data stored in archive files or data stored in the database,
also depending on the type of deletion functionality available.
3. You do the following:
○ Run transaction IRMPOL and maintain the required residence and retention policies for the central
business partner (ILM object: CA_BUPA).
○ Run transaction BUPA_PRE_EOP to enable the end of purpose check function for the central business
partner.
○ Run transaction IRMPOL and maintain the required residence and retention policies for the customer
master and vendor master in SAP ERP (ILM objects: ISU_ROUTE, ISU_SERVFQ, ISU_WPROC).
○ Run transaction CVP_PRE_EOP to enable the end of purpose check function for the customer master and
vendor master in SAP ERP.
4. Business users can request unblocking of blocked data by using the transaction BUP_REQ_UNBLK.
5. If you have the needed authorizations, you can unblock data by running the transactions BUPA_PRE_EOP and
CVP_UNBLOCK_MD.
6. You delete data by using the transaction ILM_DESTRUCTION for the ILM objects of .
For information about how to configure blocking and deletion for , see
Configuration: Simplified Blocking and Deletion.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components under Data Protection.
● Define the settings for authorization management in Customizing for Cross-Application Components under Data
Protection Authorization Management. For more information, see the Customizing documentation.
● Define the settings for blocking in Customizing for Cross-Application Components under Data Protection
Blocking and Unblocking Business Partner .
13.14.9.7 Multichannel Foundation for Utilities and Public Sector
13.14.9.7.1 Authorizations
The Multichannel Foundation for Utilities and Public Sector solution uses the authorization concept provided by
the SAP NetWeaver Application Server for ABAP.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Application
Server ABAP Security Guide also apply to the Multichannel Foundation for Utilities and Public Sector solution. The
SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator transaction on the Application Server ABAP (AS ABAP).
Reference Role Templates and Authorizations in SAP CRM
You create a reference user (UMC_REF_USR) during system installation. The reference user provides the
necessary authorizations for each online user. This means the reference user can access data in the back end
systems and Gateway.
PFCG role templates (SAP_CRM_UMC_ODATA and SAP_ISU_UMC_ODATA for SAP CRM and SAP S/4HANA,
respectively) are delivered with SAP CRM and SAP S/4HANA, which can be used (together with role templates
delivered by Gateway, for example, /IWBEP/RT_USS_INTUSR) to create the PFCG role for the reference user.
Reference Role Templates and Authorizations in SAP S/4HANA
For SAP S/4HANA, the PFCG role template (SAP_ISU_UMC_ODATA) is delivered with the SAP S/4HANA system,
which can be used together with role templates delivered by Gateway, for example, /IWBEP/RT_USS_INTUSR to
create the PFCG role for the reference user.
Service Role Templates and Authorizations in SAP CRM
In addition to the reference user, you create a service user (UMC_SRV_USR) during installation. The service user is
responsible for creating the application users. Since the service user is used for anonymous logon, the user
should be granted minimum authorizations.
PFCG role templates (SAP_CRM_UMC_SRV and SAP_ISU_UMC_SRV for SAP CRM and SAP S/4HANA, respectively)
are delivered in SAP CRM and SAP S/4HANA systems, which can be used (together with role templates delivered
by Gateway, for example, /IWBEP/RT_USS_SRVUSR) to create the PFCG role for the service user.
For more information, see the SAP Help Portal at http://help.sap.com/nwgateway under SAP Gateway Security
Guide Authorizations in the SAP System Roles in the SAP Gateway Landscape.
Service Roles and Authorizations in SAP S/4HANA
For SAP S/4HANA, the PFCG role template SAP_ISU_UMC_SRV is delivered in the SAP S/4HANA system, which
can be used together with role templates delivered by Gateway, for example, /IWBEP/RT_USS_SRVUSR, to create
the PFCG role for the service user.
Creating and Assigning Roles in SAP CRM
To create the required users (UMC_SRV_USR, UMC_REF_USR), you must perform the following steps in SAP S/4HANA,
SAP CRM, and the Gateway systems.
Note
In role maintenance, choose Utilities Templates to display the available templates, copy templates
delivered by SAP, change the copies, and create templates for yourself. You will need the authorization User
Master Record Maintenance: User Groups (S_USER_GRP) with value * in the fields CLASS and ACTVT. SAP
template names start with the letter S; therefore, templates that you create must not start with S.
You require administrator authorizations to create roles and users, and to assign roles to users.
1. Create a role and enter a description.
2. Insert the authorizations using the role templates.
Depending on the system and the role type, you can combine different role templates; see the following table:
Table 478:
Templates | SAP CRM System | SAP S/4HANA System | Gateway
UMC_SRV_USR | SAP_CRM_UMC_SRV, /IWBEP/RT_USS_SRVUSR | SAP_ISU_UMC_SRV, /IWBEP/RT_USS_SRVUSR | /IWFND/RT_GW_USR, /IWBEP/RT_USS_SRVUSR
UMC_REF_USR | SAP_CRM_UMC_ODATA, /IWBEP/RT_USS_INTUSR | SAP_ISU_UMC_ODATA, /IWBEP/RT_USS_INTUSR | /IWBEP/RT_USS_INTUSR
Note
Add the additional required authorization objects /IWFND/SRV, S_SECPOL, and S_TCODE.
3. You must manually add authorization object CRM_IUPROC to the reference user in the SAP CRM system. The
recommendation is to add activity 16 (execute) on all the processes (*) as shown below:
4. Verify and edit the authorizations, if necessary.
For the UMC_SRV_USR, check role access to the following services (authorization object: S_SERVICE):
○ Activate OData Services in the Gateway system.
○ CRM_UTILITIES_UMC_URM (SAP CRM and Gateway)
○ CRM_UTILITIES_UMC_PUBLIC_SRV (SAP CRM and Gateway)
○ /IWBEP/USERMANAGEMENT (SAP CRM and Gateway)
For the UMC_REF_USR, check role access to the following services (authorization object: S_SERVICE):
○ Activate OData Services in the Gateway system.
○ CRM_UTILITIES_UMC (for SAP CRM system and Gateway)
○ ERP_UTILITIES_UMC (for SAP S/4HANA system and Gateway)
○ /IWBEP/USERMANAGEMENT (for SAP CRM system and Gateway)
Verifying the authorizations is especially important when function enhancements have been carried out.
5. Generate the authorizations.
A profile is automatically generated for the role.
6. Assign the role to users (UMC_SRV_USR, UMC_REF_USR) and run a user master comparison to enter the
generated profile into the user master record.
Creating and Assigning Roles in SAP S/4HANA
To create the required users (UMC_SRV_USR and UMC_REF_USR), you must perform the following steps in SAP S/4HANA
and the Gateway systems.
Note
In role maintenance, choose Utilities Templates to display the available templates, copy templates
delivered by SAP, change the copies, and create templates for yourself. You will need the authorization User
Master Record Maintenance: User Groups (S_USER_GRP) with value * in the fields CLASS and ACTVT. SAP
template names start with the letter S; therefore, templates that you create must not start with S.
You require administrator authorizations to create roles and users, as well as to assign roles to users.
1. Create a role and enter a description.
2. Insert the authorizations using the role templates.
Depending on the system and the role type, you can combine different role templates; see the following table:
Table 479:
Templates | SAP S/4HANA System | Gateway System
UMC_SRV_USR | SAP_ISU_UMC_SRV, /IWBEP/RT_USS_SRVUSR | /IWFND/RT_GW_USR, /IWBEP/RT_USS_SRVUSR
UMC_REF_USR | SAP_ISU_UMC_ODATA, /IWBEP/RT_USS_INTUSR | /IWBEP/RT_USS_INTUSR
Note
Add the additional required authorization objects /IWFND/SRV, S_SECPOL, and S_TCODE.
3. Verify and edit the authorizations, if necessary.
For the UMC_SRV_USR, check role access to the following services (authorization object: S_SERVICE):
○ ERP_UTILITIES_UMC_URM (SAP S/4HANA and Gateway)
○ /IWBEP/USERMANAGEMENT (SAP S/4HANA and Gateway): This only applies to the standalone SAP ERP
scenario
For the UMC_REF_USR, check role access to the following services (authorization object: S_SERVICE):
○ ERP_UTILITIES_UMC (for SAP S/4HANA system and Gateway)
○ /IWBEP/USERMANAGEMENT (for SAP S/4HANA system and Gateway)
Verifying the authorizations is especially important when function enhancements have been carried out.
4. Generate the authorizations.
A profile is automatically generated for the role.
5. Assign the role to users (UMC_SRV_USR, UMC_REF_USR) and run a user master comparison to enter the
generated profile into the user master record.
Related Information
Gateway Security Guide
See http://help.sap.com/nwgateway
User and Role Administration for SAP NetWeaver AS for ABAP
See http://help.sap.com/netweaver under Identity Management
Authorization Templates
See http://help.sap.com/netweaver under System Administration Tasks Authorizations Maintaining
Authorizations
Setting up Authorizations with Role Maintenance
See http://help.sap.com/netweaver under System Administration Tasks Authorizations Maintaining
Authorizations
13.14.9.7.2 Internet Communication Framework Security (ICF)
Security for the Multichannel Foundation for Utilities and Public Sector solution consists of SAP Gateway OData
services and HTML5/SAP UI5-based Web-enabled content managed by the Internet Communication Framework
(ICF) (transaction SICF).
You must activate the ICF services required for the applications you want to use.
Note
You can also activate these services during the technical configuration.
The Multichannel Foundation for Utilities and Public Sector solution relies on the following services in SAP CRM:
● UMCUI5: An HTML5/SAP UI5-based Web-enabled interface to access the OData services
● CRM_UTILITIES_UMC: OData services from the SAP CRM system
● CRM_UTILITIES_UMC_URM: Multichannel Foundation for Utilities and Public Sector extension of the SAP
Gateway USERREQUESTMANAGEMENT OData service
● CRM_UTILITIES_UMC_PUBLIC_SRV: Anonymous OData Service for products in SAP CRM
● ERP_UTILITIES_UMC_URM (logon user UMC_SRV_USR): OData services from the SAP S/4HANA system
In addition, the application also uses service USERMANAGEMENT from SAP Gateway.
The Multichannel Foundation for Utilities and Public Sector ERP stand-alone solution relies on the following
services:
● ERP_ISU_UMC (logon user/current user): Multichannel Foundation for Utilities and Public Sector extension of
the Gateway USERREQUESTMANAGEMENT OData Service
● ERP_UTILITIES_UMC: OData services from the SAP S/4HANA system
● ERP_ISU_UMC_PUBLIC (logon user UMC_SRV_USR)
In addition, the application also uses the service USERMANAGEMENT from SAP Gateway.
Related Information
RFC/ICF Security Guide
See http://help.sap.com/netweaver under SAP NetWeaver 7.0 Including Enhancement Package 1 SAP
NetWeaver Security Guide Security Guides for Connectivity and Interoperability .
13.14.10 SAP for Insurance
Note that the following security information applies to SAP Claims Management (FS-CM) only and not to other
SAP for Insurance solutions.
13.14.10.1 SAP Claims Management
13.14.10.1.1 Authorizations
SAP Claims Management uses the authorization concept provided by SAP NetWeaver Application Server for
ABAP. The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles.
For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Standard Roles
SAP Claims Management uses the following PFCG roles:
Table 480:
PFCG Role Description
SAP_ICL_CLAIM_HANDLER Role for claim handling
SAP_ICL_CLAIM_VIEWER Role for claim display
SAP_ICL_CLAIM_CUSTOMIZING Role for customizing
SAP_ICL_CLAIM_AUTHORIZATION Role for payments, reserves, subrogation
SAP_ICL_CLAIM_PROCUREMENT Role for procurement
SAP_ICL_CLAIM_BATCH Role for background processing
SAP_BR_INS_CLAIMS_HANDLER Role for general claim handling, particularly using backend transactions
SAP_BR_INS_CLAIMS_SUPERVISOR Role for claim processing team overview
SAP_BR_INS_CUSTOMER_SERVICE Role for claim creation
SAP Claims Management uses the following portal roles:
Table 481:
Portal Role | Description
Claim Center Agent (Insurance) (com.sap.pct.isins.ccagent.claim_center_agent) | The portal role is delivered in Business Package for Center Agent (Insurance) 1.30.
Claim Handler (Insurance) (com.sap.pct.isins.clmhandl.claim_handler) | This portal role has the additional authorization to create and release payments up to a specific amount. The amount is defined in Customizing of the backend system. The portal role is delivered in Business Package for Claim Handler (Insurance) 1.30.
The following Web Dynpro ABAP applications are embedded in these portal roles:
● Claims Search: icl_wd_claimsearchapp_ui
● Claims Summary: icl_wd_claimsummary_ui
● Post Proc FROI (Post Processing of First Report of Injury): icl_wd_postprocfroi_ui
Standard Authorization Objects
General List
You can find a list with all standard authorization objects in the SAP Help Portal at http://help.sap.com/
insurance-cm under Application Help Claims Management Claim Administration of the Claims
Management System Authorizations in the Claims Management System .
Authorization Objects for Use of Enterprise Search
You can find the relevant authorization objects in the SAP Help Portal at http://help.sap.com/insurance-cm
under Application Help Claims Management Claim Administration of the Claims Management System
Search Using Enterprise Search , chapter Integration.
Authorization Objects for Use of BRFplus
You can find the relevant authorization objects in the SAP Help Portal at http://help.sap.com/insurance-cm
under Application Help Claims Management Claim Structuring Business Processes Business Rule
Framework plus (BRFplus) Authorizations for Using BRFplus .
13.14.10.1.2 Data Storage Security
Using Logical Path and File Names to Protect Access to the File System
SAP Claims Management saves data in files in the file system. It is therefore important to grant access explicitly
to the corresponding files in the file system without allowing access to other directories or files (an attack that
exploits this is known as directory traversal). This is achieved by specifying logical paths and file names in the
system that map to the physical paths and file names. The mapping is validated at runtime, and if access is
requested to a directory that does not match a stored mapping, an error occurs.
The following list shows the logical file names and paths used by SAP Claims Management and the programs to
which these file names and paths apply:
Logical File Names Used in SAP Claims Management
The following logical file names have been created in order to enable the validation of physical file names:
● ICLVEH
○ Program using this logical file name and parameters used in this context: ICL_VEHCATALOG_UPLOAD
○ Customizing path: SAP Insurance Claims Management Claim Business Settings Damaged
Objects/Diagnoses Damaged Objects/Injured Persons Import Catalog for Insured Objects
● ICLDIAG
○ Program using this logical file name and parameters used in this context: ICL_DIAG_UPLOAD
○ Customizing path: SAP Insurance Claims Management Claim Business Settings Damaged
Objects/Diagnoses Damaged Objects/Injured Persons Diagnoses Import Diagnosis Groups and
Diagnoses
● ICLSUPPL
○ Program using this logical file name and parameters used in this context: ICL_ICLCLAIMDATA_UPLOAD
● ICLDI
○ Program using this logical file name and parameters used in this context: ICL_DATA_UP_DOWNLOAD
Activating the Validation of Logical Path and File Names
These logical paths and file names, as well as any subdirectories, are specified in the system for the
corresponding programs. For downward compatibility, the validation at runtime is deactivated by default. To
activate the validation at runtime, maintain the physical path using the transactions FILE (client-independent)
and SF01 (client-specific). To find out which paths are being used by your system, you can activate the
corresponding settings in the Security Audit Log.
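As an added illustration (this is not SAP's or FS-CM's code), the following custom report applies the logical file name ICLVEH to a user-supplied path before opening it, so that a path outside the directory mapped in FILE / SF01 is refused. The report name and its parameter are assumptions, and the exception names of FILE_VALIDATE_NAME are quoted as the editor recalls the standard interface; confirm them in SE37 for your release.

```abap
" Added example; not part of the SAP documentation or of FS-CM itself.
" A custom upload report checks a user-supplied physical file name against
" the logical file name ICLVEH (mapped in transaction FILE / SF01) before the
" file is opened, so a path outside the mapped directory is refused.
REPORT z_icl_validate_file_demo.              " hypothetical report name

" Physical path typed by the user (constructed input for this example).
PARAMETERS p_file TYPE fileextern LOWER CASE.

" Logical file name from the FS-CM list above.
CONSTANTS gc_logical TYPE fileintern VALUE 'ICLVEH'.

DATA lv_physical TYPE fileextern.
DATA lv_msg      TYPE string.

START-OF-SELECTION.
  lv_physical = p_file.

  " FILE_VALIDATE_NAME compares the physical name with the path stored for
  " the logical file name; validation_failed is raised when the name lies
  " outside that path, for example after a '..' segment.
  " Exception names as the editor recalls the standard interface (assumption).
  CALL FUNCTION 'FILE_VALIDATE_NAME'
    EXPORTING
      logical_filename           = gc_logical
    CHANGING
      physical_filename          = lv_physical
    EXCEPTIONS
      logical_filename_not_found = 1
      validation_failed          = 2
      OTHERS                     = 3.

  CASE sy-subrc.
    WHEN 0.
      " Only a validated name reaches the file system.
      OPEN DATASET lv_physical FOR INPUT IN TEXT MODE ENCODING DEFAULT.
      IF sy-subrc <> 0.
        MESSAGE 'File could not be opened' TYPE 'E'.
      ENDIF.
      " ... read and process the catalog file here ...
      CLOSE DATASET lv_physical.
    WHEN 1.
      " The mapping for ICLVEH has not been maintained in FILE / SF01.
      MESSAGE 'Logical file name ICLVEH is not maintained' TYPE 'E'.
    WHEN OTHERS.
      " Refuse the access and report it; the file is never opened.
      lv_msg = |Access to { p_file } denied: not within the path mapped for ICLVEH|.
      MESSAGE lv_msg TYPE 'E'.
  ENDCASE.
```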
13.14.10.1.3 Data Protection
13.14.10.1.3.1 User Consent
It is the responsibility of insurance companies themselves to obtain the consent of all of their business partners
with regard to the use of their personal data.
13.14.10.1.3.2 Read Access Logging
In Read Access Logging, you can configure which read-access information to log and under which conditions. The
following table lists the configurations shipped with SAP Claims Management, the fields that are logged, and the
relevant business context:
Table 482:
Configuration: ICL_SSN
Fields logged:
● Tax Number Category (field TAXTYPE, for instance in table ICLC_ICL_BP_MINI_SCREEN)
● Business Partner Tax Number (TAXNUM)
Business context: SAP Claims Management logs tax data.
Note
In the Mini Business Partner the tax number is only logged if the user has selected the tax number category US1.
Configuration: ICL_BANK
Fields logged:
● Bank details ID (BKEXT)
● Bank country key (BANKS)
● Bank Key (BANKL)
● Bank account number (BANKN)
● IBAN (IBAN)
Business context: SAP Claims Management logs bank account data.
Configuration: ICL_HEALTH
Fields logged: the fields in the following categories:
● Claim item groupings and the relevant items with subclaim type, coverage, coverage type, benefit type, benefits catalog
● Diagnosis
● Procedures
● Tooth notation and eyeglass prescription
● Level of care
● Suspension of care
● Insured persons and claimant
● Facts capture
● Payments
Business context: SAP Claims Management logs health data.
For Read Access Logging of health data, you have to activate specific views in Customizing for SAP Insurance
under Claims Management Claim Technical Settings Data Protection Read Access Logging Activate
Specific Views for Read Access Logging .
13.14.10.1.3.3 Deletion of Personal Data
SAP Claims Management might process data (personal data) that is subject to the data protection laws applicable
in specific countries. You can use SAP Information Lifecycle Management (ILM) to control the blocking and
deletion of personal data. For more information, see the product assistance for SAP S/4HANA on the SAP Help
Portal at http://help.sap.com/s4hana_op_1709 Product Assistance Cross Components Data Protection .
Relevant Application Objects and Available Deletion Functionality
Table 483:
Application Object | Provided Deletion Functionality
Archiving of Claims (Archiving Object ICLCLAIM) | ILM Object ICLCLAIM (see SAP Note 1976123)
Archiving of Claim Bundles (Archiving Object ICLECCEVT) | ILM Object ICLECCEVT (see SAP Note 1976123)
Archiving of Subclaims (Archiving Object ICLSUBCL) | ILM Object ICLSUBCL
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components under Data Protection.
● Define the settings for authorization management in Customizing for Cross-Application Components under
Data Protection Authorization Management . For more information, see the Customizing
documentation.
● Define the settings for blocking in Customizing for Cross-Application Components under Data Protection
Blocking and Unblocking Business Partner .
You configure the settings related to the blocking and deletion of customer master data in Customizing for SAP
Insurance under Claims Management Claim Technical Settings Archiving .
13.14.10.1.3.4 Change Log
In order to log personal data in FS-CM, you can use the following standard function of FS-CM:
● Log of changes in a claim and in a claim bundle
When you are processing a claim or a claim bundle, you can view a structured overview showing the changes
in the relevant claim or claim bundle. To call up the structured change overview, choose Tools Claim
Changes (Overview) in claim processing, or Tools Bundle Changes (Overview) in claim bundle
processing. In the next dialog screen you see the overview tree with the changes that have been made.
For more information, see Application Help of SAP Claims Management under Claim Administration of
the Claims Management System Display of Changes in Claim and Claim Bundle .
Note
Changes of business partner data will be locked in the business partner system since business partner data
cannot be locked in FS-CM.
13.14.10.2 SAP Statutory Reporting for Insurance
13.14.10.2.1 Deletion of Personal Data in FS-SR
Use
The Statutory Reporting (FS-SR) might process data (personal data) that is subject to the data protection laws
applicable in specific countries. The business partners in the statutory reports can only be legal entities (in
German: juristische Personen), not natural persons. You can use SAP Information Lifecycle Management (ILM) to
control the blocking and deletion of personal data in the applications providing the data, for example, in Loans
Management (FS-CML). For more information, see the product assistance for SAP S/4HANA on the SAP Help
Portal at http://help.sap.com/s4hana_op_1709 Product Assistance Cross Components Data Protection .
In FS-SR, business partner data can only be deleted manually, using deletion reports.
Relevant Application Objects and Available Deletion Functionality
Table 484:
Application Object | Detailed Description | Provided Deletion Functionality
Ledger Data Table | For more information, see SAP Note 2304306. | Transaction ISSR_NB2; Transaction ISSR_MIG5
Stored List | | Transaction ISSR_OUT_ALV
Business Partner Change List | | Transaction ISSR_DEL_CNS_GPCH
13.14.11 Oil and Gas
13.14.11.1 Upstream Operations Management
13.14.11.1.1 Authorizations
SAP Oil & Gas uses the authorization concept provided by the SAP NetWeaver AS for ABAP. Therefore, the
recommendations and guidelines for authorizations as described in the SAP NetWeaver AS ABAP Security Guide
also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles - Backend
SAP delivers standard roles covering the most frequent business transactions. You can use these roles as a
template for your own roles.
In Oil & Gas, PFCG delta roles are used to access content in the application. To make the end-user role complete,
these roles must be used along with other roles delivered by SAP. Example roles are included in the table below.
These roles are designed to support your IS-OIL business processes. The following roles are delivered:
Software Component IS-PRA
Table 485:
Role Description
SAP_UPS_ALLOC_RES_APP SAP Upstream Allocation Results
SAP_UPS_ALLOC_STAT_APP SAP Upstream Network Allocation Status
SAP_UPS_BULKUPLOAD_APP SAP UPS Upload Production Data
SAP_UPS_DEFER_EVT_APP SAP Upstream View Deferment Events Application Role
SAP_UPS_DEFER_RES_APP SAP Upstream Analyze Deferment Application Role
SAP_UPS_DEFER_WOEVT_APP SAP Upstream Deferment Events for Work Orders Application
Role
SAP_UPS_DTIMPORT SAP Upstream Operations Management Data Import Role
SAP_SR_UOM_S4 NWBC Upstream Operations Management Role
SAP_UPS_FC_ACCESS_APP SAP UOM Manage Access
SAP_UPS_FC_CALFCST_APP SAP UOM Calculate Forecast
SAP_UPS_FC_GTHDATA_APP SAP UOM Gather Data
SAP_UPS_FC_MNGPROJ_APP SAP UOM Manage Projects
SAP_UPS_FC_RESULTS_APP SAP UOM View Forecasting Results
SAP_UPS_FDC_APP SAP Upstream Field Data
SAP_UPS_FIXERRORS_APP SAP Upstream Fix Errors
SAP_UPS_MNGHIER_APP SAP UPS Manage Hierarchy
SAP_UPS_FC_APFCST_APP SAP UOM Approve and Publish Forecast
Roles and Standard Authorization Objects
Deferment
Roles
● SAP_UPS_DEFER_EVT_APP: SAP Upstream View Deferment Events Application Role
● SAP_UPS_DEFER_RES_APP: SAP Upstream Analyze Deferment Application Role
● SAP_UPS_DEFER_WOEVT_APP: SAP Upstream Deferment Events for Work Orders Application Role
Authorization Objects
The table below shows the security-relevant authorization objects used in the Deferment area of the Upstream
Operations Management product in SAP Oil & Gas:
Table 486:
GHO_ALLOC (Authorization Object for OPM Activities)
  Field GHO_ACTVT (Activity in Operations Performance), values:
  01 Allocation Run/Results
  02 Allocation Rules
  03 Capture Measurements (Actual, Plan, Theoretical)
  04 Well Test / PQ Curve
  05 Chemical Analysis
  06 Prior period notification
  07 Maintenance Retrieval Hierarchy
  08 Simulation / Planning
  09 Reset prior period notification
  10 Deferment App Result
  11 Allocation App Result
  12 FDC App Deferment Event
  13 Allocation Pre-Processing
  14 Deferment Event Maintenance
  15 Deferment Event Maintenance for Work Orders
GHO_D_EVT (Authorization Objects for Deferment Events)
  Field ACTVT (Activity): 01 Create or generate, 02 Change, 03 Display, 06 Delete
  Field GHO_STATUS (UOM Record Status): APRD Approved, EROR Error, PROV Provisional, PUBL Published, REDY Default Audit Comparison Record, VERF Verified
GHO_NO (Authorization Object for Network Objects)
  Field ACTVT (Activity): 01 Create or generate, 02 Change, 03 Display, 06 Delete
  Field GHO_NO_ID (Network object name)
GHO_PN (Authorization Object for Production network)
  Field ACTVT (Activity): 01 Create or generate, 02 Change, 03 Display, 06 Delete
  Field GHO_PN_ID (Production network name)
Allocation
Roles
● SAP_UPS_ALLOC_RES_APP: SAP Upstream Allocation Results
● SAP_UPS_ALLOC_STAT_APP: SAP Upstream Network Allocation Status
Authorization Objects
The table below shows the security-relevant authorization objects used in the Allocation area of the Upstream
Operations Management product in SAP Oil & Gas:
Table 487:
GHO_ALLOC (Authorization Object for OPM Activities)
  Field GHO_ACTVT (Activity in Operations Performance), values:
  01 Allocation Run/Results
  02 Allocation Rules
  03 Capture Measurements (Actual, Plan, Theoretical)
  04 Well Test / PQ Curve
  05 Chemical Analysis
  06 Prior period notification
  07 Maintenance Retrieval Hierarchy
  08 Simulation / Planning
  09 Reset prior period notification
  10 Deferment App Result
  11 Allocation App Result
  12 FDC App Deferment Event
  13 Allocation Pre-Processing
  14 Deferment Event Maintenance
  15 Deferment Event Maintenance for Work Orders
GHO_A_RES (Authorization Object for Allocation Results)
  Field GHO_ACTION: APPV Approve, PUBD Publish, SUBM Submit for Approval, VRFY Verify
  Field GHO_PN_ID (Production network name)
  Field GHO_STATUS (UOM Record Status): APRD Approved, EROR Error, PROV Provisional, PUBL Published, REDY Default Audit Comparison Record, VERF Verified
GHO_PN (Authorization Object for Production network)
  Field ACTVT (Activity): 01 Create or generate, 02 Change, 03 Display, 06 Delete
  Field GHO_PN_ID (Production network name)
Field Data Capture
Roles
● SAP_UPS_FDC_APP: SAP Upstream Field Data
● SAP_UPS_FIXERRORS_APP: SAP Upstream Fix Errors
Authorization Objects
The table below shows the security-relevant authorization objects used in the Field Data Capture area of the
Upstream Operations Management product in SAP Oil & Gas:
Table 488:
GHO_ALLOC (Authorization Object for OPM Activities)
  Field GHO_ACTVT (Activity in Operations Performance), values:
  01 Allocation Run/Results
  02 Allocation Rules
  03 Capture Measurements (Actual, Plan, Theoretical)
  04 Well Test / PQ Curve
  05 Chemical Analysis
  06 Prior period notification
  07 Maintenance Retrieval Hierarchy
  08 Simulation / Planning
  09 Reset prior period notification
  10 Deferment App Result
  11 Allocation App Result
  12 FDC App Deferment Event
  13 Allocation Pre-Processing
  14 Deferment Event Maintenance
  15 Deferment Event Maintenance for Work Orders
GHO_FDC (Authorization Objects for Field Data Capture)
  Field ACTVT (Activity): 01 Create or generate, 02 Change, 03 Display, 06 Delete
  Field GHO_STATUS (UOM Record Status): APRD Approved, EROR Error, PROV Provisional, PUBL Published, REDY Default Audit Comparison Record, VERF Verified
GHO_NO (Authorization Object for Network Objects)
  Field ACTVT (Activity): 01 Create or generate, 02 Change, 03 Display, 06 Delete
  Field GHO_NO_ID (Network object name)
GHO_PN (Authorization Object for Production network)
  Field ACTVT (Activity): 01 Create or generate, 02 Change, 03 Display, 06 Delete
  Field GHO_PN_ID (Production network name)
Forecasting
Roles
● SAP_UPS_MNGHIER_APP: SAP UPS Manage Hierarchy
● SAP_UPS_FC_MNGPROJ_APP: SAP UPS Manage Forecast Projects
● SAP_UPS_FC_ACCESS_APP: SAP UPS Manage Forecast Access
● SAP_UPS_FC_GTHDATA_APP: SAP UPS Gather Forecast Data
● SAP_UPS_FC_CALFCST_APP: SAP UPS Calculate Forecast
● SAP_UPS_FC_RESULTS_APP: SAP UPS View Forecast Results
● SAP_UPS_FC_APFCST_APP: SAP UPS Approve and Publish Forecast
Authorization Objects
The table below shows the security-relevant authorization objects used in the Forecasting area of the Upstream
Operations Management product in SAP Oil & Gas:
Table 489:
GHO_FC_HI (Authorization Obj for Hierarchy Maintenance in Forecasting)
  Field ACTVT (Activity): 01 Add or Create, 02 Change, 03 Display
B_USERST_T (Status Management: Set/Delete User Status using Transaction)
  Field ACTVT (Activity): 01 Add or Create, 06 Delete
  Field OBTYP (Object Category)
  Field BERSL (Authorization key)
  Field STSMA (Status Profile)
B_USERSTAT (Authorization Object for Network Objects)
  Field ACTVT (Activity): 01 Add or Create, 06 Delete
  Field OBTYP (Object Category)
  Field BERSL (Authorization key)
  Field STSMA (Status Profile)
GHO_FC_PR (Authorization Object for Project in Forecasting)
  Field ACTVT (Activity): 01 Add or Create
S_BTCH_JOB (Background Processing: Operations on Background Jobs)
  Field JOBACTION (Job operations): RELE Release Jobs (Released Automatically When Scheduled)
  Field JOBGROUP (Summary of jobs for a group)
MDG_DIF (Data Import)
  Field ACTVT (Activity): 16 Execute, 67 Translate
  Field MDG_OBJTYP (Business Object Type)
Data Import Framework
Roles
● SAP_UPS_DTIMPORT: SAP Upstream Operations Management Data Import Role
● SAP_UPS_BULKUPLOAD_APP: SAP UPS Upload Production Data
Authorization Objects
The table below shows the security-relevant authorization objects used in the Data Import Framework area of the
Upstream Operations Management product in SAP Oil & Gas:
Table 490:
MDG_DIF: Data Import
  ACTVT (Activity): 16 Execute, 67 Translate
  MDG_OBJTYP (Business Object Type): DM_EVENT (UOM: Import Deferment Events), FD_METER (UOM: FDC Meter Reading Data)
Critical Combinations
Roles Creation in PFCG
1. Standard role: SAP_UPS_DEFER_RES_APP
2. Copy the standard role to a new role and adjust the authorizations as required for the user.
For example, the new role is Z_RES_CREATE.
The role is given authorization to view one particular production network (HK_PN) and to create and display
events for that production network only.
A user to whom this role is assigned can therefore only view and create events for this particular production
network.
3. Assign the role to the user.
4. Log on to the application with this user.
5. Create an event for this production network.
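The following Python model, added here as an illustration and not SAP code, reproduces the semantics of an ABAP AUTHORITY-CHECK against authorization object GHO_PN (fields ACTVT and GHO_PN_ID, listed earlier in this section) to show why the copied role Z_RES_CREATE confines the user to production network HK_PN. The content of the standard role, the second network TX_PN and the user names are constructed for the example.

```python
"""Model of the authorization check behind the PFCG role example above.

Added illustration, not SAP code: it reproduces the semantics of an ABAP
AUTHORITY-CHECK against authorization object GHO_PN (fields ACTVT and
GHO_PN_ID). The content of the standard role, the second network TX_PN
and the user names are constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Set

# Activity codes as listed for GHO_PN in this guide.
CREATE, CHANGE, DISPLAY, DELETE = "01", "02", "03", "06"


@dataclass
class Authorization:
    """One authorization instance; all of its field values must match together."""
    obj: str
    values: Dict[str, Set[str]]  # field name -> allowed values ('*' = any)

    def permits(self, obj: str, **required: str) -> bool:
        if obj != self.obj:
            return False
        for name, value in required.items():
            patterns = self.values.get(name, set())
            if not any(fnmatchcase(value, p) for p in patterns):
                return False
        return True


@dataclass
class Role:
    name: str
    authorizations: List[Authorization] = field(default_factory=list)


@dataclass
class User:
    name: str
    roles: List[Role] = field(default_factory=list)

    def authority_check(self, obj: str, **required: str) -> bool:
        """True if one single authorization in any role satisfies every field.

        As in ABAP, values from two different authorizations never combine:
        ACTVT=01 in one and GHO_PN_ID=HK_PN in another do not add up.
        """
        return any(auth.permits(obj, **required)
                   for role in self.roles for auth in role.authorizations)


# Standard role (constructed approximation of SAP_UPS_DEFER_RES_APP):
# all activities on every production network.
SAP_UPS_DEFER_RES_APP = Role("SAP_UPS_DEFER_RES_APP", [
    Authorization("GHO_PN", {"ACTVT": {CREATE, CHANGE, DISPLAY, DELETE},
                             "GHO_PN_ID": {"*"}}),
])

# Copied role from the procedure: only HK_PN, only create and display.
Z_RES_CREATE = Role("Z_RES_CREATE", [
    Authorization("GHO_PN", {"ACTVT": {CREATE, DISPLAY},
                             "GHO_PN_ID": {"HK_PN"}}),
])


def can_create_event(user: User, network: str) -> bool:
    return user.authority_check("GHO_PN", ACTVT=CREATE, GHO_PN_ID=network)


def can_display_network(user: User, network: str) -> bool:
    return user.authority_check("GHO_PN", ACTVT=DISPLAY, GHO_PN_ID=network)


def can_delete_network(user: User, network: str) -> bool:
    return user.authority_check("GHO_PN", ACTVT=DELETE, GHO_PN_ID=network)


if __name__ == "__main__":
    analyst = User("DEFER_ANALYST", [Z_RES_CREATE])
    for net in ("HK_PN", "TX_PN"):  # TX_PN is a constructed second network
        print(net, "display:", can_display_network(analyst, net),
              "create:", can_create_event(analyst, net),
              "delete:", can_delete_network(analyst, net))
```

The last check in the model is the one to remember when reviewing roles in PFCG: splitting ACTVT and GHO_PN_ID across two authorizations of the same object does not grant the combination, so a role audit must look at each authorization instance, not at the union of field values.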
Standard Fiori Business Roles
The table below shows the standard Fiori business roles used in the Upstream Operations Management product in
SAP Oil & Gas:
Software Component UIS4HOP1 - UI for S/4HANA On Premise
Table 491:
SAP_BR_BUSINESS_ANALYST_IOG: Business Analyst (IOG)
SAP_BR_DEFERMENT_ANALYST_IOG: Deferment Analyst (IOG)
SAP_BR_FC_ANALYST_PROD_IOG: Forecast Analyst - Production (IOG)
SAP_BR_FIELD_OPERATOR_IOG: Field Operator (IOG)
SAP_BR_FORECAST_MANAGER_IOG: Forecast Manager (IOG)
SAP_BR_FORECAST_SPECIALIST_IOG: Forecast Specialist (IOG)
SAP_BR_HYDROCARBON_ANALYST_IOG: Hydrocarbon Analyst (IOG)
SAP_BR_PROD_DATA_SPEC_IOG: Production Data Specialist (IOG)
13.14.11.1.2 Internet Communication Framework Security (ICF)
● For the Oil and Gas Upstream Operations Management (UOM) module, the following services are needed:
○ Allocation
  ○ GHO_WDA_ALLOC_MC_OIF (Capture Measurements)
  ○ GHO_WDA_ALLOC_RESULTS_OIF (Display Allocation Results)
  ○ GHO_WDA_ALLOC_RULES_OIF (Process Allocation Rules)
  ○ GHO_WDA_ALLOC_MRH_OIF (Process MRH Rules)
○ Network Object
  ○ GHO_WDA_NETOBJ_OIF (Create a Network Object)
  ○ GHO_WDA_NETOBJ_OIF (Change a Network Object)
  ○ GHO_WDA_NETOBJ_OIF (Display a Network Object)
  ○ GHO_WDA_OG_ENTITY (Create an Oil & Gas Entity)
  ○ GHO_WDA_OG_ENTITY (Change an Oil & Gas Entity)
  ○ GHO_WDA_OG_ENTITY (Display an Oil & Gas Entity)
○ Ownership
  ○ Division of Interest
    ○ GHO_WDA_OWN_OIF (Create a Division of Interest (DOI))
    ○ GHO_WDA_OWN_OIF (Change a Division of Interest (DOI))
    ○ GHO_WDA_OWN_OIF (Display a Division of Interest (DOI))
    ○ GHO_WDA_OWN_NET_ASG_OIF (Assign a Division of Interest to Network Objects)
  ○ Scale Method
    ○ GHO_WDA_OWN_SM_OIF (Create a Sliding Scale Method)
    ○ GHO_WDA_OWN_SM_OIF (Change a Sliding Scale Method)
    ○ GHO_WDA_OWN_SM_OIF (Display a Sliding Scale Method)
  ○ Business Partner
    ○ Process Business Partner
  ○ Owner Transfer Request
    ○ GHO_WDA_OWN_TRO_GAF (Create an Owner Request)
    ○ GHO_WDA_OWN_TRO_GAF (Change an Owner Request)
    ○ GHO_WDA_OWN_TRO_GAF (Display an Owner Request)
  ○ Reports (Display Only)
    ○ GHO_WDA_OWN_RPT_OIF (Oil & Gas Business Partner Report)
    ○ GHO_WDA_OWN_RPT_OIF (Division of Interest Owners)
    ○ GHO_WDA_OWN_RPT_OIF (Well Completions Assigned to Division of Interest)
    ○ GHO_WDA_OWN_RPT_OIF (Division of Interest History Report)
    ○ GHO_WDA_OWN_RPT_OIF (Ownership Entitlement Results)
○ Network Modeling
  ○ GHO_NETWORK_OIF (Model a Production Network Structure)
  ○ GHO_NETWORK_OIF (Display a Production Network Structure)
To run the SAP Fiori applications for Upstream Operations Management, activate the common SICF nodes listed
below. These SICF nodes need to be activated on the front-end server (SAP NetWeaver Gateway).
Activate the following SICF nodes specific to the Upstream Operations Management Fiori applications:
● UIS4HOP1 - UI for S/4HANA On Premise
○ /sap/bc/ui5_ui5/sap/ups_alloc_ress1
○ /sap/bc/ui5_ui5/sap/ups_alloc_stas1
○ /sap/bc/ui5_ui5/sap/ups_blkuploads1
○ /sap/bc/ui5_ui5/sap/ups_commonss1
○ /sap/bc/ui5_ui5/sap/ups_defer_evts1
○ /sap/bc/ui5_ui5/sap/ups_defer_ress1
○ /sap/bc/ui5_ui5/sap/ups_def_woevts1
○ /sap/bc/ui5_ui5/sap/ups_fc_accesss1
○ /sap/bc/ui5_ui5/sap/ups_fc_apfcsts1
○ /sap/bc/ui5_ui5/sap/ups_fc_calfcts1
○ /sap/bc/ui5_ui5/sap/ups_fc_cmpress1
○ /sap/bc/ui5_ui5/sap/ups_fc_ghdatas1
○ /sap/bc/ui5_ui5/sap/ups_fc_mngpros1
○ /sap/bc/ui5_ui5/sap/ups_fc_results1
○ /sap/bc/ui5_ui5/sap/ups_fdcs1
○ /sap/bc/ui5_ui5/sap/ups_fixerrorss1
○ /sap/bc/ui5_ui5/sap/ups_mnghiers1
● Activate the following SICF nodes of OData services being used by Fiori applications:
○ /sap/opu/odata/sap/ups_bulk_upld
○ /sap/opu/odata/sap/ups_common
○ /sap/opu/odata/sap/ups_def_event
○ /sap/opu/odata/sap/ups_def_result
○ /sap/opu/odata/sap/ups_def_work_order
○ /sap/opu/odata/sap/ups_fc_appr_pub
○ /sap/opu/odata/sap/ups_fc_calc_fcst
○ /sap/opu/odata/sap/ups_fc_gatherdata
○ /sap/opu/odata/sap/ups_fc_mng_access
○ /sap/opu/odata/sap/ups_fc_mng_project
○ /sap/opu/odata/sap/ups_fc_view_res
○ /sap/opu/odata/sap/ups_field_data_capture
○ /sap/opu/odata/sap/ups_fix_error
○ /sap/opu/odata/sap/ups_hca_result
○ /sap/opu/odata/sap/ups_hca_status
○ /sap/opu/odata/sap/ups_mng_hierarchy
13.14.11.1.3 Other Security-Relevant Information
The following table shows an overview of the data flow in UOM in a two-system DMZ environment. Data access is
separated from the presentation layer, which is running on the second machine. The UI is accessed using HTTP or
HTTPS.
Table 492:
Step: User Interface: FPM-based ABAP Web Dynpro with Unified Rendering
  Description: Data requests, updates, and actions are triggered from the UI.
  Security Measure: ABAP Web Dynpro, unified rendering, access using HTTP or HTTPS
Step: PLM UI Framework
  Description: Infrastructure for communication between GUIBBs/WebDynpro context and SPI connector
Step: SPI Connector (DMZ System)
  Description: Acting like a proxy for the back end SPI connector.
  Security Measure: Metadata is read from back end only
Step: RFC
  Description: RFC based data transfer between DMZ system and ERP back end system; xstring based data transfer
  Security Measure: Protocol switch to RFC; white list for table based data transfer; sync with metadata model in connector
Step: SPI Connector (Back End System)
  Description: A standardized interface that is used to transfer data from the application service provider to the UI framework consumer.
  Security Measure: Validation against metadata definition during data transfer
Step: Application Service Provider
  Description: Implementation
  Security Measure: Additional metadata definition
13.14.11.2 IS-OIL Downstream
13.14.11.2.1 Authorizations
SAP Oil & Gas uses the authorization concept provided by the SAP NetWeaver AS for ABAP or AS Java. Therefore,
the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide
ABAP and SAP NetWeaver AS Security Guide Java also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’s
user administration console on the AS Java.
Note
For more information about how to create roles, see the SAP NetWeaver Security Guide under User
Administration and Authentication.
Standard Roles
SAP delivers standard roles covering the most frequent business transactions. You can use these roles as a
template for your own roles.
In Oil & Gas, PFCG delta roles are used to access content in the application. To make the end-user role complete,
these roles must be used along with other roles delivered by SAP. Example roles are included in the table below.
These roles are designed to support your IS-OIL business processes. The following roles are delivered:
Table 493:
SAP_BR_SHIPPING_SPECIALIST_IOG: This role is enhanced to support IS-OIL business processes and must be used along with other roles delivered by SAP, for example SAP_BR_SHIPPING_SPECIALIST. This role includes Transportation and Distribution shipment processing, master data maintenance for shipment, shipment processing and Transportation Scheduler Workbench operations.
SAP_BR_INVENTORY_MANAGER_IOG: This role is enhanced to support IS-OIL business processes and must be used along with other roles delivered by SAP, for example SAP_BR_INVENTORY_MANAGER. This role manages inventory with respect to quantity and value. It also includes IS-OIL specific Quantity Conversion Interface (QCI) and tank management related tasks.
SAP_BR_BILLING_CLERK_IOG: This role is enhanced to support IS-OIL business processes and must be used along with other roles delivered by SAP, for example SAP_BR_BILLING_CLERK. This role is used mostly for IS-OIL specific exchanges netting related tasks.
SAP_BR_SUPPLYCHAIN_MANAGER_IOG: This role is enhanced to support IS-OIL business processes and must be used along with other roles delivered by SAP, for example SAP_BR_PURCHASING_MANAGER, SAP_BR_PURCHASER, SAP_BR_INTERNAL_SALES_REP. The Supply Chain Manager role is primarily responsible for ensuring proper supply of hydrocarbons downstream of the Oil & Gas value chain. This role is also responsible for handling the exchange business for refined products with exchange partners.
SAP_BR_TRANSP_SCHDLR_IOG: This role is enhanced to support IS-OIL business processes and must be used along with other roles delivered by SAP, for example SAP_BR_PURCHASING_MANAGER, SAP_BR_SALES_MANAGER, SAP_BR_CONTRACT_MANAGER_CC. The transportation scheduler schedules and executes hydrocarbon logistics movements along the supply chain. The scheduler is responsible for multiple terminals and/or transport systems as well as multiple crude or finished products. As part of the job, the scheduler primarily schedules bulk shipments, usually in planning cycles such as weekly or monthly cycles. The scheduling includes vessels, barges, rail, truck, and pipeline for crude, feedstocks and refined products.
SAP_BR_PRICING_SPECIALIST_IOG: This is an IS-OIL role for pricing. The pricing specialist is responsible for creating prices, changing prices, mass changes of prices, and mass creation of prices; sets up the price lists for preparation and issues the price lists for execution; keeps the prices consistent across different channels; checks compliance of prices with guidelines, for example the discount policy; receives price data from stakeholders, for example for a campaign or from the product or marketing manager; views global market price quotes for oil products in the system and can also modify these price quotes in the system based on prior approvals; is responsible for the creation of F&A pricing based on the price quotes available in the system; requests price data from business units and provides information for the (customer) data specialist; and also gives the proposal for the relevant product. In addition, the pricing specialist triggers configuration changes (for example, in collaboration with IT), triggers the creation, completion, or correction of material master data, triggers price approval, and notifies the purchaser or production planner in case of poor availability.
SAP_BR_TERMINAL_OPERATOR_IOG: The terminal operator is responsible for safely operating all terminal equipment in connection with receiving, storing, transferring, and loading of petroleum products through trucks, rail cars, water vessels, and barges. The terminal operator is also responsible for tank farm operations, pipeline receipts, response boat operation, testing of products and documentation of results, maintenance of terminal equipment, carrier scheduling, preparation of various terminal reports, and general maintenance and upkeep of the facility.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used.
Table 494:
O_OIJ_NOM
  Fields: OIJ_NOMTYP, OIJ_TSYST, OIJ_SHPR, OIJ_CARR, OIJ_LOC
  Value: Display
  Description: Only if you are authorized for a particular transport system and location can you view/change the event data in the Mass Change Events Fiori app.
O_OIJ_NOM
  Fields: OIJ_NOMTYP, OIJ_TSYST, OIJ_SHPR, OIJ_CARR, OIJ_LOC
  Value: Change
  Description: Only if you are authorized for a particular nomination type, transport system, shipper, carrier and location can you view/change the nomination data in the Nomination Fiori app.
O_OIJ6_INV
  Fields: OIJ_LOC, MATNR, BWTAR
  Value: Display
  Description: Only if you are authorized for the particular location and material for which you are running the regional inventory is the data/inventory data displayed in the Regional Inventory Fiori app.
O_O3DEFA
  Field: WERKS
  Description: Determines which activities are allowed for O3DEFAULTS.
O_OI0_TCD
  Field: TCD
  Description: This object controls which Oil downstream transactions the user may access. The field values are identical to the transaction code.
O_OIA_EXG
  Fields: OIA_EXGTYP, BUKRS
  Values: Create or generate, Change, Display, Print, Edit messages
  Description: Determines which activities are allowed for maintenance of Exchange Headers and assignment of sales and purchasing contracts.
O_OIA_LIA
  Fields: OIA_UPEDOC, BUKRS
  Values: Create, Display, Create or generate, Display
  Description: Determines which activities are allowed for maintenance of Exchange Logical Inventory Adjustments.
O_OIA_NDOC
  Field: BUKRS
  Values: Create or generate, Change, Display, Print, edit messages, Lock
  Description: Determines which activities are allowed for maintenance of the Exchange Netting document.
O_OIF_PBL
  Fields: OIF_PBLTYP, OIRB_AUTGR
  Values: Create or generate, Change, Display
  Description: Determines which activities are allowed for maintenance of Business Locations.
O_OIG_SHP
  Fields: BETRVORG, TPLST, OIG_SHTYPE
  Description: Determines which activities are allowed for maintenance of certain shipments. The shipments are determined by shipment type and transportation planning point.
O_OIG_SPT
  Field: VSTEL
  Description: Determines whether the assignment of deliveries to TD shipments according to the shipping point of the deliveries is allowed or not, and whether the user can change deliveries in the TD shipments function, according to the shipping point of the deliveries, or not.
O_OIJ_3WP
  Field: OIJ_3WPACT
  Values: Create, Change, Display
  Description: This authorization object is checked whenever a user tries to access the 3WP transaction.
O_OIJ_LOCN
  Field: OIJ_LOCTYP
  Values: Create or generate, Change, Display
  Description: This authorization object is used to authorize maintaining locations in Trader's and Scheduler's Workbench. The locations are determined by the location type.
O_OIJ_NMST
  Field: OIJ_NOMTYP
  Values: Activate/Deactivate, Display
  Description: This authorization object is checked whenever a status code is activated or deactivated.
O_OIJ_NOM
  Field: OIJ_NOMST
  Values: Create or generate, Change, Display, Print, edit messages, Lock
O_OIJ_NOMA
  Fields: OIJ_NOMTYP, OIJ_NOMST
  Values: Create or generate, Change, Display
  Description: This authorization object is checked whenever a user tries to access the nomination data.
O_OIJ_NOMI
  Fields: VSART, WERKS
  Values: Create or generate, Change, Display
  Description: This authorization object is used to authorize maintenance of nominations in Trader's and Scheduler's Workbench. The nominations are created with reference to a transport system.
O_OIJ_PROL
  Fields: KTOKD, KTOKK, WERKS, LGORT
  Values: Create or generate, Change, Display, Print, edit messages, Lock
  Description: This authorization object is used to authorize maintaining partner role assignments in Trader's and Scheduler's Workbench. The TSW partner roles are determined by the vendor group, customer group, and the plant and storage location attached to a role type at a location or transport system.
O_OIJ_SPTP
  Fields: OIJ_SPTYPE, OIJ_SIMTYP
  Values: Change, Display
  Description: Determines which activities (Display or Change) are allowed for different Stock Projection Types (SP types).
O_OIJ_TCKT
  Fields: OIJ_NOMTYP, OIJ_TSYST, OIJ_SHPR, OIJ_CARR, OIJ_LOC
  Values: Create or generate, Change, Display, Print, edit messages, Lock
O_OIJ_TKT
  Field: OIJ_TKTTYP
  Values: Create, Change, Display, Delete, Retrieve from archive, Rebook, Reverse
  Description: This authorization object is checked whenever a user tries to access the Ticket Data.
O_OIJ_TSYS
  Fields: VSART, WERKS
  Values: Create, Change, Display
  Description: This authorization object is used to authorize maintaining transport systems in Trader's and Scheduler's Workbench. The transport systems are determined by the shipping type.
O_OIR_PBLD
  Fields: OIF_PBLTYP, OIRA_RNBT, OIF_DTSECT
  Values: Create or generate, Change, Display
  Description: Determines whether a user is authorized to view a specific business location master data section on a detailed business type level.
O_OIR_PBLG
  Fields: OIF_PBLTYP, OIF_DTSECT
  Values: Create or generate, Change, Display, Print, edit messages, Lock
  Description: Determines whether a user is authorized to view a specific business location master data section on a detailed business type level.
O_OIRB_PBL
  Fields: OIF_PBLTYP, OIRB_AUTGR, OIRA_RNBT
  Values: Create or generate, Change, Display
O_OIJ_IPW
  Field: ACTVT
  Values: Create or generate, Change, Display, Delete
  Description: Provides access to create, delete, view and publish simulations.
OIB_PHYINV
  Fields: WERKS, ACTVT
  Values: Create or generate, Change, Display, Print, edit messages, Delete, Discard
  Description: Provides access to capture the real-time physical inventory data for the plants the user is authorized for.
13.14.11.2.2 Internet Communication Framework Security (ICF)
You should only activate those services that are needed for the applications running in your system. For the Fiori
apps My Nominations, Regional Inventory View and Mass Change Events in the TSW area, the following services are
needed:
● TSW_MYNOMINATIONS_SRV_01
● TSW_REGIONAL_INVENTORY_SRV_01
● TSW_MYEVENTS_SRV
Use the transaction SICF to activate these services.
If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings
accordingly.
For more information about ICF security, see the respective chapter in the SAP NetWeaver Security Guide.
13.14.11.2.3 Deletion of Personal Data
The IS-OIL Downstream might process data that is subject to the data protection laws applicable in specific
countries as described in SAP Note 1825544.
The SAP Information Lifecycle Management (ILM) component supports the entire software lifecycle including the
storage, retention, blocking, and deletion of data. The IS-OIL Downstream uses SAP ILM to support the deletion of
personal data as described in the following sections.
● SAP delivers an end of purpose check for the IS-OIL Downstream
● SAP delivers a where-used check (WUC) for the IS-OIL Downstream
All applications register either an end of purpose check (EoP) in the Customizing settings for the blocking and
deletion of the customer and vendor master or a WUC. For information about the Customizing of blocking and
deletion for the IS-OIL Downstream application, see Configuration: Simplified Blocking and Deletion.
End of Purpose Check (EoP)
An end of purpose check determines whether data is still relevant for business activities based on the retention
period defined for the data. The retention period of data consists of the following phases.
● Phase one: The relevant data is actively used.
● Phase two: The relevant data is actively available in the system.
● Phase three: The relevant data needs to be retained for other reasons.
For example, processing of data is no longer required for the primary business purpose, but to comply with
legal rules for retention, the data must still be available. In phase three, the relevant data is blocked. Blocking
of data prevents the business users of SAP applications from displaying and using data that may include
personal data and is no longer relevant for business activities.
Blocking of data can impact system behavior in the following ways:
● Display: The system does not display blocked data.
● Change: It is not possible to change a business object that contains blocked data.
● Create: It is not possible to create a business object that contains blocked data.
● Copy/Follow-Up: It is not possible to copy a business object or perform follow-up activities for a business
object that contains blocked data.
● Search: It is not possible to search for blocked data or to search for a business object using blocked data in
the search criteria.
It is possible to display blocked data if a user has special authorization; however, it is still not possible to create,
change, copy, or perform follow-up activities on blocked data.
For information about the configuration settings required to enable this three-phase end of purpose check,
see Process Flow and Configuration: Simplified Blocking and Deletion.
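The following Python model, added here as an illustration and not SAP code, walks through the three-phase end of purpose check, the blocking rules listed above and the later retention-based destruction in one place. Consuming applications register an EoP check (the guide names the classes CVP_OIL_EOP_CHECK and CVP_TSW_ECC_CHECK for this), and the blocking report consults every registered check before blocking a business partner; the check function, the partner records, the dates and the mapping of residence time and retention period onto the phases are assumptions of this example.

```python
"""Model of the end of purpose (EoP) check, blocking and retention rules above.

Added illustration, not SAP code. The check function, partner records and
dates are constructed; mapping the ILM residence time to phase two and the
retention period to phase three is an assumption of this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Callable, Dict, List, Optional


class Phase(Enum):
    ACTIVE_USE = 1   # phase one: data actively used by an open document
    AVAILABLE = 2    # phase two: no open usage, but EoP not yet reached
    BLOCKED = 3      # phase three: retained for legal reasons only


@dataclass
class BusinessPartner:
    partner_id: str
    last_activity: date          # completion date of the last referencing document
    residence_days: int          # ILM residence time (assumed length of phase two)
    retention_days: int          # ILM retention period (assumed length of phase three)
    blocked_since: Optional[date] = None


# An EoP check returns True while the consuming application still needs the
# partner, e.g. because an open nomination or ticket references it.
EopCheck = Callable[[str, date], bool]


@dataclass
class EopRegistry:
    """Consuming applications registered for the EoP check, as in Customizing."""
    checks: Dict[str, EopCheck] = field(default_factory=dict)

    def register(self, app_name: str, check: EopCheck) -> None:
        self.checks[app_name] = check

    def still_in_use(self, partner_id: str, today: date) -> List[str]:
        """Names of the applications that veto blocking of this partner."""
        return [app for app, chk in self.checks.items() if chk(partner_id, today)]


def phase_of(bp: BusinessPartner, today: date, registry: EopRegistry) -> Phase:
    if registry.still_in_use(bp.partner_id, today):
        return Phase.ACTIVE_USE
    if today < bp.last_activity + timedelta(days=bp.residence_days):
        return Phase.AVAILABLE
    return Phase.BLOCKED


def run_blocking_report(partners: List[BusinessPartner], today: date,
                        registry: EopRegistry) -> List[str]:
    """Like the blocking report run via CVP_PRE_EOP: block partners at EoP."""
    blocked = []
    for bp in partners:
        if bp.blocked_since is None and phase_of(bp, today, registry) is Phase.BLOCKED:
            bp.blocked_since = today
            blocked.append(bp.partner_id)
    return blocked


def due_for_destruction(bp: BusinessPartner, today: date) -> bool:
    """Data may be destroyed (ILM_DESTRUCTION) once the retention period has passed."""
    return (bp.blocked_since is not None
            and today >= bp.blocked_since + timedelta(days=bp.retention_days))


ACTIONS = {"display", "change", "create", "copy", "follow_up", "search"}


def access_allowed(bp: BusinessPartner, action: str,
                   special_display_auth: bool = False) -> bool:
    """Blocking rules from the guide: for blocked data only display is possible,
    and only for a user holding the special authorization."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if bp.blocked_since is None:
        return True   # ordinary authorization checks apply; modelled as allowed
    return action == "display" and special_display_auth


# Constructed stand-in for an application-specific check such as
# CVP_OIL_EOP_CHECK: the partner stays in use until its open nomination ends.
OPEN_NOMINATIONS = {"BP100": date(2018, 3, 1)}  # partner -> nomination end date


def is_oil_eop_check(partner_id: str, today: date) -> bool:
    end = OPEN_NOMINATIONS.get(partner_id)
    return end is not None and today <= end
```

Running the report on a constructed partner with an open nomination leaves it in phase one, while a partner whose residence time has expired is blocked and, after the retention period, becomes eligible for destruction.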
Integration with Other Solutions
In the majority of cases, different installed applications run interdependently, as shown in the following graphic.
An example of an application that uses central master data is an SAP for Healthcare (IS-H) application that uses
the purchase order data stored in Financial Accounting (FI) or Controlling (CO).
Relevant Application Objects and Available Deletion Functionality
Table 495:
IS-OIL Downstream
  Detailed Description: The customer/vendor blocking report checks the consuming application to determine the end of purpose of the customer/vendor. In an IS-OIL system, in addition to the EoP checks performed by the SD, MM and FI applications, the checks for usage of the customer/vendor in the IS-OIL Downstream application have to be made. The IS-OIL application has to register itself under the customer master data and vendor master data as a consuming application that needs to be checked for EoP. The EoP check logic in IS-OIL is delivered in the class CVP_OIL_EOP_CHECK.
  Provided Deletion Functionality: ILM enabled archiving objects: OIG_DRIVER, OIG_VEHCLE, OIG_TPUNIT, OIJ_NOMIN, OIJ_TICKET, IS_OIFSPBL. Data destruction objects: OIJ_SCHED_DESTRUCTION, OIJ_PARTNER_DESTRUCTION, OIA_EXGDOCU_DESTRUCTION, OIL_TAS_TPI_DESTRUCTION.
Decoupled TSW (TSW_ECC)
  Detailed Description: The customer/vendor blocking report checks the consuming application to determine the end of purpose of the customer/vendor. In a Decoupled TSW scenario, the checks for usage of the customer/vendor in TSW application specific documents such as nominations are made. The TSW_ECC application has to register itself under the customer master data and vendor master data as a consuming application that needs to be checked for EoP. The EoP check logic in TSW_ECC is delivered in the class CVP_TSW_ECC_CHECK.
  Provided Deletion Functionality: ILM enabled archiving objects: OIG_VEHCLE, OIG_TPUNIT, OIJ_NOMIN, OIJ_TICKET, IS_OIFSPBL. Data destruction objects: OIJ_SCHED_DESTRUCTION, OIJ_PARTNER_DESTRUCTION.
Process Flow
1. Before archiving data, you must define residence time and retention periods in SAP Information Lifecycle
Management (ILM).
○ Run transaction IRMPOL and maintain the required residence and retention policies for the customer
master and vendor master in SAP ERP (ILM objects: FI_ACCPAYB, FI_ACCRECV, FI_ACCKNVK).
○ Run transaction IRMPOL and maintain the required retention policies for the ILM objects of IS-OIL
Downstream or Decoupled TSW.
2. You choose whether data deletion is required for data stored in archive files or data stored in the database,
depending also on the type of deletion functionality available.
3. To determine which business partners have reached end of purpose and can be blocked, you do the following:
○ Run transaction CVP_PRE_EOP to execute the end of purpose check function for the customer master
and vendor master in SAP ERP.
4. To unblock blocked business partner data, you do the following:
○ Request unblocking of blocked data by using the transaction BUP_REQ_UNBLK.
○ If you have the needed authorization for unblocking business partner data, you can unblock the requested
data by running the transaction CVP_UNBLOCK_MD for customer master data and vendor master data in
SAP ERP.
5. You delete data by using the transaction ILM_DESTRUCTION for the ILM objects of IS-OIL Downstream or
Decoupled TSW.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components under Data Protection.
● Define the settings for authorization management under Data Protection Authorization Management
For more information, see the Customizing documentation.
● Define the settings for blocking under Data Protection Blocking and Unblocking Business Partner
13.14.11.2.4 Read Access Logging
If no trace or log is stored that records which business users have accessed data, it is difficult to track the
person(s) responsible for any data leaks to the outside world. The Read Access Logging (RAL) component can be
used to monitor and log read access to data and provide information such as which business users accessed
personal data, for example, of a business partner, and in which time frame.
In RAL, you can configure which read-access information to log and under which conditions.
For more information, see Read Access Logging in the documentation for SAP NetWeaver on the SAP Help Portal
under http://help.sap.com.
13.14.12 Engineering, Construction, and Operations
13.14.12.1 Equipment and Tools Management
13.14.12.1.1 Authorizations
Equipment and Tools Management (ETM) uses the authorization concept provided by the SAP NetWeaver AS for
ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP also apply.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP.
Note
For more information about how to create roles, see the NetWeaver Security Guide under User Administration
and Authentication.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used:
Table 496:
Authorization Object Description
J_3GBLART Authorizations for document types
J_3GEQART2 CEM – Equipment Types for Document Category 2
J_3GEMPGR2 CEM - Recipient Groups, Document Category 2
J_3GBEWTP2 CEM – Transaction Types, Document Category 2
J_3GACTVT CEM Allowed Activities
J_3GABRLST Call CEM Settlement List for Organizational Units
J_3GDISPGR MRP Group in Equipment
J_3GDBER Planning Area in Recipient
J_3G_TCODE Transaction Code
13.14.12.1.2 Deletion of Personal Data
Use
Equipment and Tools Management (ETM) might process data (personal data) that is subject to the data
protection laws applicable in specific countries. You can use SAP Information Lifecycle Management (ILM) to
control the blocking and deletion of personal data. For more information, see the product assistance for SAP
S/4HANA on the SAP Help Portal at http://help.sap.com/s4hana_op_1709 under Product Assistance, Cross
Components, Data Protection.
Relevant Application Objects and Available Deletion Functionality
Table 497:
Equipment and Tools Management (IS-ADEC-ETM)
  Archiving Objects: /SAPCEM01, /SAPCEM02, /SAPCEM03, /SAPCEM04, /SAPCEM05, /SAPCEM06, /SAPCEM07
  ILM Objects: SAPCEM_01, SAPCEM_02, SAPCEM_07
Relevant Application Objects and Available EoP/WUC functionality
Table 498:
Equipment and Tools Management (IS-ADEC-ETM)
  Implemented Solution (EoP or WUC): EoP
  Further Information: Checks tables /SAPCEM/BDPO, J_3GBELP
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for
Cross-Application Components→Data Protection.
14 Business Network Integration
SAP S/4HANA currently supports integration scenarios with the Ariba Network (including Ariba Sourcing via the
Ariba Network), and with SAP Fieldglass.
14.1 Security Aspects for Connectivity Types
In all of the connectivity types described below, only the on-premise system opens the connection to the Cloud,
thus supporting the highest level of security. A proxy or reverse proxy in the demilitarized zone (DMZ) is not
required.
The SAP S/4HANA system communicates with the business networks through the HTTPS protocol, encrypting
transmitted data.
Direct Connectivity
For direct connectivity, SAP S/4HANA always opens the connection by executing the following actions:
● SAP S/4HANA pushes cXML messages to the business networks (synchronous)
● The Polling Agent in SAP S/4HANA fetches pending messages from the business networks (synchronous)
Mediated Connectivity
For mediated connectivity, the SAP S/4HANA system connects through SAP PI. The connection functions as
follows:
● SAP S/4HANA pushes cXML messages to SAP PI (asynchronous)
● The Ariba Network Adapter for SAP NetWeaver triggers its Polling Agent to fetch pending cXML messages
from Ariba Network. The Polling Agent in the PI adapter then pushes the cXML messages to the SAP S/
4HANA system (asynchronous).
If SAP S/4HANA communicates with Ariba Network through SAP PI, there are no special security requirements.
Note
For mediated connectivity, Ariba provides information on how to communicate with Ariba Network in the Ariba
Network Adapter for SAP NetWeaver Setup Guide. You can contact Ariba for more information.
14.2 Direct Connectivity: SAP S/4HANA as Client
When sending a cXML message to a business network, the sender must authenticate itself:
● SAP Fieldglass supports authentication by client certificate.
● Ariba Network offers authentication with client certificate or with shared secret password. Both
authentication methods are also supported by SAP S/4HANA. For more information about the authentication
methods on Ariba Network, contact SAP Ariba.
Note
Communication with the Ariba Network and with SAP Fieldglass is based on HTTPS. For HTTPS SSL
encryption, SAP Cryptographic Library is required. For information about installing the SAP Cryptographic
Library, search for “The SAP Cryptographic Library Installation Package” in the documentation of SAP
NetWeaver at http://help.sap.com/nw.
Authentication with Client Certificate (Ariba Network Only)
For authentication with client certificate, it is strongly recommended that you use the latest version of the SAP
Cryptographic Library (SAPCRYPTOLIB). For more information about the latest SAP Cryptographic Library versions,
bugs, and fixes, see SAP Note 455033.
Note
Only certificates in Personal Security Environment (PSE) format can be imported. Certificates in other formats
must first be converted to PSE format. The conversion can be done using the command line tool SAPGENPSE.
The tool can be installed with SAP Cryptographic Library installation package.
For example, to convert from P12 (Public-Key Cryptography Standards) format to PSE format, enter the
following command line:
sapgenpse import_p12 -v -r -p
Setting up authentication with client certificate includes the following steps:
1. Get the client certificate from a Certification Authority (CA) that is trusted by Ariba.
2. Import the private key of the certificate into the SAP S/4HANA system by using Trust Manager (transaction
STRUST).
1. To store the client certificate in SAP S/4HANA, you have to create a new Client Identity in Trust Manager.
Proceed as follows:
1. Choose Environment > SSL Client Identities, enter ARIBA as the identity name and Ariba
Network Client as the description.
2. Save your entries.
2. Import the private key of the certificate in Trust Manager. Proceed as follows:
1. Select the created ARIBA SSL Client ID and choose PSE > Import to import the PSE file.
2. Enter the password for the certificate, if required.
3. Save your PSE file by choosing PSE > Save as > SSL Client, and enter ARIBA as the SSL Client.
4. Navigate to the Own Certificate group box on the Trust Manager screen, and double-click the
certificate to add it to the certificate list. The certificate is now shown in Trust Manager in Certificate
List.
3. Import the root certificate into the SAP S/4HANA system by using Trust Manager. Proceed as follows:
1. Double-click the SSL Client Identity ARIBA that you have created.
2. Navigate to the Certificate group box and choose Import certificate. Add the imported certificate to the
certificate list by clicking Add to Certificate List.
4. For HTTPS SSL encryption, obtain the server certificate from Ariba. Proceed as follows:
1. Go to buyer.ariba.com.
2. Download the certificate using your browser.
For example, if you are using Internet Explorer, choose View Security Report > View Certificates.
On the Details tab page, choose Copy to File and export it in the Base-64 encoded X.509 format.
3. Import the server certificate into the SAP S/4HANA system using Trust Manager.
4. Double-click the ARIBA SSL Client ID that you have created.
5. Navigate to the Certificate group box and choose Import certificate. Add the imported certificate to the
certificate list by clicking Add to Certificate List.
5. To activate the changes, restart the Internet Communication Manager (ICM) using transaction SMICM and
choose Administration > ICM > Restart > Yes. For more information, search for the phrase Using the
ICM Monitor in the documentation of SAP NetWeaver at help.sap.com.
6. Configure the Web services in SOA Manager (transaction SOAMANAGER). Find the following consumer proxies:
○ cXMLSynchronousOutboundAdapterMessage_Out (CO_ARBFND_PRX_OADP_OUT)
○ cXMLGetPendingDataRequest_Out (CO_ARBFND_PRX_GPDQ_OUT)
In the Details of Consumer Proxy group box, navigate to the Configurations tab page and select the logical
port. In the Configuration of Logical Port group box, navigate to the Consumer Security tab page, choose the
X.509 SSL Client Certificate radio button, and enter Ariba in the SSL Client PSE of transaction STRUST field.
7. For Ariba Network: In the profile of your account on Ariba Network, select the Certificate authentication
method in the cXML setup and enter the public key of the certificate.
Authentication with User and Password
To set up authentication with a user and a password, proceed as follows:
1. Maintain the user and the password in the Define Credentials and Endpoints for Ariba Network Customizing
activity or in the Define Credentials for SAP Fieldglass Customizing activity, respectively.
The password is stored in the secure storage of your SAP S/4HANA system. SAP S/4HANA supports
passwords with a maximum length of 36 characters.
Note
According to security requirements, passwords must not be written to logs, protocols, or traces.
Therefore, the password is not visible in transactions such as SRT_MONI where the XML message
monitoring and tracing takes place, as business users can also have authorization for the message
monitoring transactions. However, when activating an Internet Communication Framework (ICF) recording
using transaction SICF, the system logs the password in the corresponding ICF trace. ICF recording is only
intended for administrators and requires the S_ADMI_FCD authorization.
Ariba Network integration only: For authentication with shared secret password, the shared secret
password has to be provided in the Sender element of the cXML payload.
2. For HTTPS SSL encryption, obtain the server certificate from the business network. Proceed as follows:
1. Go to buyer.ariba.com or to fieldglass.net, respectively.
2. Download the certificate using your browser.
For example, if you are using Internet Explorer, choose View Security Report > View Certificates.
On the Details tab page, choose Copy to File and export the certificate in the Base-64
encoded X.509 format.
3. Import the server certificate into the SAP S/4HANA system using Trust Manager.
4. Double-click the SSL Client SSL Client (Anonymous) node.
Navigate to the Certificate group box and choose Import certificate. Add the imported certificate to the
certificate list by clicking Add to Certificate List.
3. To activate the changes, restart the Internet Communication Manager (ICM) using transaction SMICM and
choose Administration > ICM > Restart > Yes.
4. In the profile of your account in the Ariba Network, select the shared secret authentication method in the
cXML setup.
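The shared secret in the Sender element is exactly what an ICF recording would capture, so any copy of a cXML payload that is written to a trace or log should have it removed first. The following is an added example, not code from the SAP guide or the Ariba adapter: it redacts every SharedSecret element of a cXML payload while leaving the sender identity intact. The cXML fragment is constructed with placeholder identities and a placeholder secret.

```python
"""Redact the shared secret in a cXML Sender credential before logging the payload."""
import xml.etree.ElementTree as ET

# Constructed cXML fragment showing the Sender/Credential/SharedSecret layout used
# for shared-secret authentication. Identities and the secret are placeholders.
SAMPLE_CXML = """<cXML payloadID="placeholder@example.corp" timestamp="2017-01-01T00:00:00Z">
  <Header>
    <From><Credential domain="NetworkID"><Identity>AN00000000001</Identity></Credential></From>
    <To><Credential domain="NetworkID"><Identity>AN00000000002</Identity></Credential></To>
    <Sender>
      <Credential domain="NetworkID">
        <Identity>AN00000000001</Identity>
        <SharedSecret>PLACEHOLDER-SECRET</SharedSecret>
      </Credential>
      <UserAgent>SAP S/4HANA</UserAgent>
    </Sender>
  </Header>
</cXML>
"""

REDACTED = "***REDACTED***"


def redact_shared_secret(cxml: str) -> str:
    """Return a copy of the payload in which every SharedSecret text is replaced.

    Working on the parsed tree (rather than a regex) means nested or repeated
    SharedSecret elements are all caught and the rest of the document is unchanged.
    """
    root = ET.fromstring(cxml)
    for secret in root.iter("SharedSecret"):
        secret.text = REDACTED
    return ET.tostring(root, encoding="unicode")


def sender_identity(cxml: str) -> str:
    """Identity under Header/Sender/Credential, so a redacted copy still names the sender."""
    return ET.fromstring(cxml).findtext("./Header/Sender/Credential/Identity", default="")


if __name__ == "__main__":
    safe_copy = redact_shared_secret(SAMPLE_CXML)
    print(f"sender {sender_identity(safe_copy)} - secret present: {'PLACEHOLDER-SECRET' in safe_copy}")
```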
14.3 Direct Connectivity: SAP S/4HANA as Server
No proxy or reverse proxy is required. The asynchronous inbound application service interfaces are called either
internally in the SAP S/4HANA system or by SAP PI.
14.4 Roles and Authorizations (Ariba Network)
A technical user is required in the SAP S/4HANA system to process messages coming from the Ariba Network.
This user must not have the SAP_ALL authorization. Assign the following roles to this user:
● SAP_ARBFND_INTEGRATION
The authorization object ARBFND_ARB is required to execute reports and to process inbound messages. This
object can be added by assigning the role SAP_ARBFND_INTEGRATION.
● Process Purchase Orders (SAP_MM_PUR_PURCHASEORDER)
This role provides authorization for purchase orders and is required to process incoming messages that
update purchase orders.
● Process Inbound Deliveries (SAP_LE_INB_DEL_PROCESSING).
This role provides authorization for inbound deliveries and is required to process incoming messages that
create inbound deliveries with receiving point.
● Enter Invoices for Verification in the Background (SAP_MM_IV_CLERK_BATCH1)
This role provides authorization to post or park incoming invoice documents in the background. Alternatively,
you can assign any other role that contains the authorization object M_RECH_WRK.
Depending on whether you use direct or mediated connectivity, you also have to assign one of the following roles:
● For direct connectivity:
Web Service Consumer (SAP_BC_WEBSERVICE_CONSUMER)
This role is required for using Web service protocol to communicate in direct connectivity.
● For mediated connectivity:
Exchange Infrastructure: Service User for Application Systems (SAP_XI_APPL_SERV_USER)
This role is required to communicate through XI protocol in mediated connectivity.
To make sure the corresponding profiles are available and active, you must generate the role profiles using
transaction PFCG.
14.5 Roles and Authorizations (SAP Fieldglass)
A technical user is required in the SAP S/4HANA system to process messages coming from SAP Fieldglass. This
user must not have the SAP_ALL authorization. Instead, you have to do the following:
1. Create a role that contains the authorization object ARBFND_FG, enter your SAP Fieldglass buyer company
code in the field FG_BUY_CC, and assign this role to the technical user.
2. Assign the role Enter Invoices for Verification in the Background (SAP_MM_IV_CLERK_BATCH1) to the
technical user. This role provides authorization to post or park incoming invoice documents in the
background. Alternatively, you can assign any other role that contains the authorization object M_RECH_WRK.
3. Depending on whether you use direct or mediated connectivity, you also have to assign one of the following
roles:
○ For direct connectivity:
Web Service Consumer (SAP_BC_WEBSERVICE_CONSUMER)
This role is required for using Web service protocol to communicate in direct connectivity.
○ For mediated connectivity:
Exchange Infrastructure: Service User for Application Systems (SAP_XI_APPL_SERV_USER)
This role is required to communicate through XI protocol in mediated connectivity.
To make sure the corresponding profiles are available and active, you must generate the role profiles using
transaction PFCG.
15 Session Security Protection
Secure Session Management
To increase security and prevent access to the SAP logon ticket and security session cookie(s), we recommend
activating secure session management. We also highly recommend using SSL to protect the network
communications where these security-relevant cookies are transferred.
Session Security Protection on the AS ABAP
For SAP NetWeaver version 7.0 and higher, it is recommended to activate HTTP security session management
using transaction SICF_SESSIONS. In particular it is recommended to activate extra protection of security-related
cookies.
The HttpOnly flag instructs the browser to deny access to the cookie through client side script. As a result, even if
a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser
will not reveal the cookie to a third party.
The Secure flag tells the browser to send the cookie only if the request is being sent over a secure channel such as
HTTPS. This helps protect the cookie from being passed over unencrypted requests.
These additional flags are configured through the following profile parameters:
Table 499:
Profile Parameter                 | Recommended Value | Description       | Comment
icf/set_HTTPonly_flag_on_cookies  | 0                 | Add HttpOnly flag | Client-dependent
login/ticket_only_by_https        | 1                 | Add Secure flag   | Not client-dependent
For more information, a list of the relevant profile parameters, and detailed instructions, see Activating HTTP
Security Session Management on AS ABAP in the AS ABAP security documentation.
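One way to confirm from the client side that the two parameters have taken effect, as an added example that is not part of the SAP guide: it parses the Set-Cookie headers of a captured HTTP response and reports which security-relevant cookies lack the HttpOnly or Secure flag. It assumes the HTTP security session cookie is named SAP_SESSIONID_<SID>_<client> and the logon ticket cookie MYSAPSSO2; the sample response is constructed.

```python
"""Report SAP session cookies that are missing the HttpOnly or Secure flag."""
import re
from typing import Dict, List

# Assumption: SAP_SESSIONID_<SID>_<client> is the HTTP security session cookie and
# MYSAPSSO2 the logon ticket cookie; these are the cookies that
# icf/set_HTTPonly_flag_on_cookies and login/ticket_only_by_https are meant to protect.
SECURITY_COOKIE_PATTERNS = (
    re.compile(r"^SAP_SESSIONID_[A-Z0-9]{3}_\d{3}$"),
    re.compile(r"^MYSAPSSO2$"),
)


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie value into name, value and the set of lower-cased attribute names."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name.strip(), "value": value, "attrs": attrs}


def find_unprotected_cookies(raw_response: str) -> Dict[str, List[str]]:
    """Map each security-relevant cookie in the response to the flags it lacks."""
    findings: Dict[str, List[str]] = {}
    for line in raw_response.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(line.split(":", 1)[1])
        if not any(p.match(cookie["name"]) for p in SECURITY_COOKIE_PATTERNS):
            continue  # not a security cookie (e.g. sap-usercontext), ignore
        missing = [f for f in ("HttpOnly", "Secure") if f.lower() not in cookie["attrs"]]
        if missing:
            findings[cookie["name"]] = missing
    return findings


# Constructed sample response (header lines only, placeholder values): the session
# cookie carries HttpOnly but not Secure, the logon ticket carries neither flag.
SAMPLE_RESPONSE = "\n".join([
    "HTTP/1.1 200 OK",
    "Set-Cookie: SAP_SESSIONID_S4H_100=PLACEHOLDER; path=/; HttpOnly",
    "Set-Cookie: MYSAPSSO2=PLACEHOLDER; path=/; domain=.example.corp",
    "Set-Cookie: sap-usercontext=sap-client=100; path=/",
])

if __name__ == "__main__":
    for name, missing in find_unprotected_cookies(SAMPLE_RESPONSE).items():
        print(f"{name}: missing {', '.join(missing)}")
```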
Important Disclaimers and Legal Information
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system
environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and
completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP
intentionally or by SAP's gross negligence.
Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a
binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does
not apply in cases of willful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales
person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not
exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not
warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency
(see: http://help.sap.com/disclaimer).
© 2017 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE
or an SAP affiliate company. The information contained herein may
be changed without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company
for informational purposes only, without representation or warranty
of any kind, and SAP or its affiliated companies shall not be liable for
errors or omissions with respect to the materials. The only
warranties for SAP or SAP affiliate company products and services
are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the
trademarks of their respective companies.
Please see http://www.sap.com/corporate-en/legal/copyright/
index.epx for additional trademark information and notices.