Application Security Guide SRM4.0

Application Security Guide
mySAP
TM
SRM 4.0
Using SAP Enterprise Buyer 5.0, SAP Supplier Self-Services 2.0, SAP Catalog Content Management 1.0, SAP Enterprise Portal 6.0 Document Version 2.1 - February 11, 2005
SAP AG Neurottstrae 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com
Copyright 2003 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
JAVA is a registered trademark of Sun Microsystems, Inc. JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MarketSet and Enterprise Buyer are jointly owned trademarks of
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint and SQL Server are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix and Informix Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries. ORACLE is a registered trademark of ORACLE Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, the Citrix logo, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, MultiWin and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc. HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.
SAP AG and Commerce One. SAP, SAP Logo, R/2, R/3, mySAP, mySAP.com, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Disclaimer Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components. Any Java Source Code delivered with this product is only to be used by SAPs Support Services and may not be modified or altered in any way.
Typographic Conventions
Type Style Example Text Represents Words or characters that appear on the screen. These include field names, screen titles, and pushbuttons, as well as menu names, paths, and options. Cross-references to other documentation Example text Emphasized words or phrases in body text, titles of graphics, and tables Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE. Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code, as well as names of installation, upgrade, and database tools. Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation. Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries. Keys on the keyboard, for example, function keys (such as F2) or the Ctrl key.
Icons
Icon Meaning Caution Example Note Recommendation Syntax
EXAMPLE TEXT
Example text
Example text
<Example text>
EXAMPLE TEXT
Contents
Contents
Introduction .......................................................................................5
Important SAP Notes..............................................................................................................6 Other Security Guides............................................................................................................6 Overview of the Scenarios.....................................................................................................8
Technical System Landscape ........................................................17

Architecture ..........................................................................................17
Exchange of Data via External User Interfaces .................................................................17 Exchange of Data/Documents via External System Interfaces .......................................21
Network Security and Communication Security ..........................22

Communication Channel Security......................................................22
Enabling SSL (HTTPS) for Web Application Server 6.40..................................................22 Enabling SSL for J2EE 6.40.................................................................................................23 Secure Connection of Application Systems to SAP XI ....................................................23
Network Security..................................................................................25 Communication Destinations .............................................................25
User Administration and Authentication ......................................27

User Management ................................................................................27 Integration into Single Sign-On Landscapes ....................................28
Authorizations .................................................................................29
1) ABAP Roles for SRM 4.0/ Enterprise Buyer 5.0 ............................................................30 2) ABAP Roles for SRM 4.0 (SUS Deployment) .................................................................44 3) Catalog Content Management Roles..............................................................................48 4) Portal Roles (for Enterprise Portal 6.0) ..........................................................................49 Changes to the Authorization Check .................................................................................54
Appendix ..........................................................................................60
Virus Checking of Document Attachments .......................................................................60
Related Guides .....................................................................................61 Additional Information.........................................................................63

Special Information for the Live Auction Cockpit 2.0 .......................................................63 Specific Information on Catalog Content Management 1.0 .............................................66
February 2005
Introduction
Introduction
This guide does not replace the daily operations handbooks that we recommend customers create for their specific productive operations.
About this Guide The solution mySAP Supplier Relationship Management (mySAP SRM) consists of different components, such as SAP Enterprise Buyer (EBP), SAP Bidding Engine (both reside on SRM Server) and Live Auction. This cross-component security guide provides security-relevant information for the individual SRM components. In many cases, the required information has already been provided in other security guides and in configuration and installation guides. In these cases, we have provided a reference to the relevant sections within these guides. Security in the context of an SRM Solution comprises the following aspects: User authentication Support of Single Sign-On Administration and checking of user authorizations in order to prevent unauthorized access to saved data Secure data transfer between users and the SRM application components, especially in the case of browser-based access via the Internet General access control, including protection of the system against unauthorized external access Safeguarding of data against unauthorized access when business data is being exchanged between SRM and external systems, especially in the case of data exchange with supplier systems via the Internet
The individual components of the mySAP SRM solution are based on SAP standard technology, like SAP Web Application Server (including Internet Transaction Server) and SAProuter. This means that only the official precepts of the SAP Security strategy are used. The standard tools and mechanisms of the SAP NetWeaver Platform are used. In eighty percent of cases, a SRM system landscape comprises Enterprise Buyer and Live Auction. The User Management Engine (UME) is only required in conjunction with Enterprise Portal and this is why UME is not covered by this guide. This Security Guide focuses on specific mySAP SRM implementations the standard case is covered by the security guides of the respective basis technologies.
Target Groups Technical consultants System administrators
February 2005
Introduction
This document is not part of the installation, configuration, or operation process for update guides as these are often written for a certain phase of the software lifecycle. The information contained in this guide pertains to all phases of the software lifecycle.
Important SAP Notes

SAP Notes for SRM: SAP Note Number 39267 638963 595519 Title Availability of the SAP Security Guide Error with Netscape 6.20 Include EBP in a portal Comment
For more SAP Notes on security, see the SAP Service Marketplace at http://service.sap.com/security -> SAP Security Notes -> SAP Notes on mySAP Security or the notes for the application area BC-JAS-SEC and BC-SEC.
Other Security Guides

SAP NetWeaver Security Guide The SAP NetWeaver Security Guide provides an introduction to security with the SAP NetWeaver platform as well as individual security guides for each of the SAP NetWeaver components. See the tables below: Introduction to Security with the SAP NetWeaver Platform Topic Technical System Landscape User Administration and Authentication Network and Transport Layer Security Connectivity and Interoperability See Technical System Landscape User Administration and Authentication Network and Communication Security Security Aspects for Connectivity and Interoperability
Related Security Guides for SAP NetWeaver Components Components Operating System and Database Platforms Operating System and Database Platforms Application Platform SAP Web Application Server SAP Web Application Server Security Guide Operating System and Database Platform Security Guides See
February 2005
Introduction
SAP Content Server SAP Knowledge Warehouse People Integration Portal SAP Mobile Infrastructure Information Integration SAP Business Information Warehouse Security Guide SAP Knowledge Management
SAP Web AS Security Guide for ABAP Technology SAP Web AS Security Guide for Java Technology Internet Transaction Server Security Security Aspects in Development Security Aspects with SAP Web AS System Management
SAP Content Server Security Guide SAP Knowledge Warehouse Security Guide
Portal Platform Security Guide Security Guide for SAP Mobile Infrastructure
SAP Business Information Warehouse Security Guide Knowledge Management Security Guide: Guide Search and Classification (TREX) Security Guide Content Management Security
Process Integration SAP Exchange Infrastructure SAP Exchange Infrastructure Security Guide
Under Appendix -> Related Guides, you can find a composition of all useful SRM and SAP documents mentioned in this guide.
February 2005
Introduction
Overview of the Scenarios

(See also SRM Master Guide: Section 3 Business Scenarios of mySAP SRM.) Before you start the security setup, you need to decide which SRM components need to be installed. Also, you should have carried out a rough sizing exercise in order to answer questions on the technical setup. You can use this Security Guide to define the network structure, for example firewalls, routers, load balancing, protocols used, and the necessary configuration of the components, as well as a concept for User Administration. In this section, you can find the Software Component Matrix from the Master Guide, as well as a list of relevant sections of the Security Guide per scenario.
Software Component Matrix

This section provides an overview of which business scenario of this mySAP Business Suite solution (my SAP SRM) uses which components: Business Scenario/Software Component Matrix (M = mandatory/ O = optional) Software Component Business Scenario Catalog ContentManagement
SAP Supplier Relationship Management Server 5.0 (SAP SRM Server) (Based on SAP Web Application Server 6.40, comprises SAP Enterprise Buyer, SAP Bidding Engine and Supplier Self-Service) SAP Internet Transaction Server (SAP ITS) 6.20/ 6.40 SAP Internet Pricing and Configurator 4.0 (SAP IPC) SAP Business Warehouse 3.5 (SAP BW) plus SAP BI Content 3.5.2 Add-On SAP Catalog Content Management 1.0 Add-On Search & Classification (TREX) 6.1 SAP Enterprise Portal 6.0 (Portal Server) Live Auction Cockpit Web Presentation Server 2.0 (LACWPS) SAP Exchange Infrastructure 3.0 (SAP XI)
M O O M M O -O
M O O -O O -M
M -O M M O O O
M --M M O -M
M O O O O O -O
-O O -O
February 2005
Spend Analysis M M -M 8
Self-Service Procurement
Plan-Driven Procurement
Service Procurement
Strategic Sourcing
Introduction
Application Gateway
HTTPS / OCI
HTTP(S)
Firewall
BSP SAP BW 3.5
ITS
SAP CCM 1.0
BI CONT 3.5.2 R/3 Plug_In
SAP SRM SERVER 5.0

EBP
IPC 4.0
R/3 3.1i SAP ECC 5.0 MM FI / CO
(IDOC)
R/3 Plug_In
XI Proxy XI Int. Framew. Engine
RFC
TREX 6.1
RFC
XI Proxy XI Int. RFC Framew. Engine TREX 6.1 (Contracts)
HTTP(S) XML
XI Integration Engine
XI Cont. CCM 1.0
XML
XI 3.0
XI Cont. RosettaNet 1.0
XI Cont. SRM Server 5.0
Self-Service Procurement (Indirect Procurement) enables your employees to create and manage their own requirement requests. They can search in catalogs provided by SAP CCM. SAP BI 3.5 is used to carry out evaluations. The SRM Server (EBP) Web front end uses Internet Transaction Server (ITS) technology. With NetWeaver 04, the ITS 6.40 is part of the SAP-Kernels 6.40. ITS 6.20, a separate UI installing application, can also be used. The Web front end of SAP CCM 1.0 and SAP Business Intelligence is realized using Business Server Pages (BSP) technology. Depending on the requirements of the SRM 4.0 installation (should SRM Server (EBP) be available via the Internet?) and depending on the internal Security Policy, the following has to be carried out: SAP SRM Server 5.0: Enable WebAS 6.40 SSL (configure HTTPS protocol) SAP CCM 1.0: Enable WebAS 6.40 SSL (configure HTTPS protocol) SAP BI 3.5: Enable WebAS 6.40 SSL (configure HTTPS protocol) Configure Application Gateway for SAP SRM Server 5.0 Configure Application Gateway for SAP CCM 1.0 Configure Application Gateway for SAP BI 3.5 Configure SSO between SAP SRM Server 5.0, SAP CCM 1.0 and SAP BI 3.5
February 2005
Introduction
If necessary, configure SNC connections between SAP SRM Server and backend system If necessary, configure SNC connections between SAP SRM Server/backend system and SAP BI 3.5
Application Gateway
HTTP(S)
Firewall
ITS
BSP IPC 4.0 R/3 3.1i SAP ECC 5.0 MM FI / CO IPC 4.0 SAP SRM SERVER 5.0 SUS XI Proxy XI Int. Framew. Engine
SAP BW 3.5
RFC
SAP SRM SERVER 5.0

EBP
(IDOC)
R/3 Plug_In
TREX 6.1
(Contracts)
Separate IPC for SUS not needed if SUS and EBP are implemented in the same SAP system
RFC IDOC
RFC
RFC
HTTP(S)
IDOC Adapt.
XML
XI 3.0
Plan-Driven Procurement (Direct Procurement) automates and streamlines ordering processes for regularly needed core materials. Suppliers can process purchase orders directly in the SAP SRM Server (SUS). The purchase orders are transferred to the SAP SRM Server (SUS) from the backend system via SAP Exchange Infrastructure (XI). The Web front end of the SAP SRM Server (SUS) is realized using BSP technology. Since suppliers log onto the SAP SRM Server (SUS) via the Internet, the HTTPS protocol should definitely be configured for the SAP SRM Server (SUS). Necessary steps: SAP SRM Server 5.0 (SUS): Enable WebAS 6.40 SSL (configure HTTPS protocol) Configure Application Gateway for SAP SRM Server 5.0 (SUS)
If SAP SRM Server (EBP) is also to be accessed via the Internet, or depending on the internal Security Policy, it might be necessary to do the following: SAP SRM Server 5.0 (EBP): Enable WebAS 6.40 SSL (configure HTTPS protocol)
February 2005
10
Introduction
SAP BI 3.5: Enable WebAS 6.40 SSL (configure HTTPS protocol) Configure Application Gateway for SAP SRM Server 5.0 (EBP) Configure Application Gateway for SAP BI 3.5 If necessary, configure SNC connections between SAP SRM Server and backend system If necessary, configure SNC connections between SAP SRM Server/backend system and SAP BI 3.5 If necessary, connect SAP SRM Server 5.0 (EBP) and SAP SRM Server 5.0 (SUS) via HTTPS and SNC to the SAP Exchange Infrastructure (See XI Security Guide: Section HTTP and SSL and RFC and SNC)
Service Procurement
Service Procurement
Application Gateway
HTTPS / OCI
HTTPS
Firewall
BSP SAP BW 3.5
ITS
SAP CCM 1.0
SAP SRM SERVER 5.0

EBP
RFC XI Proxy
IPC 4.0
R/3 3.1i SAP ECC 5.0 FI / CO R/3 Plug_In
BSP SAP SRM SERVER 5.0 SUS XI Proxy XI Int.
RFC
XI Int. Framew. Engine
TREX 6.1
Separate IPC for SUS not needed if SUS and EBP are implemented RFC in the same SAP system
IPC 4.0
RFC Framew. Engine
HTTP(S)
XML
XML
XML
XI Cont. CCM 1.0
XI 3.0
This business scenario is used to cover the entire service procurement process. Necessary steps: SAP SRM Server 5.0 (SUS): Enable WebAS 6.40 SSL (configure HTTPS protocol) Configure Application Gateway for SAP SRM Server 5.0 (SUS)
Depending on whether the SAP SRM Server (EBP) is also to be made available via the internet, or depending on the internal Security Policy, the following might also be necessary:
February 2005
11
Introduction
SAP SRM Server 5.0: Enable WebAS 6.40 SSL (configure HTTPS protocol) SAP CCM 1.0: Enable WebAS 6.40 SSL (configure HTTPS protocol) SAP BI 3.5: Enable WebAS 6.40 SSL (configure HTTPS protocol) Configure Application Gateway for SAP SRM Server 5.0 Configure Application Gateway for SAP CCM 1.0 Configure Application Gateway for SAP BI 3.5 Configure SSO between SAP SRM Server 5.0, SAP CCM 1.0 and SAP BI 3.5 If necessary, configure SNC connections between SAP SRM Server and backend system If necessary, configure SNC connections between SAP SRM Server/backend system and SAP BI 3.5 If necessary, connect SAP SRM Server 5.0 (EBP), SAP SRM Server 5.0 (SUS), and SAP CCM 1.0 via HTTPS and SNC to the SAP Exchange Infrastructure (XI) (See XI Security Guide: Section HTTP and SSL and RFC and SNC)
Catalog Content Management
Catalog Content Management
Application Gateway
HTTP(S)
Firewall
BSP
ITS
SAP CCM 1.0
SAP SRM SERVER 5.0

EBP
RFC
XI Proxy XI Int. RFC Framew. Engine
TREX 6.1
TREX 6.1
(Contracts)
HTTP(S)
XML Catalog Upload
XML
XI Cont. CCM 1.0
XML
Masterdata Contractdata
XI 3.0
February 2005
12
Introduction
In SAP CCM 1.0, suppliers can upload their catalogs. The necessary function is provided in the Web front end. The Web front end is realized using Business Server Pages (BSP) technology. The upload occurs via the HTTPS protocol. The catalog is in XML or CSV format. The catalog is mapped in the SAP Exchange Infrastructure (XI) to convert it into SAP CCM XML format. Contract data can be loaded via the SAP Exchange Infrastructure (XI) from the SRM Server System. TREX (Search and Classification) helps you search for products in the catalog. In the scope of a procurement process, transfer of product data from SAP CCM to SAP SRM Server occurs via HTTP(S) in accordance with the Open Catalog Interface (OCI) specification via the user browser. Necessary steps: Enable WebAS 6.40 SSL (configure HTTPS protocol) Configure Application Gateway for SAP CCM 1.0 (See CCM Configuration Guide: Section Setting Parameters for Internet Communication Manager) Configure SSO between SAP CCM and SAP SRM Server (See CCM Configuration Guide: Section Using SAP Catalog Content Management with SAP Enterprise Buyer) Configure TREX http(s) protocol (See TREX Installation Guide: Section Configuration of the HTTP Connection) If necessary, connect SAP CCM via HTTPS and SNC to the SAP Exchange Infrastructure (XI) (See CCM Configuration Guide: Section SAP Exchange Infrastructure and XI Security Guide: Section HTTP and SSL and RFC and SNC)
February 2005
13
Introduction
Strategic Sourcing
Strategic Sourcing
Application Gateway
HTTPS / OCI
HTTPS
BSP SAP BW 3.5
ITS
SAP CCM 1.0
SAP SRM SERVER 5.0

EBP Bidding Engine
RFC
IPC 4.0
(IDOC)
R/3 3.1i SAP ECC 5.0 MM R/3 Plug_In
SAP LAC WPS 2.0
RFC
XI Proxy XI Int. Framew. Engine TREX 6.1

RFC HTTP(S)
TREX 6.1
XML
XI Cont. CCM 1.0
XML
XI 3.0
Within Strategic Souring, bid invitations are created in SAP SRM Server and suppliers are invited to participate in these bid invitations by submitting bids. Bid invitations can also be converted into Live Auctions. Live Auctions occur in the SAP LACWPS (Live Auction Cockpit). SAP LACWPS consists of a server part running on a SAP J2EE 6.40 and a Java Applet that communicates with the server. The Java applet is loaded into the browser of the user and is executed locally. Necessary steps: SAP SRM Server 5.0 (EBP/ Bidding Engine): Enable WebAS 6.40 SSL (configure HTTPS protocol) Enable SAP J2EE 6.40 (SAP LACWPS) SSL (See Transport Layer Security on the SAP J2EE Engine: Section Configuring the Use of SSL on the SAP J2EE Engine) Configure Application Gateway for SAP SRM Server 5.0 (EBP/Bidding Engine) Configure Application Gateway for SAP LACWPS 2.0
Optional (if components are accessed via the Internet): Enable SAP CCM 1.0: WebAS 6.40 SSL (configure HTTPS protocol) Enable SAP BI 3.5: WebAS 6.40 SSL (configure HTTPS protocol) Configure Application Gateway for SAP CCM 1.0 Configure Application Gateway for SAP BI 3.5
February 2005
14
Introduction
If necessary, configure SNC connections between SAP SRM Server and backend system If necessary, configure SNC connections between SRM Server/backend system and SAP BI 3.5
Spend Analysis
Spend Analysis
Application Gateway
HTTP(S)
Firewall
SAP BW 3.5
R/3 3.1i SAP ECC 5.0 MM FI / CO
ITS
SAP SRM SERVER 5.0

EBP
RFC
R/3 Plug_In
TREX 6.1
(Contracts)
RFC
RFC
SRM 4.0 enables you to consolidate data in mySAP Business Intelligence (SAP BI) and to carry out evaluations. The data for this comes from the SAP SRM Server or its backend system via RFC/SNC. Users access the reports via a Web front end that is realized using BSP technology.
If BW reports are also made available to suppliers, SAP BI has to be accessible via the Internet. If it is only available to the purchasers, it depends on the individual realization of the scenario: Necessary steps: Enable WebAS 6.40 SSL (configure HTTPS protocol) Configure Application Gateway for SAP CCM Should the SRM system landscape be available to the purchasers via the Internet or only via the Intranet? Does the internal security policy require that HTTPS be used for all Web-based applications?
February 2005
15
Introduction
If necessary, configure SNC between SAP SRM Server/backend system and SAP Business Intelligence
February 2005
16
Technical System Landscape

SRM supports various presentation technologies on which the individual SRM components run and via which user access/data transfer occurs. The architecture, determined by the respective presentation technology, is crucial for the security of an SRM system. The architecture determines the security concept.
Architecture
The architecture of an SRM system landscape is heavily dependent on the security measures that are in turn determined by the data to be transferred and the data channels. In an SRM system landscape, there are two types of channel via which data is exchanged and which require careful attention in terms of provision of security during data exchange via external interfaces: Exchange of data via external user interfaces Exchange of data/documents via external system interfaces
In both cases, the SRM security concept incorporates a Demilitarized Zone (DMZ) that is delimited by an internal and an external firewall. Within the DMZ there is an application gateway. (SAP recommends that you use the SAP Web Dispatcher.) URLs and ports for the systems behind the internal firewall can be configured in any way and are not known to users outside of the external firewall. In this way, the SRM security concept follows the usual SAP security standards (that are used on a world-wide basis).
Exchange of Data via External User Interfaces

Data exchange via external user interfaces occurs in SRM in two different ways: 1. Data exchange via the Application Gateway using an internal Internet Transaction Server or for components with Web front end on BSP technology 2. Data exchange via JAVA Applet Live Auction Cockpit WPS (also via Application Gateway)
February 2005
17
1. Data Exchange via the Application Gateway for Applications with Web Front ends on ITS and BSP Technology The following SRM scenarios, where the Web front end is based on ITS or BSP technology, work on this principle: Self-Service Procurement Plan-Driven Procurement Service Procurement Catalog Content Management Spend Analysis (Strategic Sourcing with Bidding Engine but without LAC WPS)
External Users Access via Application Gateway (ITS and BSP)

Internet
Internet Browser
HTTP(S)
Firewall DMZ
Application Gateway (SAP Web Dispatcher)
HTTP(S)/ OCI HTTP(S)
Firewall Internal Zone
SAP BW 3.5
ITS
SRM Server 5.0

EBP Bidding Engine
R/3 3.1i SAP ECC 5.0
BSP
BSP
SAP CCM 1.0
SRM Server 5.0

SUS
R/3 Plug_In
RFC
RFC
SAP Basis 6.40 SAP Kernel 6.40 (incl. ITS 6.40)
Basic representation of the communication paths of the SRM components to the outside via the application gateway.
The SAP Web Dispatcher functions as an Application Gateway and is used as a "software Web switch" between the Internet and your SRM Server system, which consists of one or more Web Application Servers. You therefore have only one point of access for HTTP(S) requests in your system. Furthermore, the SAP Web dispatcher balances the load, so that the request is always sent to the server with the greatest capacity. More information: SAP Web Dispatcher
February 2005
18
The SAP Web Dispatcher is connected to the Internet Communication Manager (ICM) via the internal firewall of the DMZ. All security aspects are dealt with via the ITS and the SAP WAS. In this way, the SRM security concept, like all other SAP solutions, is entirely based on the general SAP security standards.
2. Data Exchange via JAVA Applet Live Auction Cockpit WPS In the SRM scenario Strategic Sourcing a JAVA Applet is loaded in the browser of an external supplier for Live Auctions (not for auctions via the Sourcing Cockpit of the SRM Bidding Engine). This applet communicates with the server part of the LAC on the J2EE 6.40 via the application gateway.
External Users Access to Java Applet (LAC WPS)

Internet
Internet Browser
HTTP(S)
Firewall DMZ
Application Gateway (SAP Web Dispatcher)
HTTP(S)/ OCI HTTP(S)
Firewall Internal Zone
BSP
SAP BW 3.5
ITS
SAP CCM 1.0
SRM Server 5.0

EBP Bidding Engine
R/3 3.1i SAP ECC 5.0
LAC WPS 2.0
R/3 Plug_In
JCo
RFC
RFC
SAP Basis 6.40 SAP Kernel 6.40 (incl. ITS 6.40)
SAP J2EE 6.40
Basic representation of the communication paths of the SRM components incl. LAC WPS 2.0 to the outside. The ABAP application Sourcing Cockpit allows external suppliers to participate in bid invitations that are created and evaluated using the SAP Bidding Engine. Auctions can be converted into Live Auctions and are then processed in the LAC. LAC is a JAVA component LAC WPS on presentation level whose runtime environment is the J2EE of SAP WAS 6.40.
February 2005
19
LAC WPS consists of a server part that runs on J2EE 6.40 and a Java Applet that is loaded into the browser of the user and executed locally there. The applet communicates via HTTP(S) with the server part. The server communicates with the SRM Server via RFC. Communication between the JAVA applet and the LAC WPS server occurs just like any HTTP(S) based communication with the Internet via Application Gateway that exists in the DMZ. (Each type of communication with the Internet that occurs via HTTP(S) makes use of the Application Gateway.) All security aspects are dealt with by SAP WAS.
February 2005
20
Exchange of Data/Documents via External System Interfaces

External Documents Exchange via XI
SAP WAS 6.40 (incl. SAP J2EE 6.40) SAP BW 3.5
BI CONT 3.5.2 R/3 Plug_In XI Proxy Framew.
SRM Server 5.0

EBP Bidding Engine SUS XI Int. Engine XML MM
R/3
FI/CO
R/3 Plug-In
Internal Zone
RFC HTTP(S)
RFC
XI 3.0
XML HTTP(S) & TCP / IP
Firewall Application Gateway (SAP Web Dispatcher)

XML
DMZ Firewall
HTTP(S)
Internet Firewall
Business Partner IT Landscape
In an SRM system landscape, the Exchange Infrastructure (XI) is used to transfer data in the form of documents via external system interfaces. Here, too, the Exchange Infrastructure of SAP Web Dispatcher is on an HTTP(S) Web server in the DMZ. All security aspects are dealt with by the SAP Web Dispatcher and the Exchange Infrastructure. (For more information, see SAP Web Dispatcher and SAP Exchange Infrastructure Security Guide)
See the following table for more information about the technical system landscape: Topic Technical System Landscape Guide/Tool SRM Master Guide Quick Link to the SAP Service Marketplace (service.sap.com) http://service.sap.com/instguides -> mySAP Business Suite Solutions -> mySAP SRM -> Using SAP EBP 5.0 -> Master Guide - mySAP SRM
February 2005
21
Network Security and Communication Security

Communication Channel Security
This section deals with measures to protect data that is being transferred from unauthorized access. Data transfer is by means of HTTPS (SSL encryption) that is also used in SAP system landscapes. The mechanisms to use for transport layer security and encryption depend on the protocols used. For Internet protocols such as HTTP, you can use the Secure Sockets Layer (SSL) protocol to provide the protection. For SAP protocols such as dialog and RFC, you can use Secure Network Communications. See Network Security for SAP Web AS ABAP and Network Security for the SAP J2EE Engine for an overview of the corresponding SAP Web AS connections and the security mechanism to use. We recommend that you consult the following documentation on Network and Communication Security in the SAP NetWeaver Security Guide: Basic Network Topology for SAP Systems Network Services Using Firewall Systems for Access Control o Application-Level Gateways Provided by SAP Example Network Topology Using a SAProuter Example Network Topology When Using SAP Remote Services Using Multiple Network Zones Transport Layer Security o o Secure Network Communications (SNC) SNC-Protected Communication Paths in SAP Systems
Additional Information on Network Security
Enabling SSL (HTTPS) for Web Application Server 6.40

This section is relevant for all Web applications that are based both on the ITS 6.40 and on BSP, so basically all scenarios with the exception of Strategic Sourcing with LAC WPS 2.0. This safeguards data against unauthorized access when business data is being exchanged between SRM and external systems, especially in the case of data exchange with supplier systems via the Internet. The electronic exchange of business data between SRM and a connected supplier must also be protected. Purchase orders and shipping notifications contain confidential information that an SRM customer will want to protect from unauthorized access. Here also, SRM makes use of the standard Internet features. With the HTTP adapter, the SAP Exchange Infrastructure supports the Secure HTTP protocol. By means of this protocol, all data is saved during the entire transfer from the sending system to the receiving system. As far as the automatic authentication of the participating systems is concerned, SRM relies on the exchange of certificates, which guarantees state-of-theart security. The communication channels within the mySAP SRM system landscape can be made secure using HTTPS (SSL). However, it only makes sense to use this coding technology to achieve overall security for the channels.
February 2005
22
Consult the Network and Transport Layer Security guide before carrying out the SSL settings for the SAP WAS 6.40: Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP o Configuring the SAP Web AS for Supporting SSL
To carry out the SSL settings for the ITS 6.40 (internal ITS on WAS 6.40) proceed in accordance with the following sections of the WEB AS Security Guide: Internet Transaction Server Security o o o A Secure Network Infrastructure for the ITS Protecting the Server and Network Components TCP Ports Used by the ITS
For security issues in regard of the SRM applications with Web front end on BSPbasis, note the following documentation: Security Aspects for BSP
Enabling SSL for J2EE 6.40

This section is relevant if you want to implement the SRM scenario Strategic Sourcing with LAC WPS 2.0 (LAC WPS runs on the J2EE of SAP WAS 6.40). To configure SSL for LAC on J2EE 6.40, proceed in accordance with the following documentation: Configuring the Use of SSL on the SAP J2EE Engine
See also: Security Guide for Connectivity with the SAP J2EE Engine Transport Layer Security on the SAP J2EE Engine
Secure Connection of Application Systems to SAP XI

All XI runtime components using the HTTP protocol support the encryption of the HTTP data stream by means of the SSL protocol, also known as HTTPS. HTTPS data streams are completely transparent to the Exchange Infrastructure. Depending on the protocol used, all data (including passwords) is usually transmitted through the network (intranet or internet) in plain text. To maintain the confidentiality of this data, you can apply transport layer encryption to the connection between the business systems, the Integration Server, the adapters, and the Web browser. SAP especially recommends using encryption when you transmit passwords, orders, company-specific information or any other data that you consider sensitive. You can use Secure Sockets Layer (SSL) or Secure Network Communication (SNC) to increase the security of the following connections: Between adapters and Integration Server Between business systems and Integration Server Between PCK and Integration Server
February 2005
23
Between business systems and adapters
Adapters, business systems, and Integration Servers communicate with each other using the RFC or HTTP protocol, which can be secured by SNC or SSL respectively. Find detailed information here: SAP Exchange Infrastructure Security Guide -> Chapter Network and Communication Security -> HTTP and SSL and Security Configuration Here you find information to send and receive messages with the Adapter Engine using HTTPS/ SSL: Configuration Guide - SAP XI 3.0: Chapter 10 Communication and Security and 10.1 HTTPS Configuration for the Adapter Engine
Integration of EBP Services into Enterprise Portal Ensure that you downloaded all relevant portal roles for SRM 4.0 from the iView studio at http://www.iviewstudio.com/. Here you can also find the actual Business Package of SRM 5.0. Security Information: Portal Platform Security Guide -> Secure Communications -> Communication Between Internal Components -> Communication with Backend Systems Note: The portal and the ITS of the EBP system must run under the same protocol (both under http or both under HTTPS, no other combination is possible) The portal and the ITS of the EBP system must be in the same domain If you wish to implement your own EBP services, you must ensure that the iViews of the EBP services have EPCF level "2"
February 2005
24
Network Security
General Access Control, Including Protection of the System and Stored Data Against Unauthorized External Access, General Standards: Firewalls, DMZ, SNC SAP Standards: ITS, SAProuter mySAP SRM is a solution with many external interfaces, including interfaces to the Internet. This makes mySAP SRM vulnerable to attempts from outsiders to access confidential data. Indeed, studies have shown that unauthorized access by internal employees also represents a considerable risk. As a pure business solution, mySAP SRM can offer protection in this regard bases on the Authorization Concept within SAP WAS (SAP Authorization Concept). It is important to understand that SRM is embedded in a comprehensive protection concept that offers protection both on a physical level and also, through additional firewalls, protected access to all levels of an IT infrastructure. As the SRM architecture graphics shows, SAP recommends protecting the different SRM components using appropriate firewalls. This includes setting up a DMZ (Demilitarized Zone) that protects all critical components from direct access via the Internet. Furthermore, SAP recommends installing protection against access to the entire data store of the various SRM applications components. For more information on firewalls and the relevant settings, see the section Network and Communication Security -> Using Firewall Systems for Access Control ( for firewall settings) in the SAP NetWeaver Security Guide and SAProuter in the SRM documentation (for SAProuter settings). For more information on the settings for Security Network Communications (SNC), see the section SNC-protected Communication in the SAP WebAS Security Guide. See also: Additional Information on Network Security
Communication Destinations
All relevant communication destinations (such as RFC, IDoc, and so on) for mySAP SRM are described in the Business Scenario Configuration Guides. The following table provides an overview of the relevant sections: Business Scenario Configuration Guide SRM 4.0 Self-Service Procurement Section System Connections Where to find SAP Service Marketplace: http://service.sap.com/ibc -> for mySAP SRM -> Self-Service Procurement SAP Service Marketplace: http://service.sap.com/ibc -> for mySAP SRM -> Plan-Driven Procurement SAP Service Marketplace: http://service.sap.com/ibc -> for mySAP SRM -> Strategic Sourcing SAP Service Marketplace: http://service.sap.com/ibc -> for
SRM 4.0 Plan-Driven Procurement
System Connections
SRM 4.0 Strategic Sourcing
System Connections
SRM 4.0 Catalog Content Management
System Connections
February 2005
25
mySAP SRM -> Catalog Content Management SRM 4.0 Service Procurement SAP Service Procurement with Loose Supplier Integration/with Close Supplier Integration System Connections SAP Service Marketplace: http://service.sap.com/ibc -> for mySAP SRM -> Service Procurement SAP Service Marketplace: http://service.sap.com/ibc -> for mySAP SRM -> Spend Analysis
SRM 4.0 Spend Analysis
February 2005
26
User Administration and Authentication

This section describes how user data is protected from unauthorized access and the aspects of authorization. X.509 Certificates are used in conjunction with accounts and passwords as general security standard. The SAP role concept and user attributes are used for authorization purposes. For more information, see the section Authenticating Users in the SAP WAS Security Guide. There are three different scenarios for authenticating users in SAP System Internet applications. See: Authenticating Internet Users Authenticating Named Users With User ID and Password Authenticating Named Users Using X.509 Client Certificates
See Using X.509 Client Certificates to get a procedure for configuring the system for the use of X.509 client certificates.
User Management
In general, SRM supports user authentication using user accounts and passwords. It also supports user authentication using X.509 certificates and, this way, integrates seamlessly with public key infrastructure. The following types of roles are supported: SRM Server roles and portal roles. New users can only be created by the user administrator or by a manager. In the case of selfregistration by new users, the actual release of the new account has to be approved by the user administrator or manager.
To use the user approval workflow, the workflow WS10000192 has to be activated and the indicator Approval Indicator has to be set in the IMG under SRM Server -> Master Data -> Create Users -> Set Approval Indicator. As standard, creation of users is always approval-relevant.
February 2005
27
Integration into Single Sign-On Landscapes

Support of Single Sign-On on SRM Because of the fact that mySAP SRM consists of a range of different application components, and certain SRM users must access several of these applications, the support of Single Sign-On is a significant benefit. In SRM the standard SSO mechanism is used (the initial application generates the SSO cookie, which is stored in the users web browser and other applications accept it). (For security reasons, the cookie is placed in the main memory and is automatically deleted as soon as the user actively logs off or closes the browser.) Using this cookie, users can access all SRM applications for which they are authorized without having to authenticate themselves again, that is, go through the authentication process again. When the user accesses applications based on SAP R/3, such as SAP EBP, the cookie is converted to a SAP Logon ticket on-the-fly. Single Sign-On in SRM is supported both with and without the Enterprise Portal. For more information on SSO und Authentication Methods on SAP Web AS, see: SAP Web Application Server Security Guide -> Authentication and Single Sign-On User Authentication and Single Sign-On -> Using Logon Tickets
February 2005
28
Authorizations
Authorizations
In SRM one or more predefined roles are assigned to each user or user account. Depending on the role, the user is authorized to carry out certain transactions and access certain data. In addition, each user or user account is assigned to its company and/or organizational unit. By way of this assignment, the user inherits additional attributes that further restrict his access, for example, employees may only assign purchase orders to their own cost centers. In the standard SRM delivery, customers receive predefined role templates that they can extend or adapt to their specific requirements. The standard roles include roles for managers, employees, and so on. Individual users access SRM transactions and data via their browsers and then transfer sensitive confidential data. This information must be protected against unauthorized access. As standard, this is taken care of by encoding all data during the transfer from the Web Server to the browser. SRM follows the standard in this case and supports secure HTTP.
Roles for System Configuration

Users wanting to set up or configure an SRM Server system are assigned to the SRM Administrator role, which provides them with the required authorizations. The necessary Customizing authorizations ensure that these setup users are able to carry out IMG projects. See the SAP Library (http://help.sap.com/): SAP NetWeaver -> SAP NetWeaver Technical Operations Manual Administration of the SAP Web Application Server Management of the ABAP Subsystem Users and Roles (BC-SECUSR) Role Maintenance Role Maintenance Functions: Customizing Auth.
SRM does not supply separate Customizing or setup roles. Instead, you should use the functions provided in Role Maintenance (transaction PFCG).
February 2005
29
Authorizations
1) ABAP Roles for SRM 4.0/ Enterprise Buyer 5.0

The following roles are delivered: Roles/ Technical Names Employee
SAP_EC_BBP_EMP LOYEE
Services Trans(Menu Entry) action

Request Shop BBPSC18 BBPSC02
Authorization Group
AAAB
Authorization Objects
B_BUPA_RLT (02,03) B_BUPR_BZT (ACTVT 02; RELTYP BUR010) S_ME_SYNC (38) S_PRO_AUTH (03) S_RFC S_TCODE
S_RFC
S_TCODE
ARFC
BBP_BGRD_APPROVAL
BBP_ATTR_ BBP_CTR_DISP MAINT
SAP_BBP_STAL_EM Shop (one PLOYEE screen) SAP_BBP_MULTI_E MPLOYEE Check Status Confirm Goods/Services Enter Invoice/Credit Memo Inbox OLD Approval
BBPSC03 BBPSC04 BBPCF02 BBPIV02
BBP_BD_M ETA_BAPIS BBP_BS_P OD BBP_BS_R QD BBP_BS_R SD BBP_CHAN GE_DOC
BBP_CTR_DISPNR BBP_CTR_EXT_PO BBP_CTR_WF_APP BBP_GETCD_ITS
BBPBWSP BBPBWSP _SIMPLE
BBP
BBP_FUNCT BBP_PD_CNF BBP_PD_INV BBP_PD_PO (ACTVT: 03) BBP_PD_QUO (ACTVT: 03, 75) BBP_PD_SC (ACTVT: 01, 02, 03, 04, 06) M_BBP_PC
BBP_OCI_AGENT
BBP_CROO BBP_POC_WF_APP M_CTR BBP_CROO BBP_POC_WF_REV M_INV BBP_CROO BBP_QUOT_EXTST M_SC BBP_FRAM EWORK BBP_SC_DARKAPP_IAC
BBP_IU_GE BBPAT03 N BBP_REQR EQ BBP_WAP BBPAT04 BBPAT05
BC_A
C_DML (ACTVT: 03) S_DATASET (ACTV: 33, 34; PROGRAM: SAPLSWT01) S_TABU_DIS (03) S_USER_GRP (02, 03)
BBP_WAP_I BBPATTRMAINT NBOX
BBPFAKEW BBPCF04 P ERFC RFC1 BBPCF05 BBPGLOBAL
BC_C
S_DEVELOP (ACTVT: 16; Package: dummy; object name: BUS*; object type: SOBJ; authorization group = dummy)
February 2005
30
Authorizations
Roles/ Technical Names
Authorization Group
BC_Z
S_OC_DOC S_OC_FOLCR S_OC_ROLE S_OC_SEND S_OC_TCD ( SO01, SO02, SO03, SO04)
S_RFC
S_TCODE
RSAN SDIF SDIFRUNTI ME SI17_V SKBW
BBPHELP BBPIV04 BBPIV05 BBPIV06 BBPPU01
S_BDS_DS (01, SSCV 02, 03, 04, 06) S_WF_LVIEW S_WF_WI HR PLOG P_TCODE (PF*, PP*) SU_USER SURL SUSO SUSW SWEL SWLWFIN SWOR SWWA SYST SYSU
BBPPU02 BBPPU03 BBPPU05 BBPPU08 BBPPU11 BBPPU12 BBPPU16 BBPPU17 BBPSC08 BBPSC10 BBPST01
WP_USER_ BBPVE01 MENU BBPWI BWSP SWK1 T*
Manager
SAP_EC_BBP_MAN AGER SAP_BBP_STAL_MA NAGER SAP_BBP_MULTI_M ANAGER
Edit Attributes Process Company Data (hosted)
BBPATTRM AAAB AINT BBPMAINM ANAGER BBP
S_RFC S_TCODE
BBPMAINA PP
BBP_POC_DISPLY BBP_QUOT_EXTWF
BBP_PD_PO (ACTVT: 03)
BBPBWSC1 BBPMAINAPP BBPPU05 BBPPU07 BBPRP01
February 2005
31
Authorizations
Authorization Group
S_RFC
S_TCODE
BBPSC07 BWSP T*
Purchasing Assistant
SAP_EC_BBP_SEC RETARY
Shop
BBPSC01
AAAB
S_TCODE
BBP_BW_SC3
Create Public Templates
BBPSC05 BBPPCO02 BBPCF03
BBP
M_BBP_CONF M_BBP_I_IN M_BBP_SHLP (inactive)
BBP_BW_SC4 BBPCF03 BBPIV03
SAP_BBP_STAL_SE Enter Purchase CRETARY Order Response SAP_BBP_MULTI_S ECRETARY Confirm Goods / Services Centrally Enter Invoice / Credit Memo Centrally Shopping Carts per Cost Center Shopping Carts per Product Vendor Prescreening
BBPIV03
BBPPU02
BBP_BW_S C4 BBP_BW_S C3 /sap/ros_pr escreen/mai n.do
BBPPU04 BBPPU05
BBPPU06
BBPPU10 BBPSC03 BBPSC04 BBPSC05 BBPSC06
Professional Purchaser
SAP_EC_BBP_PUR CHASER
Shop
BBPSC01
AAAB
/SAPCND/CM (Application: BBP; use: PR) B_BUPA_RLT B_BUPR_BZT
BBP_AUC_SRM_EX
Create Public Templates
BBPSC05 BBPCF03
BBP_BID_EVAL BBP_BID_EXTSO
SAP_BBP_STAL_PU Confirm Goods / RCHASER Services Centrally SAP_BBP_MULTI_P URCHASER Enter Invoice / Credit Memo Centrally Process Purchase Order Issue Purchase Order
BBPIV03
B_USERST_T
BBP_CFOLDER
BBP_POC BBP_PPF BBP
S_TCODE BBP_BUDGET
BBP_CTR_EXT_CR BBP_CTR_EXT_PO
February 2005
32
Authorizations

Process Purchase Order Response Process Global Outline Agreement BBPPCO01
Authorization Group
BBP_FUNCT
S_RFC
S_TCODE
BBP_CTR_EXT_WF
BBP_CTR_ MAINCC
BBP_PD_AUC
BBP_POC_DISPLY
Process Contract BBP_CTR_ MAIN Issue Contract Process Bid Invitation Process Auction Carry Out Sourcing Analysis SC per Cost Center Analysis SC per Product BBP_PPF_ CONT BBP_BID_I NV BBP_AUCT ION BBPSOCO 01 BBP_BW_S C4 BBP_BW_S C3
BBP_PD_BID BBP_PD_CNF BBP_PD_CTR BBP_PD_INV BBP_PD_PCO BBP_PD_PO BBP_PD_QUO BBP_PD_SC
BBP_POC_WF_REQ BBP_QUOT_EXTWF BBP_TRIGG_MEN BBPDIFF BBPMAINAPP BBPPCO_WF BBPPO01 BBPPU02
Manage BBPMAINI Business Partner NT Data Manage BBPMAINP Business Partner URCH (Hosted) Edit Addresses BBPADDRI NTV BBPAVLMA BC_A INT BBPWLRA0 1
BBP_PD_VL
BBPPU04
M_BBP_PC (PCMAS_ACT: 03, 04) S_ADMI_FCD (NADM) S_BTCH_JOB (job action: PLAN, RELE) S_CTS_ADMI (TABL) S_SPO_DEV S_USER_AGR (01, 02, 03, 22, 36, 64, 78) S_USER_GRP (01, 02, 03, 06, 22, 78) S_USER_PRO (01, 02, 03, 07, 22) S_XMB_AUTH (ACTVT: 03, 16; SXMBACTION: RUNTIME) BC_C S_DEVELOP
BBPPU05
Process Vendor List Reassign Workload
BBPPU06 BBPPU07
Display Changes BBP_SUPP _MONI
BBPPU10 BBPRP01 BBPSC03
BBPSC04
BBPSC06
BBPSC14
BBPSC15
February 2005
33
Authorizations
Authorization Group
BC_Z
S_APPL_LOG (03) S_IDOCCTRL
S_RFC
S_TCODE
BBPSC16 BBPSC17 BBPSC18 BBPSC19 BBPSHOWVD BBPVE01 BWSP BWWF_WI_DECI CRMD_ORDER
Purchase Manager
SAP_BBP_STAL_PU RCHASE_MANAGE R SAP_BBP_MULTI_P URCHASE_MANAG ER
Only composite role
Operational Purchaser
Shop
BBPSC01
AAAB
/SAPCND/CM / (application: BBP; use: PR) B_BUPA_RLT B_BUPR_BZT
BBP_AUC_SRM_EX
SAP_EC_BBP_OP_P Create Public URCHASER Templates SAP_BBP_STAL_OP Confirm ERAT_PURCHASER Goods/Services Centrally Enter Invoice/Credit Memo Centrally
BBPSC05 BBPCF03
BBPIV03
B_USERST_T
BBP_CTR_EXT_CR
Process BBP_POC Purchase Orders Issue Purchase Orders Enter Purchase Order Response Process Purchase Order Response Assign Global Outline Agreement Process Contracts BBP_PPF BBPPCO02 BBPPCO01 BBP
S_TCODE BBP_BUDGET BBP_FUNCT BBP_PD_AUC
BBP_CTR_EXT_PO BBP_CTR_EXT_WF BBP_POC_DISPLY BBP_POC_WF_REQ
BBP_CTR_ SEARCC BBP_CTR_ MAIN
BBP_PD_BID
BBP_PPF_CONT
BBP_PD_CNF
BBP_TRIGG_MEN
February 2005
34
Authorizations

Process Bid Invitations Process Auctions Carry Out Sourcing Analysis SC per Cost Center Analysis SC per Product Edit Addresses BBP_BID_I NV BBP_AUCT ION BBPSOCO 01 BBP_BW_S C4 BBP_BW_S C3 BBPADDRI NTV
Authorization Group
BBP_PD_CTR BBP_PD_INV BBP_PD_PO BBP_PD_QUO BBP_PD_SC M_BBP_PC (03, 04) S_ADMI_FCD (NADM) S_BTCH_JOB (job action: RELE) S_CTS_ADMI (TABL) S_SPO_DEV S_USER_AGR (01, 02, 03, 22, 36, 64, 78) S_USER_GRP (01, 02, 03, 06, 22, 78) S_USER_PRO (01, 02, 03, 07, 22) S_XMB_AUTH (ACTVT:16; SXMBACTION: RUNTIME)
S_RFC
S_TCODE
BBPDIFF BBPMAINAPP BBPPCO_WF BBPPO01 BBPPU02 BBPPU04 BBPPU05 BBPPU06
Display Changes BBP_SUPP BC_A _MONI Vendor Prescreening /sap/ros_pr escreen/mai n.do
BBPPU07 BBPPU10 BBPRP01
BBPSC03
BBPSC04
BBPSC06
BC_Z
BBPSC14 BBPSC15 BBPSC16 BBPSC17 BBPSC18 BBPSC19 BBPSHOWVD BBPVE01 BWSP BWWF_WI_DECI CRMD_ORDER
February 2005
35
Authorizations
Authorization Group
S_RFC
S_TCODE
Strategic Purchaser
Process Bid Invitation
BBP_BID_I NV BBP_AUCT ION BBP_CTR_ MAINCC BBPPCO01
AAAB
/SAPCND/CM / (application: BBP; use: PR) B_BUPA_RLT B_BUPR_BZT
BBP_AUC_SRM_EX
SAP_EC_BBP_ST_P Process Auction URCHASER SAP_BBP_STAL_ST RAT_PURCHASER Process Global Outline Agreement Process Purchase Order Response
B_USERST_T
BBP_CFOLDER
Process Contract BBP_CTR_ MAIN Issue Contract Process Vendor List BBP_PPF_ CONT BBPAVLMA INT BBP
S_TCODE BBP_BUDGET BBP_FUNCT BBP_PD_AUC
BBP_CTR_EXT_CR BBP_CTR_EXT_PO BBP_CTR_EXT_WF BBP_POC_DISPLY
Manage BBPMAINI Business Partner NT Data Edit Addresses Reassign Workload Vendor Prescreening BBPADDRI NTV BBPWLRA0 1 /sap/ros_pr escreen/mai n.do
BBP_PD_BID BBP_PD_CNF (ACTVT: 03) BBP_PD_CTR
BBP_POC_WF_REQ BBP_PPF BBP_QUOT_EXTWF
BBP_PD_INV (ACTVT: 03) BBP_PD_PCO (ACTVT: 03) BBP_PD_PO BBP_PD_QUO BBP_PD_SC (ACTVT: 02, 03) BBP_PD_VL M_BBP_PC BC_A S_ADMI_FCD (NADM) S_BTCH_JOB (job action: RELE) S_CTS_ADMI (TABL) S_SPO_DEV
BBPMAINAPP BBPPCO_WF BBPPO01 BBPPU02 BBPPU04 BBPPU05 BBPPU06 BBPPU07 BBPPU10
BBPRP01 BBPSC14
February 2005
36
Authorizations
Authorization Group
S_USER_AGR (01, 02, 03, 22, 36, 64, 78) S_USER_GRP (01, 02, 03, 06, 22, 78) S_USER_PRO (01, 02, 03, 07, 22) S_XMB_AUTH (ACTVT:16; SXMBACTION: RUNTIME) S_DEVELOP
S_RFC
S_TCODE
BBPSC15
BBPSC16
BBPSC17
BBPSHOWVD
BBPSOCO01 BBPVE01 BWSP BWWF_WI_DECI CRMD_ORDER
BC_Z
Content Manager
SAP_EC_BBP_CON TENT_MANAGER
Import Product Master Hierarchies Import Products
BBP_CT_S CM_STAGI NG BBP_CT_S TAGING COMMPR0 1 COMMPR0 2 BBP_CCM_ TRANSFER
AAAB
/SAPCND/CM COMM_ATT COMM_ATTRSET (application: BBP; RSET use: PR) COM_ASET (01, 02, 03, 06) COM_CAT (01, 02, 03) COM_HIER (01, 02, 03) COM_IL (ACTVT: 01, 02, 03, 06; RELTYPE: PRDCTI, PRDCTN, PRDMPI, PRDMPN, PRDVND, PRDVNI) COM_PRD (01, 02, 03, 06) COM_PRD_CT (01, 02, 03, 06) S_IFC S_RFC S_TCODE COMM_PC AT_LOC CRM_PRD BBP_CT COMM_HIERARCHY COMM_PCAT_LOC COMM_PCAT_PROFILE
SAP_BBP_STAL_CO Process NTENT_MANAGER Products Activate Products Data Transfer from Product Master to Catalog
Maintain Products in SUS
CONTENT
BC_A
S_BTCH_JOB (job action: RELE)
February 2005
37
Authorizations
Authorization Group
S_XMB_AUTH (ACTVT:16; SXMBACTION: RUNTIME)
S_RFC
S_TCODE
BC_Z
S_APPL_LOG (ACVT 03; ALG_OBJECT: COM_PRODUCT _CATALOG ; ALG_SUBOBJ: EXPORT_XML)
Component Planner
Component Planning for Orders
BBPOR01
AAAB
S_TCODE
Only standard
SAP_EC_BBP_PLAN Component NER Planning for Projects SAP_BBP_STAL_PL ANNER Change Settings
BBPPS01
BBPAT05
Internal Dispatcher
SAP_EC_BBP_RECI PIENT SAP_BBP_STAL_RE CIPIENT SAP_BBP_MULTI_R ECIPIENT
Confirm Goods / Services Centrally Find Goods Recipient
BBPCF03
AAAB
S_TCODE
Only standard
BBP_PM01
BBP
BBP_FUNCT BBP_PD_CNF BBP_PD_PO (ACTVT: 03)
Accounts Payable Clerk

SAP_EC_BBP_ACC OUNTANT
Invoice and Credit Memo Centrally Issue Document
BBPIV03
AAAB
S_TCODE
Only standard
BBP_TRIG G_MEN
BBP
BBP_FUNCT BBP_PD_INV (ACTVT: 01, 02, 03, 06) BBP_PD_PO (ACTVT: 03)
SAP_BBP_STAL_AC Backend Posting BBPBC1 COUNTANT (Hosted) SAP_BBP_MULTI_A CCOUNTANT
Bidder
SAP_EC_BBP_BIDD ER SAP_BBP_STAL_BI DDER SAP_BBP_MULTI_BI DDER
Process Bid
BBP_QUOT AAAB
/SAPCND/CM BBP_CFOL (application: BBP; DER use: PR) B_BUPA_RLT B_BUPR_BZT S_PRO_AUTH (03) BBP_FRAM EWORK
BBP_CFOLDER
Process User Data
BBPMAINE XT
BBPGLOBAL
BBPFAKEW BBPMAINNEW P RFC1 BBPST01
February 2005
38
Authorizations
Authorization Group
S_RFC S_TCODE
S_RFC
S_TCODE
RSAN SDIF SDIFRUNTI ME SI17_V SKBW
BBPVENDOR BBPWI
BBP
BBP_PD_AUC (03) BBP_PD_BID (03) BBP_VEND (ACTVT: 01, 02, 03, 06; BBP_OBJTYP: BUS2200, BUS2202, BUS2208)
BC_A
S_DATASET (33) SSCV S_TABU_DIS (03) SU_USER SURL
BC_Z
S_BDS_DS (ACTV: 01, 02, 03, 04, 30; CLASSTYPE: BO, CL, OT) PLOG
HR
SUSO SUSW SWLWFIN SWOR SYST SYSU WP_USER_ MENU
Vendor
SAP_EC_BBP_VEN DOR
Enter Delivery / Service Enter Invoice / Credit Memo
BBPCF01
AAAB
/SAPCND/CM BBP_CFOL (application: BBP; DER use: PR) B_BUPA_RLT B_BUPR_BZT S_PRO_AUTH (03) S_RFC S_TCODE BBP_FRAM EWORK
BBP_BGRD_APPROVAL
BBPIV01 BBPMAINE XT BBPADDR EXT BBPBWSP BBPBWSP _SIMPLE BBP
BBP_CFOLDER
SAP_BBP_STAL_VE Process User NDOR Data SAP_BBP_MULTI_V ENDOR Edit Addresses Inbox OLD Approval
BBPADDRE BBP_QUOT XT BBPFAKEW BBPGLOBAL P RFC1 RSAN SDIF SDIFRUNTI ME BBPMAINNEW BBPST01 BBPVENDOR BBPWI
BBP_PD_AUC (03) BBP_PD_BID (03)
February 2005
39
Authorizations
Authorization Group
BBP_VEND (ACTVT: 01, 02, 03, 06; BBP_OBJTYP: BUS2203, BUS2205)
S_RFC
S_TCODE
SI17_V
SWK1
BC_A BC_Z
S_TABU_DIS (03) S_BDS_DS (ACTV: 01, 02, 03, 04, 30; CLASSTYPE: BO, CL, OT) PLOG
SKBW SSCV
HR
SU_USER SURL SUSO SUSW SWLWFIN SWOR SYST SYSU WP_USER_ MENU
Company Administrator (MarketSet)

SAP_EC_BBP_COM PANY_ADMIN SAP_BBP_MULTI_C OMPANY_ADMIN
Process Local Accounting Data
BBP_MS_S AAAB TD_ACC_C
S_TCODE
BBPPU09
Customizable Messages Messages in XML Define Impersonal Account Process FIBackend Process Vendor Number in Backend Process Tax Code Monitor Shopping Cart
BBP_MS_M BBP SG1_C BBP_MS_M SG2_C BBP_MS_A BC_A CC_DET_C BBP_MS_B E_C BBP_BE_LI BC_C ST BBP_MS_M AP_TAX_C BBP_MON_ SC
BBP_FUNCT (MON_ALERTS) BP_PD_SC (ACTVT: 01, 02, 03, 06) S_TABU_CLI
BBPSHOWVD SYST
S_TABU_DIS (ACTVT: 02, 03) S_TRANSLAT (ACTVT: 02)
Administrator
Application Monitors
BBPADM_ COCKPIT
AAAB
B_BUPA_ATT
February 2005
40
Authorizations

BBP_MON_ SC BBP_CTR_ MON
Authorization Group
B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT B_BUPR_FDG B_CCARD S_RFC
S_RFC
S_TCODE
SAP_EC_BBP_ADMI Monitor NISTRATOR Shopping Carts SAP_BBP_STAL_AD Monitor Contract MINISTRATOR Distribution SAP_BBP_MULTI_A DMINISTRATOR
Monitor Business BBP_SUPP Partner _MONI Synchronization with Backend Manage User Data Edit Internal Addresses Manage Business Partners Edit External Addresses Edit Attributes BBP_CLEA NER BBPUSER MAINT BBPADDRI NTC BBPMAINI NT BBPADDRI NTV BBPATTRM BBP AINT
S_TCODE BBP_BUYER BBP_FUNCT BBP_PD_AUC (03) BBP_PD_BID (03) BBP_PD_CNF (03) BBP_PD_CTR (03) BBP_PD_INV (03) BBP_PD_PCO (03) BBP_PD_PO (03) BBP_PD_QUO (03) BBP_PD_SC (ACTVT: 01, 02, 03, 04, 06) M_BBP_IM_1 M_BBP_PC BC_A S_ADMI_FCD S_ARCHIVE S_BTCH_ADM S_BTCH_JOB S_BTCH_NAM
February 2005
41
Authorizations
Authorization Group
S_CTS_ADMI S_DATASET S_ENQUE S_GUI S_RZL_ADM S_TABU_CLI S_TABU_DIS S_USER_AGR S_USER_AUT S_USER_GRP S_USER_PRO S_USER_SYS S_USER_TCD S_USER_VAL S_XMB_AUTH (ACTVT:16; SXMBACTION: RUNTIME) S_XMI_PROD
S_RFC
S_TCODE
BC_C
S_DEVELOP S_DOKU_AUT S_PROGRAM S_TRANSPRT
BC_Z
S_APPL_LOG S_IDOCCTRL S_IDOCDEFT S_IDOCMONI S_IDOCPART S_IDOCPORT S_IDOCREPA S_NUMBER S_SCD0 S_WF_WI S_WFAR_OBJ S_WFAR_PRI
February 2005
42
Authorizations
Authorization Group
HR
PLOG P_TCODE
S_RFC
S_TCODE
Create Vendor (Dummy)

SAP_EC_BBP_CRE ATEVENDOR
Request Vendor or Bidder
BBPMAINN AAAB EW
B_BUPR_BZT
BBPMAINNEW
S_TCODE
Create User (Dummy)

SAP_EC_BBP_CRE ATEUSER
Create User
BBPAT03
AAAB
B_BUPA_RLT
BBPAT03
Forgotten Username / Password
BBPAT04
S_TCODE
BBPAT04
BC_A
S_USER_AGR S_USER_GRP S_USER_PRO S_USER_TCD
SU01
HR
PLOG
Subscribe Marketplace
SAP_EC_BBP_SUB SCRIBE_MARKETPL C
Subscribe to EBP on Marketplace
BBPSUBSC AAAB RIBE
B_BUPA_RLT
ARFC
BBPSUBSCRIBE
S_RFC
BBP_ATTR_ ORG BBP_ATTR_ PD BBP_FRAM EWORK BBPFAKEW P RFC1 RSAN SDIFRUNTI ME SSCV SU_USER SWOR SYST SYSU
S_TCODE BC_A S_USER_AGR S_USER_GRP S_USER_PRO S_USER_TCD HR PLOG
February 2005
43
Authorizations
2) ABAP Roles for SRM 4.0 (SUS Deployment)

Roles/ Technical Names Order Processor
SAP_EC_SUS_ORDER_PROCE SSOR
Folder
Purchase Orders
Menu Entry
All New Changed In Process Confirmed Partially Confirmed
Authorization Authorization Objects Group

AAAB B_BUPA_ATT B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT S_TCODE (SICF) BBP BBP_FUNCT BBP_SUS_PD (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2232, BUS2235) BC_A S_ADMI_FCD (NADM) S_USER_GRP (ACTVT: 02, 03, 05) BC_Z S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT) PLOG
Administration Messages
Own Data Read Messages
HR
SAR Processor
SAP_EC_SUS_SAR_PROCESS OR
Scheduling Agreement Releases
All New Changed In Process Confirmed Partially Confirmed
AAAB
B_BUPA_ATT B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT S_TCODE (SICF)
BBP
BBP_FUNCT BBP_SUS_PD (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2232, BUS2235)
BC_A
S_ADMI_FCD (NADM) S_USER_GRP (ACTVT: 02, 03, 05)
BC_Z
S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT) PLOG
HR
February 2005
44
Authorizations
Roles/ Technical Names Invoicer

SAP_EC_SUS_INVOICER
Folder
Purchase Orders Confirmations ASN Invoices
Menu Entry
All Approved Sent All In Process Invoiced Approved

AAAB B_BUPA_ATT B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT S_TCODE (SICF) BBP BBP_SUS_PD (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2231, BUS2232, BUS2233, BUS2234, BUS2235) S_ADMI_FCD (NADM) S_USER_GRP (ACTVT: 02, 03, 05) BC_Z S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT) PLOG
Rejected Create Administration Own Data
BC_A
Messages
Read Messages
HR
Dispatcher
SAP_EC_SUS_DISPATCHER
Purchase Orders ASN
Confirmed All In Process Sent
AAAB
Own Data Read Messages BBP
BBP_SUS_PD (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2231, BUS2232, BUS2235) S_ADMI_FCD (NADM) S_USER_GRP (ACTVT: 02, 03, 05)
BC_A
BC_Z
S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT) PLOG
HR
Service Agent
SAP_EC_SUS_SERVICE_AGEN T
Purchase Orders Confirmations
Confirmed All In Process Returned Approved
AAAB
B_BUPA_ATT B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT
February 2005
45
Authorizations
Folder
Menu Entry
Rejected

S_TCODE (SICF) BBP BBP_SUS_PD (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2232, BUS2233, BUS2235) S_ADMI_FCD (NADM) S_USER_GRP (ACTVT: 02, 03, 05) HR PLOG
Administration
Own Data
Messages
Read Messages
BC_A
Service Manager
SAP_EC_SUS_MANAGER
Purchase Orders Confirmations
Confirmed All In Process Returned Approved Rejected
AAAB
BBP BC_A
BBP_FUNCT (GLOB_ACCSS) S_ADMI_FCD (NADM) S_USER_GRP (ACTVT: 02, 03, 05)
HR
PLOG
The Service Manager is allowed to search for and display his own confirmations and those of ALL Service Agents.
Vendor Administrator
SAP_EC_SUS_ADMIN_VENDOR
Administration
Create User Search User Own Data Company Data Customer Overview
AAAB
B_BUPA_ATT B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT S_TCODE (SICF, SU01)
Messages
Read Messages BBP BC_A
BBP_SUS_PD (ACTVT: 03; BBP_OBJTYP: BUS2235) S_ADMI_FCD (NADM) S_USER_AGR S_USER_GRP S_USER_PRO
HR
PLOG
February 2005
46
Authorizations
Roles/ Technical Names Purchaser Administrator

SAP_EC_SUS_ADMIN_PURCHA SER
Folder
Administration
Menu Entry
Create User Search User Own Data

AAAB B_BUPA_ATT B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT (ACTVT: 01, 02, 03) B_BUPR_BZT S_TCODE (SICF, SU01) BBP BC_A BBP_SUS_PD (ACTVT: 02, 03; BBP_OBJTYP: BUS2235) S_ADMI_FCD (NADM) S_USER_AGR S_USER_GRP S_USER_PRO HR PLOG
Messages
Process Messages Read Messages
Bidder
SAP_EC_SUS_BIDDER
Bid Invitations
AAAB BC_A
S_TCODE (SICF) S_ADMI_FCD (NADM)
February 2005
47
Authorizations
3) Catalog Content Management Roles

If you want to use the CCM roles /CCM/CATALOG_MANAGER and /CCM/CATALOG_APPROVER, make the appropriate settings in the Implementation Guide (IMG) under Supplier Relationship Management -> SRM Server -> Cross-Application Basic Settings -> Roles -> Define Roles.
February 2005
48
Authorizations
4) Portal Roles (for Enterprise Portal 6.0)

Portal Role/ Top Level Entry SRM_Employee Go Shopping iView
Request
iView (technical name)

ebp.bbpsc18
Component
EBP
Shop Order Status Confirm Goods Receipt Enter Invoice / Credit Memo Inbox OLD Approval Change my Settings Change Attributes User Management
BBPSC02 BBPSC04 ebp.bbpcf02 ebp.bbpiv02 BBPBWSP ebp.bbpbwsp_simple ebp.bbpat05 ebp.bbpattrmaint um.usermanagement
EBP EBP EBP EBP EBP EBP EBP EBP UM
User Settings
Change my Settings
ebp.bbpat05
EBP
Change Attributes User Management
ebp.bbpattrmaint um.usermanagement
EBP UM
SRM_Manager Approval and Analysis
Approval
ebp.bbpapproval ebp.bbpbwsp_simple BBPMAINMANAGER bw.costcenterinfo 0TPL_0BBP_C02_Q1003_V002001 bw.shopcostinfo 0TPL_0BBP_SC_Q014_V01 0TPL_SR_VE_SERVICEPROVIDER ebp.bbpat05 ebp.bbpattrmaint um.usermanagement
EBP
Process Company Data Cost Center Information Shopping Cart Information Service Provider Information Change my Settings Change Attributes User Management
EBP BW BW BW EBP EBP UM
SRM_Purchasing_Assistant/ Professional Shopping
Shop
ebp.BBPSC01
EBP
Enter Purchase Order Response Order Status
ebp.bbpPCO02 ebp.bbpsc04
EBP EBP
February 2005
49
Authorizations
Portal Role/ Top Level Entry
iView
Process Public Templates Confirm Goods/Services Centrally Enter Invoice/Credit Memo Centrally Shopping Cart Information Shopping Carts per Cost Center Shopping Carts per Product Vendor Prescreening

ebp.bbpSC05 ebp.bbpcf03 ebp.bbpiv03 bw.shopcostinfoassistant 0TPL_BBP_SC_Q003_V0302 BBP_BW_SC4 BBP_BW_SC3 /sap/ros_prescreen/main.do
Component
EBP EBP EBP BW EBP EBP SUS
SRM_Operational_Purchaser/ Operational Purchasing
Process Purchase Orders Issue Purchase Orders Enter Purchase Order Response Process Purchase Order Response Schedule Monitoring Held Purchase Orders Pending Shopping Carts Analysis SC per Cost Center Analysis SC per Product Sourcing Process Global Outline Agreement Process Contracts Contract Usage Process Auctions Process Bid Invitation Shop Order Status Process Public Templates Confirm Goods/Services Centrally
EBP.BBP_POC
EBP
ebp.bbp_ppf BBPPCO02 BBPPCO01 bw.schedulemonitor 0TPL_0BBP_DS1_Q013_V002 bw.heldoders 0TPL_0BBP_PO_Q007_V02 bw.pendingcarts 0TPL_0BBP_SC_Q004_V02 BBP_BW_SC4 BBP_BW_SC3 ebp.bbpsoco01 BBP_CTR_SEARCC ebp.bbp_ctr_main bw.contractusage 0TPL_0BBP_CT_Q004 BBP_AUCTION com.sapmarkets.pct.srm.ebp.bbp_bid_ inv BBPSC01 BBPSC04 BBPSC05 BBPCF03
EBP EBP EBP BW BW BW EBP EBP EBP EBP EBP BW EBP EBP EBP EBP EBP EBP
February 2005
50
Authorizations
iView
Enter Invoice/Credit Memo Centrally Edit Addresses Display Changes

BBPIV03 BBPADDRINTV BBP_SUPP_MONI
Component
EBP EBP EBP
SRM_Strategic_Purchaser/ Strategic Purchasing
Spend Analysis
bw.spendanalysis 0TPL_0BBP_C01_Q036034 bw.supplierallocation 0TPL_SR_GLS_SUPPL_ALLOC bw.vendorportfolioanalysis 0TPL_SR_VE_PORTFOLIO bw.topvendors 0TPL_SR_VE_TOPVENDORS com.sapmarkets.pct.srm.ebp.bbp_bid_ inv BBP_AUCTION bw.contractanalysis 0TPL_0BBP_CT_Q003 BBP_CTR_MAINCC BBP_CTR_MAIN ebp.bbp_ppf_cont BBPPCO01 ebp.bbpavlmaint bw.relationshipanalysis 0TPL_0BBP_C01_Q03032 bw.vendorprofile 0TPL_SR_VE_PROFILE ebp.bbpmainint ebp.bbpaddrintv 0TPL_BBP_C01_Q039 0TPL_BBP_C01_Q027 0TPL_BBP_PO_Q005_V02 BBPWLRA01
BW
Supplier Allocation Vendor Portfolio Analysis Top and Bottom Vendors Process Bid Invitation Process Auction Contract Analysis Process Global Outline Agreement Process Contracts Issue Contracts Process Purchase Order Response Process Vendor List Relationship Analysis Vendor Profile Manage Business Partners Edit External Addresses Measure EBP-Project Success Workload per Purchasing Group Workload Workload Reassignment
BW BW BW EBP EBP BW EBP EBP EBP EBP EBP BW BW EBP EBP BW BW BW EBP
SRM_Content_Manager/ Content Management
Import Product Master Hierarchies Import Products Process Products
BBP_CT_SCM_STAGING
EBP
BBP_CT_STAGING ebp.commpr01
EBP EBP
February 2005
51
Authorizations
iView
Activate Products

ebp.commpr02
Component
EBP
SRM_Component_Planner/ Component Planning
Orders
ebp.bbpor01
EBP
Projects Change Settings
ebp.bbpps01 BBPAT05
EBP EBP
SRM_Recipient/ Goods Receipt
Confirm Goods / Services Centrally Find Goods Recipient Open Item Analysis
ebp.bbpcf03
EBP
ebp.bpp_pm01 (ebp.bbp_pm01) bw.openitemanalysis 0TPL_BBP_DS1_Q002009
EBP BW
SRM_Accountant/ Accounting
Enter Invoice / Credit Memo Centrally Issue Document Backend Posting (Hosted) Invoice Analysis
ebp.bbpiv03
EBP
BBP_TRIGG_MEN BBPBC1 bw.invoiceanalysis 0TPL_BBP_DS1_Q002
EBP EBP BW
SRM_Administrator/ SRM Administration
User Management
um.usermanagement
UM
Application Monitors Monitor Shopping Carts Monitor Contract Distribution Monitor Business Partner Manage Business Partners Manage User Data Edit External Addresses Edit Internal Addresses
ebp.bbpadm_cockpit ebp.bbp_mon_sc BBP_CTR_MON BBP_SUPP_MONI ebp.bbpmainint ebp.bbpusermaint ebp.bbpaddrintv ebp.bbpaddrintc
EBP EBP EBP EBP EBP EBP EBP EBP
Content Approver/ CCM_Catalog_Approver
Approve Catalog Entries
/CCM/CAT_CDC/CDC_MAIN.do
CCM
Application Monitors
ebp.bbpadm_cockpit
EBP
Catalog Manager/
Edit Catalogs
BSP_APPLICATION: /CCM/CAT_CDC/CDC_MAIN.do
CCM
February 2005
52
Authorizations
Portal Role/ Top Level Entry CCM_Catalog_Manager
iView
Component
Create Supplier Catalog
BSP_APPLICATION: /CCM/CAT_sup_catalog/create_sup_c at.htm BSP_APPLICATION: /CCM/CAT_pub_catalog/create_pub_c at.htm BSP_APPLICATION: /CCM/cat_supplier/start.htm BSP_APPLICATION: /CCM/CAT_PROTOCOL/display_proto cols.htm
CCM
Create Procurement Catalog Edit Supplier Data Display Log
CCM
CCM CCM
February 2005
53
Authorizations
Changes to the Authorization Check

As of Supplier Relationship Management (SRM) 4.0, the authorization check has been refined. Authorization objects used in previous releases have been replaced by new ones that include authorization parameters and authorization fields. As of Supplier Relationship Management (SRM) 4.0, the authorization check has been refined. Authorization objects used in previous releases have been replaced by new ones that include authorization parameters and authorization fields. The fields responsible purchasing organization (PORG), responsible purchasing group (PGR) and business transaction type have been added to the authorization field activity. Document checks in combination are possible: This allows control of the permitted function per document type and also a differentiation on organizational level. Example: A purchaser in purchasing group PGR123 is assigned to the role SAP_EC_BBP_PURCHASER and has the authorization object BBP_PD_PO - SRM: Process Purchase Orders, allowing the purchaser to create, change, display, print, and delete purchase orders (in the standard system). If the purchasing group object is restricted to PG123 , the purchaser can only process purchase orders that belong to this group and not all purchase orders without restriction. The purchaser might have less extensive authorization (for example display authorization) for other purchasing groups.
1. Document check
Checks whether a user can access a document (shopping cart, purchase order, and so on) with a particular function (change, delete, and so on). Check fields:
o o o o
PORG PGR Transaction type Activity (prior to SRM 4.0 the only check field)
New object BBP_PD_AUC BBP_PD_BID BBP_PD_CNF BBP_PD_CTR BBP_PD_INV BBP_PD_PCO BBP_PD_PO BBP_PD_QUO BBP_PD_VL BBP_PD_SC
Old object M_BBP_AUC M_BBP_BID M_BBP_CONF M_BBP_CTR M_BBP_I_IN
SRM document Live auction Bid invitation Confirmation Contract Invoice Purchase order response
M_BBP_PO M_BBP_Q_IN
Purchase order Bid Vendor list Shopping cart
Live Auction Authorization object: BBP_PD_AUC
February 2005
54
Authorizations
You can define that purchasers are only able to enter or display auctions for certain purchasing organizations and purchasing groups.
Bid invitation Authorization object: BBP_PD_BID You can define that purchasers are only able to enter, display, or publish bid invitations for certain purchasing organizations and purchasing groups.
Enter confirmation Authorization object: BBP_PD_CNF The purchasing organization and purchasing group fields are not checked.
Contracts Authorization object: BBP_PD_CTR You can define that purchasers are only able to enter and display contracts for certain purchasing organizations and purchasing groups.
Enter invoice Authorization object: BBP_PD_INV The purchasing organization and purchasing group fields are not checked.
Purchase orders Authorization object: BBP_PD_PO You can define that purchasers are only able to enter and display purchase orders for certain purchasing organizations and purchasing groups.
Bids Authorization object: BBP_PD_QUO You can define that purchasers are only able to display, accept, or reject bids for certain purchasing organizations and purchasing groups.
Vendor list Authorization object: BBP_PD_VL You can define that purchasers are only able to enter, display, or change vendor lists for certain purchasing organizations and purchasing groups.
Shopping cart Authorization object: BBP_PD_SC When you create and change shopping carts, no checks occur. In the Shopping Cart Status service, the system checks whether the current user is authorized to change, print, or delete shopping carts. If not, the relevant icons are not displayed. Since, in the status, the system only displays shopping carts belonging to the user, a check of organizational units is unnecessary.
Sourcing Cockpit
February 2005
55
Authorizations
Authorization object: BBP_PD_SC
When an item is transferred to the work area, the system checks against activity SO. 2. Check of special functions
When a transaction is called, the system checks the check object S_TCODE. If a transaction is included in a role, the appropriate authorization is automatically assigned during profile generation. SRM contains several services/functions that are not checked using S_TCODE (but these should not be available for all users). The authorization object BBP_FUNCT provides a simple access authorization: Checked value in field BBP_FUNCT CR_COMPANY MON_ALERTS CR_ASSETS BE_F4_HELP EVAL_VEND
New object BBP_FUNCT BBP_FUNCT BBP_FUNCT BBP_FUNCT BBP_FUNCT
Old object BBP_BUYER M_BBP_ADM M_BBP_ASS M_BBP_SHLP M_BBP_VE
Service/function Create purchasing company Access to monitors and alerts Create assets Call input help in R/3 Vendor evaluation
3. Check during vendor access

When vendors access an EBP System directly (not via SUS) to create purchase order confirmations (transaction BBPCF01 ) and invoices BBPIV01) or to submit bids (BBP_QUOT), these are not assigned to a purchasing organization or a purchasing group. These authorization parameters are not used. Business object type and activity are used for checking. New object BBP_VEND BBP_VEND BBP_VEND Old object M_BBP_I_EX M_BBP_Q_EX M_BBP_SES SRM document Invoice Bid Purchase order confirmation
4. Checks in SUS
In SUS, checks are mainly performed in conjunction with the authorization object BBP_SUS_PD. The object contains the two parameters: BBP_OBJTYP Object type (with possible values) BUS2230 SUS Purchase Order BUS2231 Shipping Notification BUS2232 SUS Purchase Order Response BUS2233 SUS Confirmation BUS2234 SUS Invoice BUS2235 SUS Notification and ACTVT Activity 02 Create, change
February 2005
56
Authorizations
03 Display 09 Display price (for purchase order)
SUS users are employees working for a supplier and are therefore not assigned to a purchasing organization and a purchasing group. Generally, you can only control whether a user can display certain object types (with or without price) or change them. In the case of confirmations, the system also uses the authorization object BBP_FUNCT with the value GLOB_ACCSS to check whether a user wants to confirm all confirmations sent to the supplier.
5. Other Checks
Some authorization objects were already checked prior to SRM 4.0 and have not been changed in the scope of the new authorization concept: BBP_BUDGET Authorization for budget check The object controls whether a user can use the budget display (activity 03) or whether the user can also branch to the evaluation in BW (activity 28). M_BBP_PC Procurement card master data This object checks in transaction BBM1 whether the user is allowed to display and change procurement card master data. The checked parameters are: o o o o PCINS PCNUM PCBEGRU Procurement card company Procurement card number Authorization group
PCMAS_ACT Authorization activity for procurement card master Note: The following value assignment is valid for the authorization field PCMAS_ACT and differs from the standard activity ACTVT: 01 = Create 02 = Change 03 = Display 04 = Display list 05 = Delete
/SAPCND/CM Maintenance of conditions (product master, contract) You can use this to control to what extent a user can create and change master data for conditions.
6. Programmed Restrictions in the Transactions

User restrictions are defined for some applications using the attributes in the organizational plan (cost center, account assignment category, requester, and so on). In the shopping cart, purchase order, confirmation, and invoice applications, these attributes are used for default values and are not used to control user activity. In the shopping cart, a user can only order goods for him/herself or for other users for which he is allowed to buy on behalf of. (Transaction PPOMA_BBP, attribute Requester) In workflow, the Approval Limits and Personal Budget attributes control the workflow relevance and processor determination. See the relevant SRM documentation in the Knowledge Warehouse. Application-based Customizing has an authorization-like effect in workflow and in the HR organization model: In workflow, processor assignment controls how approvers/reviewers are added. In the HR organizational model, fine control for attribute maintenance authorization is achieved using table BBP_ATTR_ACCESS.
February 2005
57
Authorizations
7. Checks in the Product Master and Partner Maintenance

Product master maintenance
The following authorization objects are checked in product master maintenance:

Object COM_PRD Field ACTVT Values 01, 02, 03, 06
General checks for product masters When you start transaction COMMPR01 several authorization checks are carried out simultaneously with one of the activities listed above. COM_ASET ACTVT 03 Reading attributes
/SAPCND/CM
ACTVT /SAPCND/AP /SAPCND/US /SAPCND/CT /SAPCND/TY
01, 02 BBP PR SAP001, SAP118 01PV
Creating and changing conditions data
Partner Maintenance The following authorization objects are checked in partner maintenance (supplier view): Object Field Values
BBP_FUNCT BBP_FUNCT CR_COMPANY General check to establish whether the user can create business partners PLOG PPFCODE DISP PLVAR 01 OTYPE US, O INFOTYP 1000, 1222, 1001, 5500, 5501, 5502, 5503 SUBTYP 0020, A490, 0200, A002 Authorization checks during maintenance of personnel planning data and organizational structures. B_BUPA_RLT ACTVT 03 Checks which business partner roles can be processed.
8. Other Checks
In User Maintenance (transaction SU01) on the Personalization tab, there are several Personalization Objects available for workflows (BBP_WFL_SECURITY, BBP_APPROVAL_LIMIT, BBP_SPENDING_LIMIT) and shopping carts (BBP_USER_BUDGET). You can use these to restrict the authorizations of users or to define value limits for control of approval workflows. BAdIs have been integrated into the selection screens. These allow customers to further restrict the selected quantities. In the Business Information Warehouse (BW), authorization tables are read before the results list is tailored to the calling user. (Authorization checks are not carried out, but access to the database is controlled appropriately.) It is only possible to define several Companies in the hosted scenario. Consideration of Companies is hard-coded. Note:
February 2005
58
Authorizations
o o
The authorization profiles have to be regenerated after a system update because of the new authorization objects (transaction PFCG - Role Maintenance). The new authorization check is used as standard. If you do not want to use it, you can revert back to the previous authorization check: IMG: Supplier Relationship Management -> SRM Server -> Master Data -> Create User -> Switch Back to Old Authorization Checks (SRM 3.0) (If the indicator is set, the old authorization objects are used. If not, only the new ones are used for checking.) If required, you can enhance the standard checks. You can use the BAdI BBP_PD_AUTH_CHECK Further Authorization Check for SRM Documents to do this.
February 2005
59
Appendix
Appendix
Virus Checking of Document Attachments
SRM provides you with the opportunity to check office documents that you attach to SRM documents with a virus scanner before they are stored in the database. You must have a virus scanner installed and must have configured it correctly. For more information, see SAP Implementation Guide --> SAP Web Application Server -> System Administration -> Virus Scanner Interface. The virus scanning functions in SRM are activated when you implement BAdI BBP_ATT_CHECK. SAP supplies BAdI BBP_ATT_VIRSCAN as an example implementation. The interface contains a structure that is used in SRM for storage of attachments. The field PHIO_FNAME contains the file name and the tabular field PHIO_CONTENT contains the file part of the attachment (where the actual file is stored). Viruses are dealt with in the implementation. For example, the data part is deleted. An implementation of the function BBP_PD_MSG_ADD is also important. The messages from this function are transferred to the user interface.
February 2005
60
Appendix
Related Guides
For more information about the security of SAP applications, see: http://service.sap.com/security and http://service.sap.com/securityguide.
Documentation mentioned and pointed to in this Guide: Area/ Topic SRM Guide/ Documentation SRM Master Guide Link: http://service.sap.com /instguides -> mySAP Business Suite Solutions -> mySAP SRM -> Using SAP EBP 5.0 -> Master Guide - mySAP SRM /ibc-srm -> Catalog Content Management -> Business Scenario Configuration Guide /instguides -> SAP NetWeaver -> Release 04 -> Installation -> Installation Guide Search and Classification (TREX) /instguides -> mySAP Business Suite Solutions -> mySAP SRM -> Using SAP EBP 5.0 -> Installation Guide: Live Auction Cockpit 2.0 /security -> Security in Detail -> SAP Security Guides -> SAP NetWeaver '04 Security Guide Administration of SAP WAS and SAP NetWeaver Components: SAP NetWeaver Technical Operations Manual Network and Communication Security
CCM TREX
CCM Configuration Guide TREX 6.1 Installation Guide LAC 2.0 Installation Guide SAP NetWeaver '04 Security Guide NetWeaver Technical Operations Manuals Network and Communication Security
LAC
NetWeaver
SAP Technical Infrastructure SAP Web AS
Network Integration
/network Network Integration of SAP Servers
SAP Web AS Security Guide
/security -> Security in Detail -> SAP Security Guides -> SAP NetWeaver '04 Security Guide -> Security Guides for the SAP NetWeaver Components -> SAP Web Application Server Security Guide SAP Web AS Security Guide for ABAP Technology SAP Web AS Security Guide for Java Technology User Authentication Internet Transaction Server Security Authentication and Single Sign-On
SSL
Network and Transport Layer Security
Network and Transport Layer Security
February 2005
61
Appendix
J2EE
Security Guide for Connectivity with the SAP J2EE Engine Transport Layer Security on the SAP J2EE Engine Configuring the Use of SSL on the SAP J2EE Engine
Security Guide for Connectivity with the SAP J2EE Engine
J2EE (SSL)
Transport Layer Security on the SAP J2EE Engine
Configuring the Use of SSL on the SAP J2EE Engine SAProuter ITS Administration Guide RFC/ICF Security Guide SAP Web Dispatcher, Configuring the SAP Web Dispatcher to Support SSL TCP/IP Ports used by SAP Applications Security Aspects for BSP /security -> Security in Detail -> SAP Security Guides ->SAP Exchange Infrastructure (XI) Security Guides -> SAP Exchange Infrastructure Security Guide /instguides -> SAP NetWeaver -> Release 04 -> Installation -> Installation Guide - SAP Exchange Infrastructure 3.0 /instguides -> SAP NetWeaver -> Release 04 -> Installation -> Configuration Guide - SAP XI 3.0 SAP Business Information Warehouse Security Guide
SAProuter ITS RFC SAP Web Dispatcher (Application Gateway)
SAProuter Documentation ITS Administration Guide RFC Security Guide SAP Web Dispatcher Documentation Ports Settings Security Aspects for BSP XI Security Guide
TCP/ IP Ports BSP XI
XI Installation Guide XI Configuration Guide SAP BW (BI) SAP Business Information Warehouse Security Guide EP Security Guide
Enterprise Portal
Portal Platform Security Guide
You can find more guides related to the NetWeaver platform on the SAP Service Marketplace: http://service.sap.com -> SAP NetWeaver in Detail -> Solution Life-Cycle Management -> Installation -> Installation and Upgrade Guides -> SAP NetWeaver -> Installation You can find SRM-related guides on the SAP Service Marketplace: http://service.sap.com -> SAP NetWeaver in Detail -> Solution Life-Cycle Management -> Installation -> Installation and Upgrade Guides -> mySAP Business Suite Solutions -> mySAP SRM
February 2005
62
Appendix
Additional Information
Special Information for the Live Auction Cockpit 2.0
(Only relates to the SRM scenario Strategic Sourcing with LAC WPS 2.0.)
Which part of Live Auction should be set up in which network segment? The client portion of Live Auction (Java applet) is deployed on the Internet. The applet communicates with the LAC on J2EE (6.40) server. Therefore the external user has to allow the applet to be downloaded. The server portion (Web AS) should be located on the LAN. The SAP system (R/3) should be located on the LAN. Where exactly is data stored? System configuration data is stored in properties files on the WAS. (System configuration data is shipped with the system.) Runtime transactional data is stored in the database of the SAP system. (Transactional data is stored during run-time of the application.) No temporary data is stored anywhere else. Which type of data access is required at what point in time? Read access of system configuration data is required during server start-ups. Read and write accesses to transactional data are required during run-time. What level of protection is recommended for which data? Administration system permissions should be used to restrict access to Live Auction properties configuration in the WAS Visual Administrator. Customers must ensure that only system administrators should have access to WAS Visual Administrator. Configuration data in WAS Visual Administrator are protected by a password. Password Encryption Access to WAS Visual Administrator needs a password: This password is set during the installation of WAS. For the LAC scenario, the username is J2EE_ADMIN and password is what was set by the first accessing user (normally a consultant). Only a dummy password is stored as a file in the deployment EAR file before deployment of the application. Once the application is deployed, the value is internally encrypted in the database in J2EE and can only be accessed through J2EE Visual Administrator. After the deployment, you it is necessary to change the password via the Visual Administrator. (The Visual Administrator tool can be configured for the use of SSL. So the communication between Visual Administrator and J2EE server can be secured.) (In UME [part of the part of the J2EE 6.40], the properties values are stored in the same way. It is not necessary to encrypt the content of the password to be stored as real values in DB since communication between Visual Admin and J2EE server can be secure as well.) RFC users should be created for RFC/JCo connections to the SAP Systems. JCO-RFC-Password for Live Auction to SRM server:
February 2005
63
Appendix
The dummy password that is store in the LAC deployable application is required for the RFC connection between the Live Auction application and the SRM Server. Once WAS has been installed and the LAC application has been deployed, it is necessary to use the WAS Visual Administrator to configure this JCO-RFC-Password/ Username so that the live auction application can run. (At present, this JCO RFC password is visually encrypted as ***** when it is entered just like in R/3 transaction SU01. A consultant with administrator authorization on the J2EE engine can only reset the password, just like in the R/3 transaction SU01.)
Does the application require an Internet browser as the user interface? The SRM Live Auctions client (Java Applet) requires an Internet browser. Cookies are only used by User Management Engine (UME) for Single Sign-On (SSO) tickets. Which RFC/JCo destinations are delivered/required? The Live Auction application will establish RFC connections via JCo. (There is no need to maintain RFC destinations in SM 59 for Live Auction since the JCo server is not used.)
What is the minimum authorization required by the communication user for RFC/JCo connections? The communication user can be defined as a system user in a production system where this is no need for JCo/ABAP debugger. If the debugger needs to be used, the communication user must be defined as a dialog user. Furthermore, the user must have both purchaser and supplier profiles for Live Auction. (In a productive system, a dialog (RFC) user always represents a limited security risk.)
SSO and SAP Logon Tickets The SRM Live Auctions application uses UME API to verify Single-Sign-on tickets. No user data is replicated since all user data is in EBP Bidding Engine in SRM Server. (User data synchronization is not required.) By default, the SRM Live Auctions application accepts SAP Logon Tickets. Details for Login Scenario for SRM Live Auction:Purchaser and Bidder log into SRM through the standard login page. Inside the Bidding Engine auction user interface (Sourcing Cockpit) the Live Auction applet is launched. For Single-Sign-on and user validation the Java user management client is used. If the applets URL is directly typed into the browser window, the user is validated through UME 4.0 and redirected to a UME 4.0 login page. After successful login he gets redirected back to the applet.
February 2005
64
Appendix
SAP J2EE Server 6.40 UME4.0 SRM Server

User
ITS
Launch Applet thru SSO
SRM Live Auction

UME Logon App
Authorization and Roles No roles are delivered with Live Auction. All roles are delivered with SRM Server. Customers do not need to create any additional roles.
Are authorization technologies other than roles used? Yes, bidders must be added to an auctions invitation list in order to view and bid on that auction using Live Auction. Bidders are added into this invitation list (in the SRM Server system) when the auction is created. Since this is a private auction (Bidding Engine) there is no self-registration or subscription.
February 2005
65
Appendix
Specific Information on Catalog Content Management 1.0

(Affects the SRM scenarios Self-Service Procurement, Catalog Content Management, and Strategic Sourcing.)
Logon/Users/Password There are two ways to create users for SAP Catalog Search Engine:
1. Create named users in SAP Catalog Search Engine:

The users then logon to SAP Catalog Search Engine directly or using Single Sign-On. SAP recommends that you use this method. (This is the standard method. If EBP and CCM run in different systems/clients, an identical user is applied in the CCM and in EBP system and a Trust Relation between CCM and EBP is established.) In this way, the view determination in the catalog can be done for each user and catalog individually. If this is your scenario, you can skip the next point. 2. Usage of the call structure of the Open Catalog Interface (OCI) in the SAP Enterprise Buyer system to provide user names and passwords: Some customers are used to providing a user name and password through the OCI (Open Catalog Interface) call for which then the views are determined. In other words, the views in the catalog are determined by the user provided in the OCI call instead of the real user (SSO). In such cases, you have to enter a service user in the ICF of the catalog search engine (transaction SICF). The catalog session is then always executed with this service user as logon user, but then you have to provide a CCM user and CCM password in the OCI call. The system checks the user name and password provided, and then view determination is run for this user or an error message is displayed if it was not correct. (The service user needs authorization to execute the search. The CCM user is required to detect the views.) The disadvantage of this option is that both user name and password of the service user are stored in Customizing. As a result, these details are displayed in the URL field when the catalog is called. Optional Parameter: Name ccm-user ccm-password Value <user-ID> <password for user above> Type Fixed value Fixed value
For security reasons, we recommend that you create named users in SAP Catalog Search Engine and that users use Single Sign-On to logon.
For more information on both options, see SAP Service Marketplace at http://service.sap.com/ibc-srm -> Catalog Content Management -> CCM Business Scenario Configuration Guide, chapter: Configuring SAP Catalog Search Engine
February 2005
66

Application Security Guide SRM4.0

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Application Security Guide SRM4.0

Uploaded by

Copyright:

Available Formats

Application Security Guide

Technical System Landscape ........................................................17

Network Security and Communication Security ..........................22

Network Security..................................................................................25 Communication Destinations .............................................................25

User Administration and Authentication ......................................27

Related Guides .....................................................................................61 Additional Information.........................................................................63

Target Groups Technical consultants System administrators

Important SAP Notes

Other Security Guides

Overview of the Scenarios

Software Component Matrix

BSP SAP BW 3.5

SAP CCM 1.0

BI CONT 3.5.2 R/3 Plug_In

SAP SRM SERVER 5.0

R/3 3.1i SAP ECC 5.0 MM FI / CO

XI Proxy XI Int. Framew. Engine

XI Proxy XI Int. RFC Framew. Engine TREX 6.1 (Contracts)

XI Cont. SRM Server 5.0

SAP SRM SERVER 5.0

BSP SAP BW 3.5

SAP CCM 1.0

BI CONT 3.5.2 R/3 Plug_In

SAP SRM SERVER 5.0

R/3 3.1i SAP ECC 5.0 FI / CO R/3 Plug_In

BSP SAP SRM SERVER 5.0 SUS XI Proxy XI Int.

XI Proxy XI Int. Framew. Engine

XI Int. Framew. Engine

RFC Framew. Engine

XI Cont. SRM Server 5.0

XI Cont. CCM 1.0

Catalog Content Management

Catalog Content Management

SAP CCM 1.0

SAP SRM SERVER 5.0

XI Proxy XI Int. Framew. Engine

XI Proxy XI Int. RFC Framew. Engine

XML Catalog Upload

XI Cont. SRM Server 5.0

BSP SAP BW 3.5

SAP CCM 1.0

BI CONT 3.5.2 R/3 Plug_In

SAP SRM SERVER 5.0

R/3 3.1i SAP ECC 5.0 MM R/3 Plug_In

SAP LAC WPS 2.0

XI Proxy XI Int. Framew. Engine

XI Proxy XI Int. Framew. Engine TREX 6.1

XI Cont. SRM Server 5.0

R/3 3.1i SAP ECC 5.0 MM FI / CO

SAP SRM SERVER 5.0

Technical System Landscape

Technical System Landscape

Exchange of Data via External User Interfaces

Technical System Landscape

External Users Access via Application Gateway (ITS and BSP)

Firewall Internal Zone

SRM Server 5.0

R/3 3.1i SAP ECC 5.0

SAP CCM 1.0

SRM Server 5.0

SAP Basis 6.40 SAP Kernel 6.40 (incl. ITS 6.40)

Technical System Landscape

External Users Access to Java Applet (LAC WPS)