Download - SG SAPMII 122 Security Guide
Security GuideSAP Manufacturing Integration and Intelligence 12.2
Target Audience
n Technology consultantsn System administrators
PUBLICDocument version: 1.1 ‒ 11/25/2010
Document History
Caution
Before you start the implementation, make sure you have the latest version of this document. Youcan find the latest version at the following location: https://service.sap.com/instguides.
The following table provides an overview of the most important document changes.VersionDateDescription
Version Date Description
Version1.0
6/16/20 Initial installation
1.1 11/25/2010 Added Chapters 3, 7, 9, 10, 13, and 14
2/42 PUBLIC 11/25/2010
Table of Contents
Chapter 1 SAP Manufacturing Integration and Intelligence . . . . . . . . . 5
Chapter 2 Technical System Landscape . . . . . . . . . . . . . . . . . 7
Chapter 3 Security Aspects of Data, Data Flow and Processes . . . . . . . . 9
Chapter 4 User Administration and Authentication . . . . . . . . . . . . 11
Chapter 5 Authorizations . . . . . . . . . . . . . . . . . . . . . . 13
Chapter 6 Session Security Protection . . . . . . . . . . . . . . . . . . 15
Chapter 7 Session Security Protection on the AS Java . . . . . . . . . . . . 17
Chapter 8 Network and Communication Security . . . . . . . . . . . . . 19
Chapter 9 Communication Channel Security . . . . . . . . . . . . . . . 21
Chapter 10 Network Security . . . . . . . . . . . . . . . . . . . . . . 23
Chapter 11 Communications Destinations . . . . . . . . . . . . . . . . 25
Chapter 12 Data Storage Security . . . . . . . . . . . . . . . . . . . . 27
Chapter 13 Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Chapter 14 Enterprise Services Security . . . . . . . . . . . . . . . . . 31
Chapter 15 Security Logging and Tracing . . . . . . . . . . . . . . . . . 33
Chapter A Reference . . . . . . . . . . . . . . . . . . . . . . . . . 35A.1 The Main SAP Documentation Types . . . . . . . . . . . . . . . 35
11/25/2010 PUBLIC 3/42
4/42 PUBLIC 11/25/2010
1 SAP Manufacturing Integration and Intelligence
1 SAP Manufacturing Integration andIntelligence
The SAP Manufacturing Integration and Intelligence (SAP MII) is powered by the SAP NetweaverComposition Environment (SAP NetWeaver CE) 7.1 EHP1. Therefore, the corresponding SecurityGuides also apply to the SAP MII. Pay particular attention to the most relevant sections or specificrestrictions as indicated in the table below.Fundamental Security Guides
Scenario, Application or Component Security Guide
SAP NetWeaver CE 7.1 EHP1 SP05 -http://help.sap.com/saphelp_nwce711core/helpdata/en/45/a3f4af42f90d36e10000000a114a6b/frameset.htm
For a complete list of the available SAP Security Guides, see http://service.sap.com/securityguideon the SAP Service Marketplace.
11/25/2010 PUBLIC 5/42
This page is left blank for documentsthat are printed on both sides.
2 Technical System Landscape
2 Technical System Landscape
SAP MII supports several inbound and outbound communications channels. External systems caninteract with SAP MII through the following channels:
n HTTP
n HTTPS
n Web service
n IDoc
n RFC
n Enterprise JavaBeans (EJB)n Java Message Services (JMS)
All requests to SAP MII must go through the SAP User Management Engine in SAP ERP for basicauthentication or single sign-on (SSO) authentication.All user interaction with SAP MII is handled in HTTP or HTTPS and must go through the SAPuser management engine for authentication.For communication with SAP ERP, you can use the SAP Java Resource Adapter (SAP JRA), SAP JavaConnector (SAP JCo), or Web services. For security reasons, we recommend SAP JRA instead of SAPJCo. For more information about configuring an SAP JRA connection to an ERP system, see the SAPNetWeaver CE application help on the SAP Help Portal at http://help.sap.com/nwce.Different SAP MII systems communicate through virtual servers using HTTPS communicationchannels. For security reasons, we recommend you always use HTTPS.For communication with shop floor systems, you can use the SAP xApp Manufacturing Integrationand Intelligence Universal Data Servers (SAP xMII UDS). Communication between SAP MII and SAPxMII UDS is based on TCP/IP and uses a proprietary binary protocol. For more information aboutSAP xMII UDS, see the SAP Help Portal at http://help.sap.com Composite Applications CompositeApplications Manufacturing Integration and Intelligence SAP xMII UDS 4.0 .You can integrate SAP MII into SAP NetWeaver Development Infrastructure (NWDI) using an HTTPScommunication channel. All requests from SAP MII to NWDI go through the SAP user managementengine for authentication on the NWDI side. For more information, see the security guide for SAPNetWeaver CE on the SAP Service Marketplace at http://service.sap.com/securityguide.
11/25/2010 PUBLIC 7/42
This page is left blank for documentsthat are printed on both sides.
3 Security Aspects of Data, Data Flow and Processes
3 Security Aspects of Data, Data Flowand Processes
The figure below shows an overview of the process flow for the SAP MII.
Figure 1:
The table below shows the security aspect to be considered for the process step and what mechanismapplies.
Step Description Security Measure
Web Pages ( HTML/JSP/IRPT)communicates to AS Java
Secured protocol HTTPS isrecommended
Applets communicates to AS Java Secure applet ‒ servlet connectionis used
11/25/2010 PUBLIC 9/42
3 Security Aspects of Data, Data Flow and Processes
Step Description Security Measure
SAP MII Business transactioncommunicates with SAP BusinessSystem
SAP Jco, SAP JRA or Web servicescan be used. For security reasonsSAP JRA is recommended.
SAP Data Server communicateswith Database and UDS
TCP/IP and proprietary binaryprotocol is used
SAP MII communicates with SAPNWDI
All requests from SAP MIIto NWDI are through SAuser management engine forauthentication on the NWDI side.HTTPS Communication channelis used.
10/42 PUBLIC 11/25/2010
4 User Administration and Authentication
4 User Administration and Authentication
SAP MII uses the user management and authentication mechanisms provided with the SAPNetWeaver platform, in particular the SAP NetWeaver Application Server Java. Therefore, the securityrecommendations and guidelines for user administration and authentication as described in the SAPNetWeaver Application Server Java Security Guide also apply to SAP MII. For more information, seethe SAP Help Portal at http://help.sap.com/nwce SAP NetWeaver Composition Environment LibraryAdministrator’s Guide SAP NetWeaver CE Security Guide Security Guides for CE Core Components SAPNetWeaver Application Server Java Security Guide .In addition to these guidelines, we include information about user administration and authenticationthat specifically applies to SAP MII.
User Management
User management for SAP MII uses the mechanisms provided with SAP NetWeaver ApplicationServer Java, such as tools and password policies. SAP MII does not support the SAP NetWeaverTechnical User concept.
User Administration Tools
User management and user administration in SAP MII is handled by the SAP User ManagementEngine in SAP ERP.
Standard Users
There are no standard users provided with SAP MII. You must create users in the SAP UserManagement Engine in SAP ERP.
Integration Into Single Sign-On Environments
SAP MII supports the SSO mechanisms provided by SAP NetWeaver CE. Therefore, the securityrecommendations and guidelines for user administration and authentication as described in the SAPNetWeaver CE Security Guide also apply to SAP MII. The supported mechanisms are as follows:
Secure Network Communications (SNC)
SNC is available for user authentication and provides for an SSO environment when using remotefunction calls.For more information, see Secure Network Communications (SNC) in the SAP NetWeaver Application ServerSecurity Guide.
11/25/2010 PUBLIC 11/42
4 User Administration and Authentication
SAP Logon Tickets
SAP MII supports the use of logon tickets for SSO when using a Web browser as the front-end client.In this case, users can be issued a logon ticket after they have authenticated themselves with the initialSAP system. The ticket can then be submitted to other systems (SAP or external systems) as anauthentication token. The user does not need to enter a user ID or password for authentication butcan access the system directly after the system has checked the logon ticket.You can find more information under Logon Tickets in the SAP NetWeaver Application Server Security Guide.
Client Certificates
As an alternative to user authentication using a user ID and passwords, users using a Web browseras a front-end client can also provide X.509 client certificates to use for authentication. In this case,user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSLProtocol) and no passwords have to be transferred. User authorizations are valid in accordance withthe authorization concept in the SAP system.You can find more information under Client Certificates in the SAP NetWeaver Application Server SecurityGuide.
12/42 PUBLIC 11/25/2010
5 Authorizations
5 Authorizations
SAPMII uses the authorization concept provided by SAPNetWeaver. Therefore, the recommendationsand guidelines for authorizations as described in the SAP NetWeaver Application Server Java Security Guideapply to SAP MII.The SAP NetWeaver authorization concept is based on assigning authorizations to users based onroles. For role maintenance, use the user administration console in the SAP User ManagementEngine in SAP ERP.
Note
For more information about how to create roles, see Creating Authorization Roles in the SAP NetWeaverCE Library help at http://help.sap.com/nwce.
You should assign the users that you set up in the SAP User Management Engine in SAP ERP to thefollowing default roles for SAP MII:
n SAP_XMII_UserUsers assigned to this role have read access but no access to administration screens or the SAP MIIWorkbench.
n SAP_XMII_DeveloperUsers assigned to this role have access to the SAP MII Workbench and some administration screens,such as Time Periods, Connection Store Editor, and Credential Store Editor.
n SAP_XMII_AdministratorUsers assigned to this role have the same permissions as users assigned to the SAP_XMII_User andSAP_XMII_Developer roles, plus administration access except for the following: NWDI integrationconfiguration, encryption configuration, and import and export of configuration data.
n SAP_XMII_Super_AdministratorUsers assigned to this role have access to all SAP MII functions with no limitations.
n SAP_XMII_Read_OnlyUsers assigned to this role have read permission for administration screens and access to theSAP MII Workbench without save permission.
n SAP_XMII_DynamicQueryUsers assigned to this role have permission to run dynamic queries (queries without a querytemplate). By default, this permission is granted to users assigned to the SAP_XMII_Developer rolebut not the SAP_XMII_User role. You can assign this role to specific or all users.
11/25/2010 PUBLIC 13/42
5 Authorizations
For more information, see the SAP MII 12.2 Installation Guide on the SAP Service Marketplace athttp://service.sap.com/instguides SAP Business Suite Applications SAP Manufacturing SAPManufacturing Integration and Intelligence SAP MII 12.2 .In the SAP MII system, you can assign the following components to SAP User Management Engine inSAP ERP roles:
n Data serversFormore information, seeData Servers in the SAPMII applicationhelp at http://help.sap.com SAPBusiness Suite SAP Manufacturing SAP Manufacturing Integration and Intelligence .
n TransactionsFormore information, see Transaction in the SAPMII application help at http://help.sap.com SAPBusiness Suite SAP Manufacturing SAP Manufacturing Integration and Intelligence .
n Query and display templatesFor more information, see Query Template and Display Template in the SAP MII application help athttp://help.sap.com SAP Business Suite SAP Manufacturing SAP Manufacturing Integration andIntelligence .
Note
Assignments to the previous SAP MII components are saved to SAP MII internal tables and arenot persisted in the SAP User Management Engine in SAP ERP repository; therefore, they are notaccessible to SAP risk management tools, such as compliant user provisioning, for tracking criticalauthorization combinations.
14/42 PUBLIC 11/25/2010
6 Session Security Protection
6 Session Security Protection
To prevent access in javascript or plug-ins to the SAP logon ticket and security session cookie(s), werecommend activating secure session management.We also highly recommend using SSL to protect the network communications where thesesecurity-relevant cookies are transferred.
11/25/2010 PUBLIC 15/42
This page is left blank for documentsthat are printed on both sides.
7 Session Security Protection on the AS Java
7 Session Security Protection on the ASJava
In the Config Tool, edit the following properties for the Web Container service, which controlsecurity-related aspects of HTTP sessions:
Property Recommended Value
SessionIdRegenerationEnabled True
SystemCookiesDataProtection False
NoteSAP MII does not support this property.
SystemCookiesHTTPSProtection True
For more information and detailed instructions, see Session Security Protection [external document] inthe AS Java Security Guide.These properties are supported from MII 12.2 SP02 or higher.You cannot pass sessions between clients if you have set the SessionIdRegenerationEnabled property totrue. For an SAP MII user, the administrator will have to provide credentials for every test andexecution of the webpage fromMII Workbench while developing content on SAP MII. To avoid this,you have to configure Single Sign On feature of AS Java. SPNego login module or X.509 client certificateauthorization can be used to enable Single Sign On in AS Java environment.For more details on configuring SPNego or X.509 based Single Sign On on NW7.11 platform, referSAP Note 1538719.
11/25/2010 PUBLIC 17/42
This page is left blank for documentsthat are printed on both sides.
8 Network and Communication Security
8 Network and Communication Security
Your network infrastructure is important in protecting your system. Your network needs to supportthe communication necessary for your business needs without allowing unauthorized access. Awell-defined network topology can eliminate many security threats based on software flaws (at boththe operating system and application level) or network attacks such as eavesdropping. If users cannotlog on to your application or database servers at the operating system or database layer, there is noway for intruders to compromise the machines and gain access to the backend system’s database orfiles. Additionally, if users cannot connect to the server local area network (LAN), they cannot exploitwell-known bugs and security holes in network services on the server machines.The network topology for SAP MII is based on the topology used by the SAP NetWeaver platform.Therefore, the security guidelines and recommendations described in the SAP NetWeaver CE SecurityGuide also apply to SAP MII. Details that specifically apply to the SAP MII are described in the followingtopics:
n Communication Channel SecurityThis topic describes the communication paths and protocols used by the SAP MII.
n Network SecurityThis topic describes the recommended network topology for the SAP MII. It shows the appropriatenetwork segments for the various client and server components and where to use firewalls foraccess protection. It also includes a list of the ports needed to operate the SAP MII.
n Communication DestinationsThis topic describes the information needed for the various communication paths, for example,which users are used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide:
n Network and Communication Security [external document]n Security Aspects for Connectivity and Interoperability [external document]
11/25/2010 PUBLIC 19/42
This page is left blank for documentsthat are printed on both sides.
9 Communication Channel Security
9 Communication Channel Security
The table below shows the communication channels used by the SAP MII, the protocol used forthe connection and the type of data transferred.
CommunicationPath Protocol Used Type of Data TransferredData Requiring SpecialProtection
Frontend client usinga Web browser toapplication server
HTTPS All application data Credential Store Data,ConfigurationsImport/export
Application server to SAPERP
SAP JRA, SAP JavaConnector (SAP JCo),Webservices
All Business Data
Application server to SAPERP SAP JRA, SAP JavaConnector (SAP JCo),Webservices. All BusinessData Application serverto another Applicationserver
HTTPS All Business Data
Application server toshop floor systems
TCP/IP All Business Data
Application server to SAPNWDI
HTTPS All MII Content files
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTPconnections are protected using the Secure Sockets Layer (SSL) protocol.
Recommendation
We strongly recommend using secure protocols (SSL, SNC) whenever possible.
For more information, see Transport Layer Security [external document] in the SAP NetWeaver SecurityGuide.
11/25/2010 PUBLIC 21/42
This page is left blank for documentsthat are printed on both sides.
10 Network Security
10 Network Security
SAP MII applets require that you are logged on to SAP MII using HTTP or HTTPS. We recommendthat you use HTTPS.You can logon to a SAP MII with a username and password in the URL or for use in programmaticcalls. This function is included for legacy support only. We recommend that you use HTTPS andpost the username and password parameters rather than include them in the URL. An SAP MIIproprietary binary protocol is used for communication between SAP MII and SAP xMII UDS forincreased transmission speeds. The content of the stream can be sniffed out due to the format of theprotocol. Therefore, communication between the UDS and SAP MII should be transmitted on asecure network. If you are assigned to the SAP_XMII_DynamicQuery role, you can run queries from aURL or a query template. If you are not assigned to this role, you can only run queries when a querytemplate is specified. The mode and data server for the query cannot be changed.When you parameterize SQL queries, you can insert SQL since the Param.x fields are inserted directlyinto the SQL statements before being run. The parameters and SQL are not validated, so you shoulduse caution when parameterizing queries.For more information, see the Network Security and Security Aspects for Database Connectionssections.
11/25/2010 PUBLIC 23/42
This page is left blank for documentsthat are printed on both sides.
11 Communications Destinations
11 Communications Destinations
SAP MII does not deliver preconfigured RFC or JCo destinations or ports.
11/25/2010 PUBLIC 25/42
This page is left blank for documentsthat are printed on both sides.
12 Data Storage Security
12 Data Storage Security
All passwords used in SAP MII content are encrypted based on the SAP MII encryption configuration.Depending on their availability, the SAP MII administrator can select between TripleDES or DESencryption. If encryption is not available (for example, due to export restrictions), passwords areBase64-encoded. Since Base64 encoding is not an encryption method, it is not secure. We recommendthat you use TripleDES for encryption of passwords in SAP MII.The encryption key is automatically generated for every SAP MII installation and cannot be seen orchanged. The SAP MII encryption key is stored in the SAP NetWeaver Secure Storage service of theunderlying SAP NetWeaver installation. For more information, see the SAP NetWeaver CE Security Guide.Credentials, or the combination of a user name and password, are maintained in the SAP MIIcredential store and stored in an encrypted form in the SAP MII database.
Caution
SAPMII custom actions API provides access to secure storage where user credentials are stored. Everycustom action running on an SAP MII server is readable. Since this function is open, only deployreliable custom action packages to your SAP MII system.
SAP MII users and administrators do not have access to the persisted passwords. If you have writeaccess to the SAP MII Workbench and can create transactions, you can reuse credentials in the SAPMII credential store. For more information about credentials, see the SAP MII application help on theSAP Help Portal at http://help.sap.com SAP Business Suite SAP Manufacturing SAP ManufacturingIntegration and Intelligence .When you export SAP MII configuration settings, you must choose an encryption algorithm andenter a pass phrase. All password information in the selected SAP MII configuration is then decryptedwith the SAP MII key that is stored in the SAP NetWeaver Secure Storage service, encrypted againusing the algorithm and pass phrase, and persisted as a ZIP file on the client machine. On the targetSAP MII system, you have to enter the encryption algorithm and pass phrase, then the systemunpacks, decrypts, and encrypts the configuration from the ZIP file according to the encryptionsettings of the target SAP MII system.
Caution
Since the encryption algorithm and pass phrase may have to be communicated to others so it can bemanually entered in the target system, you should take additional security measures to protect thisinformation against misuse. Anyone who knows the encryption algorithm and pass phrase coulddecrypt the credential information and misuse it.
11/25/2010 PUBLIC 27/42
This page is left blank for documentsthat are printed on both sides.
13 Ports
13 Ports
The MII runs on SAP NetWeaver and uses the ports from the AS Java. For more information, see thetopics for AS Java Ports [external document] in the corresponding SAP NetWeaver Security Guides.
11/25/2010 PUBLIC 29/42
This page is left blank for documentsthat are printed on both sides.
14 Enterprise Services Security
14 Enterprise Services Security
The following chapters in the NetWeaver Security Guide and documentation are relevant for allenterprise services delivered with SAP MII:
n Security Guide Web Services [external document]n Recommended WS Security Scenarios [external document]n SAP NetWeaver Process Integration Security Guide
Currently, SAP MII does not support SystemCookiesDataProtection indicator of AS Java. Turn off theindicator in Display Templates screen.
11/25/2010 PUBLIC 31/42
This page is left blank for documentsthat are printed on both sides.
15 Security Logging and Tracing
15 Security Logging and Tracing
Security-relevant changes are logged using a separate category (/system/security/audit/XMII) inthe standard SAP User Management Engine in SAP ERP logging file.Security permissions for data servers and services are written to the security log with the xMIISecurity category. The data includes the previous value and the value to which the securitypermission was changed.Security permissions for transactions and templates are also written to the same log, but only astatus change is noted.
11/25/2010 PUBLIC 33/42
This page is left blank for documentsthat are printed on both sides.
A Reference
A Reference
A.1 The Main SAP Documentation Types
The following is an overview of themost important documentation types that you need in thevarious phases in the life cycle of SAP software.
Cross-Phase Documentation
SAPterm is SAP’s terminology database. It contains SAP-specific vocabulary in over 30 languages, aswell as many glossary entries in English and German.
n Target group:l Relevant for all target groups
n Current version:l On SAP Help Portal at http://help.sap.com Glossary
l In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
n Target group:l Consultants
l System administratorsl Project teams for implementations or upgrades
n Current version:l On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions forraising security levels. A collective security guide is available for SAP NetWeaver. This documentcontains general guidelines and suggestions. SAP applications have a security guide of their own.
n Target group:l System administratorsl Technology consultantsl Solution consultants
n Current version:l On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
Themaster guide is the starting point for implementing an SAP solution. It lists the requiredinstallable units for each business or IT scenario. It provides scenario-specific descriptions of
11/25/2010 PUBLIC 35/42
A ReferenceA.1 The Main SAP Documentation Types
preparation, execution, and follow-up of an implementation. It also provides references to otherdocuments, such as installation guides, the technical infrastructure guide and SAP Notes.
n Target group:l Technology consultantsl Project teams for implementations
n Current version:l On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, takinginto account the combinations of operating systems and databases. It does not describe anybusiness-related configuration.
n Target group:l Technology consultantsl Project teams for implementations
n Current version:l On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycleplatform. One of its main functions is the configuration of business scenarios, business processes,and implementable steps. It contains Customizing activities, transactions, and so on, as well asdocumentation.
n Target group:l Technology consultantsl Solution consultants
l Project teams for implementationsn Current version:l In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system.The Customizing activities and their documentation are structured from a functional perspective.(In order to configure a whole system landscape from a process-oriented perspective, SAP SolutionManager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
n Target group:l Solution consultants
l Project teams for implementations or upgradesn Current version:l In the SAP menu of the SAP system under Tools Customizing IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAPNetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers
36/42 PUBLIC 11/25/2010
A ReferenceA.1 The Main SAP Documentation Types
users to the tools and documentation that are needed to carry out various tasks, such as monitoring,backup/restore, master data maintenance, transports, and tests.
n Target group:l System administrators
n Current version:l On SAP Service Marketplace at http://service.sap.com/instguides
The application operations guide is used for operating an SAP application once all tasks in thetechnical operations manual have been completed. It refers users to the tools and documentationthat are needed to carry out the various operations-related tasks.
n Target group:l System administratorsl Technology consultantsl Solution consultants
n Current version:l On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business scenarios and processes ofan SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up ofan upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.
n Target group:l Technology consultantsl Project teams for upgrades
n Current version:l On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into accountthe combinations of operating systems and databases. It does not describe any business-relatedconfiguration.
n Target group:l Technology consultantsl Project teams for upgrades
n Current version:l On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular releaseor changes to existing features since the previous release. Release notes about ABAP developmentsare the technical prerequisite for generating delta and upgrade Customizing in the ImplementationGuide (IMG).
n Target group:
11/25/2010 PUBLIC 37/42
A ReferenceA.1 The Main SAP Documentation Types
l Consultants
l Project teams for upgradesn Current version:l On SAP Service Marketplace at http://service.sap.com/releasenotesl In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)
38/42 PUBLIC 11/25/2010
Typographic Conventions
Example Description
<Example> Angle brackets indicate that you replace these words or characters with appropriateentries to make entries in the system, for example, “Enter your <User Name>”.
ExampleExample
Arrows separating the parts of a navigation path, for example, menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in thedocumentation
http://www.sap.com Textual cross-references to an internet address
/example Quicklinks added to the internet address of a homepage to enable quick access tospecific content on the Web
123456 Hyperlink to an SAP Note, for example, SAP Note 123456
Example n Words or characters quoted from the screen. These include field labels, screen titles,pushbutton labels, menu names, and menu options.
n Cross-references to other documentation or published works
Example n Output on the screen following a user action, for example, messagesn Source code or syntax quoted directly from a programn File and directory names and their paths, names of variables and parameters, and
names of installation, upgrade, and database tools
EXAMPLE Technical names of system objects. These include report names, program names,transaction codes, database table names, and key concepts of a programming languagewhen they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE Keys on the keyboard
11/25/2010 PUBLIC 39/42
SAP AGDietmar-Hopp-Allee 16
69190 WalldorfGermany
T +49/18 05/34 34 34F +49/18 05/34 34 20
www.sap.com
© Copyright 2010 SAP AG. All rights reserved.
Some software products marketed by SAP AG and its distributors contain proprietary software components of othersoftware vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10,z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server,PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States and/or other countries.Oracle is a registered trademark of Oracle Corporation.UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registeredtrademarks of Citrix Systems, Inc.HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium,Massachusetts Institute of Technology.Java is a registered trademark of Sun Microsystems, Inc.JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implementedby Netscape.SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germanyand other countries.Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence,Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarksor registered trademarks of Business Objects Software Ltd. in the United States and in other countries.All other product and service names mentioned are the trademarks of their respective companies. Data contained in thisdocument serves informational purposes only. National product specifications may vary.These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies(“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall notbe liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services arethose that are set forth in the express warranty statements accompanying such products and services, if any. Nothing hereinshould be construed as constituting an additional warranty.
This document was created using stylesheet 2007-12-10 (V7.2) / XSL-FO: V5.1 Gamma and XSLT processor SAXON 6.5.2from Michael Kay (http://saxon.sf.net/), XSLT version 1.
40/42 PUBLIC 11/25/2010
DisclaimerSome components of this product are based on Java™. Any code change in these components may cause unpredictable andsevere malfunctions and is therefore expressly prohibited, as is any decompilation of these components.Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified oraltered in any way.
Documentation in the SAP Service MarketplaceYou can find this document at the following address: http://service.sap.com/instguides
11/25/2010 PUBLIC 41/42
SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +49/18 05/34 34 34F +49/18 05/34 34 20www.sap.com
© Copyright 2010 SAP AG. All rights reserved.No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may bechanged without prior notice.