sap environment, health, and safety management

Security GuideSAP Environment, Health, and Safety ManagementDocument Version: 1.2 – 2014-10-01

PUBLIC

SAP Environment, Health, and Safety ManagementComponent Extension 5.0 for SAP EHS Management

2

Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.

SAP Environment, Health, and Safety ManagementDocument History

Document History

Disclaimer

SAP – Important Disclaimers

SAP Library document classification: PUBLIC

This document is for informational purposes only. Its content is subject to change without notice, and SAP doesnot warrant that it is error-free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OFMERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.

Coding Samples

Any software coding and/or code lines / strings ("Code") included in this documentation are only examples andare not intended to be used in a productive system environment. The Code is only intended to better explain and

Version Date Change

1.0 2014-05-12 First published version

1.1 2014-08-28 Adapted to release restrictions

1.2 2014-10-1 Changes for feature package 1:

- Chapter 5.3.1.2: Following roles added:

-- SAP_EHSM_HSS_HSMGRCORP

-- SAP_EHSM_HSS_SMPLTECH

- Chapter 5.4: Following authorization objects with following values added:

-- S_PB_CHIP

--- X-SAP-WDY-CHIP: EHFND_UI_CHM_OVP_ALOC_VB_CHIP

--- X-SAP-WDY-CHIP: EHFND_UI_CHM_OVP_APPR_LOC_CHIP

--- X-SAP-WDY-CHIP: EHFND_UI_CHM_SAFETY_INSTR_CHIP

--- X-SAP-WDY-CHIP:EHHSSUCWCHP_SPLCP

--- X-SAP-WDY-CHIP: EHHSSUCWCHP_SPLCP_HEATMAP

--- X-SAP-WDY-CHIP: EHHSSUCWCHP_SPLPH

-- S_PB_PAGE

--- EHHSS_HSMGRCORP_HOMEPAGE

--- EHHSS_SMPLTECH_HOMEPAGE

- Chapter 5.4.1.3: Following authorization objects changed or added:

-- EHHSS_CHA renamed to EHFND_CHA

-- EHFND_SPL (Sample Management) and EHFND_SPLM (Sampling Method)added

SAP Environment, Health, and Safety ManagementDocument History

Public© 2014 SAP SE or an SAP affiliate company. All

rights reserved. 3

visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completenessof the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code,except if such damages were caused by SAP intentionally or grossly negligent.

Internet Hyperlinks

The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hintwhere to find supplementary documentation. SAP does not warrant the availability and correctness of suchsupplementary documentation or the ability to serve for a particular purpose. SAP shall not be liable for anydamages caused by the use of such documentation unless such damages have been caused by SAP's grossnegligence or willful misconduct

Accessibility

The information contained in the SAP Library documentation represents SAP's current view of accessibilitycriteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensureaccessibility of software products. SAP specifically disclaims any liability with respect to this document and nocontractual obligations or commitments are formed either directly or indirectly by this document

4


SAP Environment, Health, and Safety ManagementTable of Contents

Table of Contents

1 Introduction.............................................................................................................................................. 61.1 Target Audience .......................................................................................................................................................61.2 Why is Security Necessary? .................................................................................................................................... 71.3 About this Document ............................................................................................................................................... 71.4 Overview of the Main Sections................................................................................................................................ 7

2 Before You Start .................................................................................................................................... 102.1 Fundamental Security Guides .............................................................................................................................. 102.2 Fundamental Security Guides .............................................................................................................................. 102.3 Important SAP Notes............................................................................................................................................. 10

3 Technical System Landscape ................................................................................................................ 12

4 User Administration and Authentication .............................................................................................. 144.1 User Management ................................................................................................................................................. 14

4.1.1 User Administration and User Management Tools ............................................................................ 144.1.2 User Types ............................................................................................................................................. 154.1.3 Standard Users ...................................................................................................................................... 15

4.2 User Data Synchronization ................................................................................................................................... 174.3 Integration into Single Sign-On Environments .................................................................................................... 17

5 Authorizations ........................................................................................................................................ 185.1 Role and Authorization Concept for SAP EHS Management ............................................................................. 185.2 Authorizations for RFC Calls ................................................................................................................................. 185.3 Standard Roles ....................................................................................................................................................... 18

5.3.1 Scenario Health and Safety ................................................................................................................. 205.3.2 Scenario Product Compliance ............................................................................................................ 22

5.4 Standard Authorization Objects .......................................................................................................................... 245.4.1 Scenario Health and Safety ................................................................................................................. 285.4.2 Scenario Product Compliance ............................................................................................................ 35

5.5 Critical Combinations ............................................................................................................................................375.6 Portal Permissions .................................................................................................................................................375.7 Creating Custom Roles......................................................................................................................................... 38

6 Session Security Protection ..................................................................................................................396.1 Session Security Protection on the AS ABAP .................................................................................................... 396.2 Session Security Protection on the AS Java ...................................................................................................... 39

7 Network and Communication Security ................................................................................................ 407.1 Communication Channel Security ...................................................................................................................... 40

7.1.1 Secure Offline Communication with SAP Interactive Forms by Adobe .......................................... 427.2 Network Security .................................................................................................................................................. 427.3 Ports ....................................................................................................................................................................... 437.4 Communication Destinations .............................................................................................................................. 43

SAP Environment, Health, and Safety ManagementTable of Contents

Public© 2014 SAP SE or an SAP affiliate company. All

rights reserved. 5

8 Data Storage Security .......................................................................................................................... 448.1 Person-Related Information ................................................................................................................................ 44

8.1.1 Summary of Tables Containing Person-Related Data ...................................................................... 448.1.2 Logging Access to Person-Related Data .............................................................................................47

9 Security for Additional Applications ................................................................................................... 48

10 Dispensable Functions with Impacts on Security ............................................................................... 49

11 Other Security-Relevant Information .................................................................................................. 5011.1 SAP NetWeaver Business Client as User Front End .......................................................................................... 5011.2 Documents (including Virus Scanner) ................................................................................................................ 5011.3 Forms and E-Mails Containing Java Script ......................................................................................................... 50

12 Security-Relevant Logging and Tracing ............................................................................................... 51

13 Services for Security Lifecycle Management ....................................................................................... 5213.1 Security Chapter in the EarlyWatch Alert (EWA) Report .................................................................................. 5213.2 Security Optimization Service (SOS) .................................................................................................................. 5213.3 Security Configuration Validation ....................................................................................................................... 5213.4 Security in the RunSAP Methodology / Secure Operations Standard ............................................................ 5313.5 More Information .................................................................................................................................................. 53

6


SAP Environment, Health, and Safety ManagementIntroduction

1 Introduction

CautionThis guide does not replace the administration or operation guides that are available for productiveoperations.

1.1 Target Audience

Technology consultants

Security consultants

System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical OperationManuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereasthe Security Guides provide information that is relevant for all life cycle phases.

You can find the guides for SAP EHS Management as specified in the table below:

Overview of Guides for SAP EHS Management

Guide Definition Link

SAP EHS ManagementMaster Guide

The central starting point for the technicalimplementation of the SAP EHSManagement add-on. Get an overview ofSAP EHS Management, its software units,system landscapes, and find importantSAP Notes.

http://service.sap.com/instguides SAP Business Suite Applications SAP EHS Management

Component Extension for SAP EHSManagement Release 4.0

SAP EHS ManagementOperations Guide

Information for technical and solutionconsultants as well as support specialistsand system administrators aboutmanaging and maintaining your SAPapplications to run optimally.

SAP EHS ManagementSizing Guide

Information for system administrators,technical project managers, andconsultants about sizing, calculation ofhardware requirements, such as CPU, diskand memory resource.

http://service.sap.com/instguides

SAP Environment, Health, and Safety ManagementIntroductionPublicPublic

Public

7© 2014 SAP SE or an SAP affiliate company. All rights

reserved.

1.2 Why is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands onsecurity are also on the rise. When using a distributed system, you need to be sure that your data and processessupport your business needs without allowing unauthorized access to critical information. User errors,negligence, or attempted manipulation of your system should not result in loss of information or processing time.These demands on security apply likewise to component extension 4.0 for SAP Environment, Health, and SafetyManagement (SAP EHS Management). To assist you in securing SAP EHS Management, we provide this SecurityGuide.

Data protection is very important in the following examples:

In incident management, you have critical person-related information regarding absences or injuries.

In risk assessment, personal data about the risk assessment lead and the other persons involved in a riskassessment are displayed.

Component extension 4.0 for SAP EHS Management assumes that agreements for storage of personal data arecovered in individual work contracts. This also applies to notifications on initial data storage.

ExampleSeveral business processes within SAP EHS Management use SAP Business Workflow and e-mailinbound and outbound processing. It is not recommended that you grant the corresponding system users(such as WF_BATCH for Workflow System or SAPCONNECT for e-mail inbound processing) allauthorizations of the system (SAP_ALL). In addition, this document describes the required authorizationsand configuration for supporting business processes using SAP Business Workflow and the e-mailinbound and outbound scenario within the SAP EHS Management solution.

1.3 About this Document

The Security Guide provides an overview of the security-relevant information that applies to SAP EHSManagement.

1.4 Overview of the Main Sections

The Security Guide comprises the following main sections:

Before You Start

This section contains information about why security is necessary, how to use this document, and referencesto other Security Guides that build the foundation for this Security Guide.

Technical System Landscape

This section provides an overview of the technical components and communication paths that are used by SAPEHS Management.

Security Aspects of Data, Data Flow and Processes

This section provides an overview of security aspects involved throughout the most widely-used processes withinSAP EHS Management.

8


SAP Environment, Health, and Safety ManagementIntroduction

User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

o Recommended tools to use for user management

o User types that are required by SAP EHS Management

o Standard users that are delivered with SAP EHS Management

o Overview of the user synchronization strategy, if several components or products are involved

o Overview of how integration into Single Sign-On environments is possible

Authorizations

This section provides an overview of the authorization concept that applies to SAP EHS Management.

Session Security Protection

This section provides information about activating secure session management, which prevents JavaScript orplug-ins from accessing the SAP logon ticket or security session cookie(s).

Network and Communication Security

This section provides an overview of the communication paths used by SAP EHS Management and thesecurity mechanisms that apply. It also includes our recommendations for the network topology to restrictaccess at the network level.

Internet Communication Framework Security

This section provides an overview of the Internet Communication Framework (ICF) services that are used bySAP EHS Management.

Application-Specific Virus Scan Profile (ABAP)

This section provides an overview of the behavior of the AS ABAP when application-specific virus scan profilesare activated.

Data Storage Security

This section provides an overview of any critical data that is used by SAP EHS Management and the securitymechanisms that apply.

Data Protection

This section provides information about how SAP EHS Management protects personal or sensitive data.

Security for Third-Party or Additional Applications

This section provides security information that applies to third-party or additional applications that are usedwith SAP EHS Management.

Dispensable Functions with Impacts on Security

This section provides an overview of functions that have impacts on security and can be disabled or removedfrom the system.

Enterprise Services Security

This section provides an overview of the security aspects that apply to the enterprise services delivered withSAP EHS Management.

Other Security-Relevant Information

This section contains information about:

o SAP NetWeaver Business Client as a user front end

o Interactive forms

o E-mails with PDF attachments

o Documents (including virus scanner)

SAP Environment, Health, and Safety ManagementIntroductionPublicPublic

Public


reserved.

Security-Relevant Logging and Tracing

This section provides an overview of the trace and log files that contain security-relevant information, forexample, so you can reproduce activities if a security breach does occur.

Services for Security Lifecycle Management

This section provides an overview of services provided by Active Global Support that are available to assistyou in maintaining security in your SAP systems on an ongoing basis.

Appendix

This section provides references to further information.

10


SAP Environment, Health, and Safety ManagementBefore You Start

2 Before You Start

2.1 Fundamental Security Guides

SAP EHS Management is built from the following components:

o SAP NetWeaver

o SAP Portal

o SAP BI

o SAP Embedded Search (SAP NetWeaver Enterprise Search)

o SAP BusinessObjects

o SAP Interactive Forms

Therefore, the corresponding Security Guides also apply to the SAP EHS Management. Pay particular attention tothe most relevant sections or specific restrictions as indicated in the table below.

2.2 Fundamental Security Guides

Scenario, Application or Component Security Guide

SAP NetWeaver 7.0 Security Guides (Complete)

SAP NetWeaver Business Client

SAP NetWeaver Portal Security Guides

SAP Basis / Web AS Security Guides

SAP Business Connector Security Guide

SAP NetWeaver Business Warehouse Security Guides

SAP BusinessObjects (formerly, SAP Business User)

SAP Interactive Forms solution Security Guides

SAP NetWeaver Enterprise Search 7.2.Security Guide

For a complete list of the available SAP Security Guides, see SAP Service Marketplace athttp://service.sap.com/securityguide.

2.3 Important SAP Notes

The most important SAP Notes that apply to the security of SAP EHS Management are shown in the table below.

http://service.sap.com/securityguide

SAP Environment, Health, and Safety ManagementBefore You StartPublicPublic

Public


reserved.

Title SAP Note Comment

128447 Trusted/Trusting Systems

510007 Setting up SSL on the WebApplication Server ABAP

517484 Inactive Services in the InternetCommunication Framework

1367252 SAP NetWeaver EnterpriseSearch 7.2: Security Guide.

1590784 EHSM: Necessary changes in theAttachment Folder Customizing

For a list of additional security-relevant SAP Hot News and SAP Notes, see also SAP Service Marketplace athttp://service.sap.com/securitynotes.

For more information about specific topics, see the Quick Links as shown in the table below.

Content Quick Link on SAP Service Marketplace or SCN

Security http://scn.sap.com/community/security

Security Guides http://service.sap.com/securityguide

Related SAP Notes http://service.sap.com/notes

http://service.sap.com/securitynotes

Released platforms http://service.sap.com/pam

Network security http://service.sap.com/securityguide

SAP Solution Manager http://service.sap.com/solutionmanager

SAP NetWeaver http://scn.sap.com/community/netweaver

https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/ui_entry/entry.htm?param=69765F6D6F64653D3030312669765F7361706E6F7465735F6E756D6265723D31323834343726



http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=1367252&_NLANG=en&_NVERS=0



http://scn.sap.com/community/security


http://service.sap.com/notes


http://service.sap.com/pam


http://service.sap.com/solutionmanager

http://scn.sap.com/community/netweaver

12


SAP Environment, Health, and Safety ManagementTechnical System Landscape

3 Technical System Landscape

The figure below shows an overview of the technical system landscape for SAP EHS Management.

For more information about the technical system landscape of SAP EHS Management, as well as integratedsystems, see the SAP EHS Management Master Guide at http://service.sap.com/instguides SAP BusinessSuite Applications SAP EHS Management Component Extension for SAP EHS Management Release 5.0.

Figure 1: 'Process Integration System Overview' depicts which functional modules are integrated into SAP EHSManagement processes and can reside on separate systems. The systems can be connected via RFC.

We assume that the central system for master data will provide the initial setup of Customizing and master datafor SAP EHS Management via Customizing transports and ALE replication (such as material master and plants).

Figure 1: Process Integration System Overview

For these RFC calls, we recommend you distribute the SAP EHS Management users to the other systems asneeded to read HR data, for example, and to enable Single Sign-On (SSO) for those users.

For more information about the technical system landscape, see the resources listed in the table below.

SAP Environment, Health, and Safety ManagementTechnical System LandscapePublicPublic

Public


reserved.

Topic Guide/Tool Quick Link on SAP Service Marketplace orSCN

Technical description for SAPEHS Management

and the underlying componentssuch as SAP NetWeaver

Master Guide http://service.sap.com/instguides

High availability See applicable documents http://scn.sap.com/docs/DOC-7848

Technical landscape design See applicable documents http://scn.sap.com/docs/DOC-8140

Security See applicable documents http://scn.sap.com/community/security

http://service.sap.com/instguides

http://scn.sap.com/docs/DOC-7848

http://scn.sap.com/docs/DOC-8140


14


SAP Environment, Health, and Safety ManagementUser Administration and Authentication

4 User Administration and Authentication

SAP EHS Management uses the user management and authentication mechanisms provided with the SAPNetWeaver platform, in particular the SAP NetWeaver Application Server ABAP and Java. Therefore, the securityrecommendations and guidelines for user administration and authentication as described in the SAP NetWeaverApplication Server ABAP Security Guide [SAP Library] and SAP NetWeaver Application Server Java SecurityGuide [SAP Library] also apply to SAP EHS Management.

In addition to these guidelines, we include information about user administration and authentication thatspecifically applies to SAP EHS Management in the following topics:

User Management []

This topic lists the tools to use for user management, the types of users required, and the standard users thatare delivered with SAP EHS Management.

User Data Synchronization [Page 17]

SAP EHS Management shares user data with

o SAP EHS Management system

o Portal system

o BI system

o Other ERP systems (HR, PM, QM, and CS)

This topic describes how the user data is synchronized with these other sources.

Integration into Single Sign-On Environments [Page 17]

This topic describes how SAP EHS Management supports Single Sign-On mechanisms.

4.1 User Management

User management for SAP EHS Management uses the mechanisms provided with the SAP NetWeaverApplication Server ABAP and Java, for example, tools, user types, and password policies. For an overview of howthese mechanisms apply for SAP EHS Management, see the sections below. In addition, we provide a list of thestandard users required for operating SAP EHS Management.

4.1.1 User Administration and User Management Tools

The table below shows the tools to use for user management and user administration with SAP EHS Management.

Tool Detailed Description

User and role maintenance withSAP NetWeaver AS ABAP

For more information, see Users and Roles (BC-SEC-USR) atHelp.SAP.com.

http://help.sap.com/

SAP Environment, Health, and Safety ManagementUser Administration and AuthenticationPublicPublic

Public


reserved.

Tool Detailed Description

(transactions SU01 and PFCG)

User Management Engine withSAP NetWeaver AS Java

For more information, see User Management Engine at Help.SAP.com..

Central User Administration (CUA) Use the CUA to centrally maintain users for the various systems used bySAP EHS Management.

User Management Engine (UME)administration console

Use the Web-based UME administration console to maintain the portalrole assignments to the user of the SAP EHS Management.

Set user for Enterprise Searchdata extraction (reportESH_EX_SET_EXTRACTION_USER

Embedded Search extraction user and extraction roles have to be set upwith this report

Manage analysis authorizations(transaction RSECADMIN)

Provides all necessary tools to maintain analysis authorizations

4.1.2 User Types

It is often necessary to specify different security policies for different types of users. For example, your policy mayspecify that individual users who perform tasks interactively have to change their passwords on a regular basis,but not those users under which background processing jobs run.

The user types that are required for SAP EHS Management include:

Individual users:

o Dialog users are used for the dialog processing and for the RFC connection to the Adobe DocumentService (ADS), for example. (Used for SAP GUI for Windows or RFC connections.)

o Communication users are used for e-mail inbound processing (such as SAPCONNECT).

o Background users are used for Embedded Search extraction, BI extraction and the SAP BusinessWorkflow Engine (such as WF-BATCH).

For more information about these user types, see User Types at Help.SAP.com in the SAP NetWeaver AS ABAPSecurity Guide.

4.1.3 Standard Users

The table below shows the standard users that are necessary for operating SAP EHS Management.

Standard Users

System User ID Type Password Description

SAP EHSManagement ERPSystem

BusinessProcessingUser

Dialog User To be entered Business User of SAP EHSManagement



16


SAP Environment, Health, and Safety ManagementUser Administration and Authentication

System User ID Type Password Description

SAP EHSManagementPortal System

BusinessProcessingUser

Dialog User To be entered Business User of SAP EHSManagement mapped to theBusiness Processing User in SAPEHS Management ERP System

SAP EHSManagement BISystem

BusinessProcessingUser forReportingfunctionality

Dialog User To be entered Business User of SAP EHSManagement mapped to theBusiness Processing User in SAPEHS Management ERP System


E-mail InboundProcessinguser

Communicationuser

Not needed User to process the incoming e-mails of SAP EHS Management


BI ExtractorUser

Backgrounduser

Not needed User for the BI extraction of SAPEHS Management data


EmbeddedSearchExtractor User

Backgrounduser

Not needed User for the Embedded Searchextraction will be created via reportESH_EX_SET_

EXTRACTION_USER


WorkflowEngine batchuser

Backgrounduser

Not needed User for the backgroundprocessing of workflows in SAPEHS Management


PRC WorklistGenerationUser

Backgrounduser

Not needed User for the backgroundprocessing of product complianceworklists


PRCAutomatedChangeProcessingUser

Backgrounduser

Not needed User for the backgroundautomated processing ofcompliance data changes in theproduct compliance area


PRC SupplierChangeMonitor

Backgrounduser

Not needed User for the backgroundmonitoring of changes in supplierto material assignment

You need to create the users after the installation.

Recommendation

Users are not automatically created during installation. In consequence there is no requirement to changetheir user IDs and passwords after the installation.

SAP Environment, Health, and Safety ManagementUser Administration and AuthenticationPublicPublic

Public


reserved.

4.2 User Data Synchronization

To avoid administrative effort, you can employ user data synchronization in your system landscape.

Since SAP EHS Management is based on SAP NetWeaver, all the mechanisms for user data synchronization ofSAP NetWeaver are available for SAP EHS Management.

4.3 Integration into Single Sign-On Environments

SAP EHS Management supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore,the security recommendations and guidelines for user administration and authentication as described in the SAPNetWeaver Security Guide at Help.SAP.com also apply to SAP EHS Management.

The most widely-used supported mechanisms are listed below:

Secure Network Communications (SNC)

SNC is available for user authentication and provides an SSO environment when using the SAP GUI forWindows or Remote Function Calls.

SAP logon tickets

SAP EHS Management supports the use of logon tickets for SSO when using a Web browser as the front-endclient. In this case, users can be issued a logon ticket after they have authenticated themselves with the initialSAP system. The ticket can then be submitted to other systems (SAP or external systems) as anauthentication token. The user does not need to enter a user ID or password for authentication, but canaccess the system directly after the system has checked the logon ticket.

Client certificates

As an alternative to user authentication with a user ID and passwords, users using a Web browser as a front-end client can also provide X.509 client certificates to use for authentication. In this case, user authenticationis performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwordshave to be transferred. User authorizations are valid in accordance with the authorization concept in the SAPsystem.

For more information about the available authentication mechanisms, see User Authentication and Single Sign-On at Help.SAP.com in the SAP NetWeaver Library.



18


SAP Environment, Health, and Safety ManagementAuthorizations

5 Authorizations

5.1 Role and Authorization Concept for SAP EHS Management

SAP EHS Management uses the authorization concept provided by the SAP NetWeaver AS ABAP or AS Java.Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver ASSecurity Guide ABAP and SAP NetWeaver AS Security Guide Java also apply to SAP EHS Management.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For rolemaintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’suser administration console on the AS Java.

NoteFor more information about how to create roles, see Role Administration [SAP Library].

5.2 Authorizations for RFC Calls

In SAP EHS Management, multiple BAPIs and RFC-enabled function modules are used to create, update, and readthe data of other SAP applications from (optional) other ERP systems. Thus, the authorization for using theseBAPIs and function modules (via Web Dynpro, for example), should be restricted to users who are intended tohave these authorizations and corresponding access to the data. For more information about creating roles andthe authorization concept, see "AS ABAP Authorization Concept" in http://help.sap.com SAP NetWeaver 7.4.

5.3 Standard Roles

The table below shows the standard roles that are used by SAP EHS Management.

SAP EHS Management delivers simultaneous end user roles for the ERP system and the portal system tosynchronize the menu structures for end users, regardless of whether the user has decided to use a Web browseror NetWeaver Business Client (NWBC) as a front end.

Assigning the portal role to an end user does not add any authorizations to the user. You should also assign thecorresponding PFCG role to the user in the ERP system to add the authorizations.

The following standard roles support the processes of SAP EHS Management. Technically, the services of theseroles are of the following types: Web Dynpro ABAP, Power Object Worklist (POWL), Report Launchpad, BI queries,BI dashboards based on Adobe Flash Player and transactions. Unless shown in the table below, the roles aredelivered without authorization profiles. The authorization profiles are then generated from these roles.


SAP Environment, Health, and Safety ManagementAuthorizationsPublicPublic

Public


reserved.

Standard Roles

Role Description

SAP_EHSM_MASTER Master PFCG role for all incident management, risk assessment andproduct safety and stewardship functionality. This role is intended foruse as a copy template for the menu structures of the end user rolesthat are currently assigned.

SAP_EHSM_PROCESS_ADMIM

Process Administrator

End user role for the person who is technically responsible for theworkflow-based processes of EHS Management. This role assigns themenu structure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.

This role can receive workflow items. These work items are displayedbased on the UWL configuration in the portal. An iView of the portal roleis opened via Object Based Navigation for processing the workflow item.

SAP_EHSM_HSS_BW_ANALYTICS

BI Content Analyst for HSS

End user role for the person who analyzes incidents and riskassessments, as well as the executed processes. This role contains thenavigation point Analytical Reports that includes the report launchpadfor the health and safety work area with access to all dashboards andqueries.

For this role, a SAP Business Warehouse (BW) system with BI Contentfor SAP EHS Management must be installed.

SAP_EHSM_FND_WF_BI_EXTR System user role for the extraction of BI data. This role contains theauthorization profiles needed to extract the workflow data for workflowreporting in BI.

SAP_EHSM_FND_WF_PERMISSION System user role for the Workflow Engine. This role contains theadditional authorization profiles needed to process the workflows in thebackground.

The users who process the workflows in the background should, inaddition to the SAP_EHSM_FND_WF_PERMISSION role, be assigned theSAP_BC_BMT_WFM_SERV_USER role.

For processing incident management workflows, the users should alsoreceive the same authorizations as theSAP_EHSM_HSS_INCIDENT_MANAGER role.

For processing risk assessment workflows, the users should also receivethe same authorizations as the SAP_EHSM_HSS_ENVMGR,SAP_EHSM_HSS_HYGIENIST, and SAP_EHSM_HSS_SAFEMGR.

For processing product compliance workflows, the users should alsoreceive the same authorizations as the rolesSAP_EHSM_PRC_COMPL_ENG, SAP_EHSM_PRC_COMPONENT_ENG,and SAP_EHSM_PRC_BASMAT_SPEC.

SAP_EHSM_HSS_EML_REC System user role for the e-mail recipient. This role contains theauthorization profiles needed to receive and process e-mails.

SAP_EHSM_FND_MIGRATION End user role for the migration. You use this role to access the LegacySystem Migration Workbench. Depending on the content you want tomigrate, you still need to configure and assign the corresponding

20



Role Description

business role (including the profiles).

For example, to access the incident business object and migrate theincident content, you also need theSAP_EHSM_HSS_INCIDENT_MANAGER role assigned (along with thecorresponding profiles).

NoteRestrict Data Access in Analytical Reports

In order to restrict access to data for users who execute analytical reports (BI Content), proceed asfollows:

Flag the necessary InfoObjects as being authorization–relevant.

Adjust the queries.

Define the necessary analysis authorizations.

Assign the authorizations to users. For more information, see the Security Guide for SAP NetWeaver BI.

5.3.1 Scenario Health and Safety

5.3.1.1 Standard Roles for Managing Incidents

The roles under 6.4 and the roles in the table below are relevant for incident management.

Role PFCG/Portal Description

SAP_EHSM_HSS_INCIDENT_MANAGER /

Incident Manager

End user role for the incident manager. This role assigns the menustructure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.

This role can receive workflow items. These work items are displayedbased on the UWL configuration in the portal. An iView of the portal role isopened via object-based navigation for processing the workflow item.

SAP_EHSM_HSS_INCIDENT_REPORTER /

Incident Reporter

End user role for the incident reporter. This role assigns the menustructure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.

SAP_EHSM_HSS_INCIDENT_NOTIFIED /

Incident Notified

End user role for a person who is notified during the processing of anincident. This role assigns the menu structure in NWBC and portal to theend user and the necessary authorizations in the ERP system.

This role can receive workflow items. These work items are displayedbased on the UWL configuration in the portal. An iView of the portal role isopened via object-based navigation for processing the workflow item.

SAP_EHSM_HSS_INCIDENT_ES System user role for the Embedded Search extraction. This role contains


Public


reserved.


H_EXTR the authorization profiles needed to extract the BO incident for theEmbedded Search.

SAP_EHSM_HSS_INCIDENT_BI_EXTR

System user role for the BI extraction. This role contains the authorizationprofiles needed to extract the BO incident for incident reporting in BI.

5.3.1.2 Standard Roles for Managing EHS Risks

The roles under 6.4 and the roles in the table below are relevant for risk assessment.


SAP_EHSM_HSS_ENVMGR End user role for the environmental manager. This role assigns the menustructure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.

SAP_EHSM_HSS_HYGIENIST End user role for the industrial hygienist. This role assigns the menustructure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.

SAP_EHSM_HSS_SAFEMGR End user role for the safety manager. This role assigns the menu structurein NWBC and portal to the end user and the necessary authorizations in theERP system.

SAP_EHSM_HSS_LINEMGR End user role for the line manager. This role assigns the menu structure inNWBC and portal to the end user and the necessary authorizations in theERP system.

SAP_EHSM_HSS_RAS_BI_EXTR System user role for the BI extraction. This role contains the authorizationprofiles needed to extract the risk assessment data for risk assessmentreporting in BI.

SAP_EHSM_HSS_HSMGRCORP End user role for the corporate health and safety manager. This roleassigns the menu structure in NWBC to the end user and the necessaryauthorizations in the ERP system.

SAP_EHSM_HSS_SMPLTECH End user role for the sampling technician. This role assigns the menustructure in NWBC to the end user and the necessary authorizations in theERP system.

5.3.1.3 Standard Roles for Managing Chemicals for Health andSafety Processes

The roles under 6.4 and the roles in the table below are relevant for Chemicals for Health and Safety Processes.

22




SAP_EHSM_HSS_HAZSUBMGR End user role for the hazardous substance manager. This role assigns themenu structure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.

For further details see role documentation.

SAP_EHSM_HSS_CHEMAPPR End user role for the chemical approver. This role assigns the menustructure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.


SAP_EHSM_HSS_SDSCLERK End user role for the safety datasheet clerk. This role assigns the menustructure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.


SAP_EHSM_HSS_CHEMREQ End user role for the chemical requestor. This role assigns the menustructure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.


5.3.2 Scenario Product Compliance

5.3.2.1 Standard Roles for Managing Product Compliance

The roles under 6.4 and the roles in the table below are relevant for product compliance.


SAP_EHSM_ADMINISTRATOR

Administrator

Administrator role for the person who monitors changes in master data forproduct compliance, compliance objects, and the application log. Thisperson also corrects data issues, enters data for customers and suppliers,and manually imports incoming documents either from the front-endsystem or from an application server.

SAP_EHSM_PRC_COMPL_CONSUMER

End user role for the compliance consumer. This role can be adapted foruse as four different sub-roles: purchasing agent, sales and servicesrepresentative, mechanical engineer, and electrical engineer. This user roleis responsible for maintaining awareness of regulations and compliancerequirements and, depending on the purpose, can be responsible formaintaining product knowledge and data, configuring customer orders,scheduling service requests, research, and evaluating product data, ordesigning, testing and analysis of components.

SAP_EHSM_PRC_COMPL_MGR End user role for the compliance manager. This user role monitorscompliance-related programs for product lines, and defines policies and


Public


reserved.


procedures for other departments to ensure compliance. The compliancemanager approves the manufacturing processes and equipment that willbe used in production, and supervises design compliance.

SAP_EHSM_PRC_COMPL_ENG End user role for the compliance engineer. This user role monitors dailyoperations that contribute to ensuring compliance. The complianceengineer is responsible for the company compliance data set. He or shemaintains compliance data in cooperation with the engineering teams, andcooperates with the compliance manager for up-to-date information aboutregulations. This role is involved in material-based and component-basedengineering changes and new product reviews.

SAP_EHSM_PRC_COMPONENT_ENG

End user role for the component engineer. This user role selects and workswith electrical or other components to be incorporated into futureproducts, and handles management and documentation of purchasedcomponents. The component engineer approves parts obtained externally,works closely with vendors, and ensures compliance by following theestablished procedures and policies.

SAP_EHSM_PRC_BASMAT_SPEC

End user role for the basic material specialist. This user role is responsiblefor the selection of appropriate materials and surfaces for design parts,and approves their release for use. The basic material specialist decidesthe specific application of materials and surfaces, and maintains thematerial database.

SAP_EHSM_PRC_BW_ANALYTICS

End user role for the person who analyzes product safety and stewardshipassessments, as well as the executed processes. This role contains thenavigation point Analytical Reports that includes the report launchpad forthe product safety and stewardship work area with access to alldashboards and queries.

For this role, a SAP Business Warehouse (BW) system with BI Content forSAP EHS Management must be installed.

SAP_EHSM_PRC_IMDS_BATCH IMDS Batch Job Processor

SAP_EHSM_PRC_AUTO_CHANGE_PROC

System user role for the automated change processing. This role containsthe authorization profiles needed to determine compliance informationthat is affected by a relevant change and executing the worklist of pendingcompliance information.

SAP_EHSM_PRC_REG_CHG_WLIST_PRO

System user role necessary for background processing of PRC RegulatoryChange Worklist Generation (programR_EHPRC_WL_REGCHG_GENERATE) and PRC Regulatory ChangeWorklist Post Processing (programR_EHPRC_WL_REGCHG_POST_PROC).

SAP_EHSM_PRC_SUPPL_CHNG_PROC

This role contains as a suggestion all relevant authorization data necessaryfor background processing of PRC Supplier Change Processing.

Supplier Change Monitor

24




The program R_EHPRC_PBB_SUPPL_CHNG_MON is executed inbackground processing in order to monitor changes in supplier to materialassignment and to start the workflow 'Decide and Prepare for Assessment'if necessary.

SAP_BCV_USER System user role for the display of Business Context Viewer (BCV). Thisrole contains the authorization profiles and menus needed to display a BCVside panel and the BCV configuration.

SAP_BCV_ADMIN System user role for the administration of Business Context Viewer (BCV).This role contains the authorization profiles and menus needed toadministrate the BCV configuration.

SAP_EHSM_PRC_BI_EXTR System user role for the BI extraction. This role contains the authorizationprofiles needed to extract the compliance data for Product andStewardship reporting in BI.

SAP_EHSM_PRC_EML_REC System user role for the e-mail recipient. This role contains theauthorization profiles needed to receive and process e-mails.

5.4 Standard Authorization Objects

The table below shows the security-relevant authorization objects that are used by SAP EHS Management.

Table 2 Standard Authorization Objects

Authorization Object Field Value Description

EHFND_CHDC (ChangeDocument)

ACTVT 03 (Display) Activity

BO_NAME EHFND_LOCATION (Location)

EHHSS_INCIDENT (Incident)

EHHSS_INCIDENT_ACTION (IncidentAction)

EHHSS_RISK_ASSESSMENT (RiskAssessment)

EHHSS_RAS_ACTION (Risk AssessmentAction)

EHHSS_RISK (Risk)

EHHSS_AGENT (Agent)

EHHSS_JOB (Job)

EHFND_DATA_AMOUNT (Amount)

EHFND_DATA_SERIES (Data Series)

EHFND_CHEMICAL (Chemical)

Business ObjectName

EHFND_LOC ACTVT 01 (Create or generate)02 (Change)

Activity


Public


reserved.


(Location) 03 (Display)06 (Delete)A3 (Change status)

LOCAUTHGRP LocationAuthorizationGroup

LOCBUSAREA Business Area

LOCCOMP Company Code

LOCCOST Cost Center

LOCPLANT Plant ID

LOCSTATUS 01 (New)02 (Active)03 (Inactive)04 (Historic)

Location Status

LOCTYPE Location Type

EHFND_DCTR

(Default Controls)

ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)

Activity

S_PB_CHIP

(Chips for side panel)

ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)16 (Execute)

Activity

(03 and 16 areneeded fordisplaying theinformation in theside panel)

CHIP_NAME X-SAP-WDY-CHIP:EHFNDWDCHIP_LOC_STRUCT

X-SAP-WDY-CHIP:EHHSSWDCHIP_ASSWRKF_LOC_LIST

X-SAP-WDY-CHIP:EHHSSWDCHIP_INC_LOC_LIST

X-SAP-WDY-CHIP:EHHSSWDCHIP_RSK_LOC_LIST

X-SAP-WDY-CHIP:EHHSSWDCHIP_RSK_LOC

X-SAP-WDY-CHIP:EHHSSUCWCHP_ASSWRKF

X-SAP-WDY-CHIP:EHHSSUCWCHP_INC_LOC

X-SAP-WDY-CHIP:EHHSSUCWCHP_APPRCHEM

Web Dynpro ABAP:CHIP ID

26




X-SAP-WDY-CHIP:EHFNDUCWCHP_EASYWORKLIST

X-SAP-WDY-CHIP:EHFNDUCWCHP_LAUNCHPAD

X-SAP-WDY-CHIP:FND_UI_CHM_SAFETY_INSTR_CHIP

X-SAP-WDY-CHIP:BSSP_SW_FEEDS

X-SAP-WDY-CHIP:BSSP_SW_ACTIVITIES

X-SAP-WDY-CHIP:BSSP_NOTES

X-SAP-WDY-CHIP:EHFND_UI_CHM_OVP_ALOC_VB_CHIP

X-SAP-WDY-CHIP:EHFND_UI_CHM_OVP_APPR_LOC_CHIP

X-SAP-WDY-CHIP:EHFND_UI_CHM_SAFETY_INSTR_CHIP

X-SAP-WDY-CHIP: EHHSSUCWCHP_SPLCP

X-SAP-WDY-CHIP:EHHSSUCWCHP_SPLCP_HEATMAP

X-SAP-WDY-CHIP: EHHSSUCWCHP_SPLPH

S_PB_PAGE

(Configuration for sidepanel and home pages)


Activity

CONFIG_ID EHFND_LOC_OIF_SIDE_PANEL

EHFND_CHM_SIDE_PANEL

EHHSS_HAZSUBMGR_HOMEPAGE

EHHSS_HYGIENIST_HOMEPAGE

EHHSS_INC_MANAGER _HOMEPAGE

EHHSS_HSMGRCORP_HOMEPAGE

EHHSS_SMPLTECH_HOMEPAGE

ConfigurationIdentification

PERS_SCOPE 0 (No Personalization1 (User))2 (View Handle)4 (All)5 (Configuration)

Web Dynpro:Personalization

EHFND_DTS

(Data Series)


Activity

LOCAUTHGRP LocationAuthorization


Public


reserved.


Group



LOCPLANT Plant ID

LOCSTATUS 01 (New)02 (Active)03 (Inactive)04 (Historic)

Location Status

LOCTYPE Location Type

EHFND_WFT(Workflow Tools)

ACTVT 16 (Execute) Activity

TCD All transactions of workflow tools Transaction Code

EHFND_WFF (Workflowand Processes)

EHSM_COMP HSS (Health and Safety) Component of EHSManagement

PURPOSE Process Purpose (see Customizing activitySpecify Process Definitions)

Process Purpose

EHSM_PVAR Process Variant (see Customizing activitySpecify Process Definitions)

Name of ProcessVariant

EHSM_PCACT CANCELPROC (Cancel Process) Activity of Task orProcess

EHFND_EXPP

(Export Profile)

ACTVT 01 (Create, Generate) Activity

EHFND_EXPP Configured ExportProfile

EHFND_CHM(Chemical)


Activity

EHFND_REGL(Regulatory ListContent)


Activity

The following table contains authorization objects that are relevant for SAP EHS Management if you integrate thesystem with other SAP components.

Table 1 Authorization Objects for Integration

Authorization Object General Settings Further Information

P_ORGIN

(HR: Master data)

Display authorizations are requiredfor specific infotypes.

See Customizing for SAP EHS Managementunder Foundation for EHS ManagementIntegration Human Resources Integration

Check Authorizations for Person

28



Authorization Object General Settings Further Information

Information

P_ORGXX

(HR: Master data -extended check)

Activation of the check by thisauthorization object is required.P_ORGXX can be used in addition toor instead of the check by theauthorization object HR: MasterData.

P_APPL

(HR: Applicants)

Display authorizations are requiredfor specific infotypes.

B_BUPA_RLT

(Business partner: BProles)

Authorizations are required for thefollowing BP roles:

CBIH10 - External person

HEA010 - Physician

HEA030 - Health center (hospital)

B_BUPA_FDG

(Business partner: fieldgroups)

Special authorization check forindividual field groups in thebusiness partner dialog box.

5.4.1 Scenario Health and Safety

5.4.1.1 Authorization Objects for Managing Incidents

The authorization objects under 6.4 and the authorization objects in the table below are relevant for incidentmanagement.

Table 2 Authorization Objects for Incident Management

AuthorizationObject

Field Value Description

EHHSS_INC1(Incident)

ACCESS_LEV 000 (Basic Information /Standard Data)001 (Person InvolvedAccess)002 (Injury / IllnessAccess)003 (Confidential Access)004 (Date of Birth Access)

Incident Access Level

For more information about creatingand assigning access levels to tabs,see the Customizing activities underSAP EHS Management IncidentManagement General Information

Create Incident Access Levels

Assign Access Levels to Tabs

ACTVT 01 (Create or generate)02 (Change)03 (Display)

Activity

Note that activity Reopen has been


Public


reserved.

AuthorizationObject


06 (Delete)C5 (Reopen)

added with version 2.0. If you havealready used this authorizationobject in version 1.0, you may wantto update your roles with thisadditional activity.

INC_CATEG 001 (Incident)002 (Near Miss)003 (Safety Observation)

Incident Category

INC_STATUS ' '00 (Void)01 (New)02 (In Progress)03 (Closed)

04 (Re-opened)

Incident Record Status

ORGUNIT_ID Organizational Unit ID

PLANT_ID Plant ID

EHHSS_INC2(IncidentReport)


Activity

FORM_NAME All forms for reporting Form Name

ORGUNIT_ID Organizational Unit ID

PLANT_ID Plant ID

EHHSS_INC3(IncidentGroup)

ACTVT 02 (Change)

03 (Display)

06 (Delete)

Activity

NM_GROUP EHHSS_NMG_UNS_ACTION(Unsafe action)

EHHSS_NMG_UNS_COND (Unsafecondition)

EHHSS_NMG_UNS_EQU (Unsafeequipment)

EHHSS_NMG_UNS_USE_EQU(Unsafe use of equipment)

Near Miss Group

SO_GROUP EHHSS_SOG_DOC_PROC_NF(Documented procedure notfollowed)

EHHSS_SOG_FAIL_USE_PE(Failure to use personal protective

Safety Observation Group

30



AuthorizationObject


equipment)

EHHSS_SOG_HORSEPLAY(Horseplay)

EHHSS_SOG_UNS_LIF_CAR(Unsafe lifting or carrying)

EHHSS_SOG_UNS_USE_ETV(Unsafe use of equipment, tool orvehicle)

EHHSS_SOG_UNS_USE_MAT(Unsafe use of material)

EHHSS_SOG_USE_DEF_ETV (Useof defective equipment, tool orvehicle)

EHHSS_SOG_USE_DEF_MAT (Useof defective material)

INC_GROUP EHHSS_IGR_NOT_OF_VIOL(Notice of violation)

EHHSS_IGR_OCC_INC(Injury/illness)

EHHSS_IGR_RELEASE (Release)

Incident Group

INC_NO_GRP 1 (Incident)

2 (Near miss)

3 (Safety observation)

Incident Category

EHHSS_INC5(Incident byLocation)

ACTVT 01 (Create or generate)

02 (Change)

03 (Display)

06 (Delete)

Activity

LOCTYPE Business Unit

Equipment

Production Unit

Site

Work Center

Location Type

LOCSTATUS 01 (New)

02 (Active)

03 (Inactive)

04 (Historic)

Location Status

LOCAUTHGRP Unrestricted Access Location Authorization Group

LOCPLANT Plant ID


Public


reserved.

AuthorizationObject


LOCCOST Cost Center



LOCCOUNTRY Country

LOCREGION Region

EHHSS_CLR(Allowance toChange Limitsfor AnalyticReports)

ACTVT 16 (Execute) The execute authorization isrequired to be able to maintain limitsfor analytical reporting. Only thoseusers who have this authorizationhave an entry in the reportlaunchpad that allows users tomaintain the limits.

S_TABU_DIS DICBERCL EHMI (Incident)EHMF (Foundation)

Authorization Group

ACTVT Activity

S_PROGRAM P_GROUP EHINCXML (XML reports)

EHFNDPRG (Foundation programauthorization)

EHFNDWFT(Workflow tools)

EHHSSINC (Incidentmanagement)

Authorization group ABAP/4program

P_ACTION SUBMIT User action ABAP/4 program

5.4.1.2 Authorization Objects for Managing EHS Risks

The authorization objects under 6.4 and the authorization objects in the table below are relevant for riskassessment.

Table 3 Authorization Objects for Risk Assessment

AuthorizationObject


EHHSS_AGT

(Agent)


Activity

EHFND_CTRL

(Control


Activity

32



AuthorizationObject


Master Data) 06 (Delete)

EHFND_DSC

(DynamicStatementCreation inControl MasterData)

EHFND_DSCC DSC_MAPPING_021 Dynamic StatementCreation enabled fields

EHHSS_JOB

(Job)


Activity

EHHSS_PEP

(PersonalExposureProfile)


PERSA Personnel Area

BTRTL Personnel Subarea

EHHSS_RAS

(RiskAssessment,Risks, Controlson Risks andControlInspections)


A8 (Process mass data)

Activity

RAS_TYPE EHHSS_RAT_ENV (Environment)

EHHSS_RAT_HEA (Health)

EHHSS_RAT_JHA (Job Hazard Analysis)

EHHSS_RAT_SAF (Safety)

Risk Assessment Type

LOCAUTHGRP Location AuthorizationGroup

LOCPLANT Plant ID

LOCCOST Cost Center



EHHSS_RASP

(Proposal ofHealthSurveillanceProtocol in RiskAssessment)

ACTVT 01 Create or generate

02 Change

03 Display

06 Delete

Activity

HSP_TYPE Health SurveillanceProtocol Type

EHHSS_HSP

(Health


02 Change

Activity


Public


reserved.

AuthorizationObject


SurveillanceProtocolMaster Data)

03 Display

06 Delete

HSP_TYPE Health SurveillanceProtocol Type

COUNTRY Country Key

REGIO Region (State, Province,County)

S_TABU_DIS DICBERCL EHMR (Risk Assessment) Authorization Group

S_PROGRAM P_GROUP EHFNDPRG (Foundation programauthorization)

EHFNDWFT (Workflow tools)

EHHSSRAS (Risk Assessment)

Authorization groupABAP/4 program

P_ACTION SUBMIT User action ABAP/4program

5.4.1.3 Authorization Objects for Managing Chemicals for Healthand Safety Processes

The authorization objects under 5.4 and the authorization objects in the table below are relevant for Chemicals forHealth and Safety Processes.

Table 6 Authorization Objects for Chemicals for Health and Safety Processes

AuthorizationObject


EHFND_CHM

(Chemical)


Activity

EHFND_CHA

(ChemicalApproval)


Activity

EHFND_DCTR

(DefaultControls)


Activity

EHFND_DSC

(Dynamic

EHFND_DSCC DSC_MAPPING_000 EHFND_DSC

(Dynamic Statement

34



AuthorizationObject


StatementCreation)

DSC_MAPPING_001

DSC_MAPPING_002

DSC_MAPPING_003

DSC_MAPPING_004

DSC_MAPPING_005

DSC_MAPPING_006

DSC_MAPPING_007

DSC_MAPPING_008

DSC_MAPPING_009

DSC_MAPPING_010

DSC_MAPPING_011

DSC_MAPPING_012

DSC_MAPPING_013

DSC_MAPPING_014

DSC_MAPPING_015

DSC_MAPPING_016

DSC_MAPPING_017

DSC_MAPPING_018

DSC_MAPPING_019

DSC_MAPPING_020

DSC_MAPPING_021

Creation)

EHFND_RCH

(RequestChemical)


Activity(01 and 02 areneeded for using theservice “requestchemical approval”

EHFND_VEN

(Vendor)


Activity

EHHSS_SI

(SafetyInstruction)


Activity

EHFND_SPL ACTVT 03 (Display)16 (Execute)

Activity


Public


reserved.

AuthorizationObject


(SampleManagement)

23 (Maintain)

EHSM_COMP Component of EHSManagement

LOCAUTHGRP LocationAuthorization Group

LOCPLANT Plant ID

LOCCOST Cost Center



EHFND_SPLM

(SamplingMethod)


Activity

S_TABU_DIS DICBERCL EHMR (Risk Assessment) Authorization Group

S_PROGRAM P_GROUP EHFNDPRG (Foundation program authorization)

EHFNDWFT (Workflow tools)

EHHSSRAS (Risk Assessment)

Authorization groupABAP/4 program

P_ACTION SUBMIT User action ABAP/4program

5.4.2 Scenario Product Compliance

5.4.2.1 Authorization Objects for Managing Product Compliance

The authorization objects under 6.4 and the authorization objects in the table below are relevant for productcompliance.

Table 7 Authorization Objects for Product Compliance


EHPRC_CMWL(ComplianceManagement Worklist(CMWL))


Activity

WL_CAT REG_CHG (Follow-Up Regulatory Worklist Category

36




Change)

EHPRC_CPM (RCS:Campaign Usage)


Activity

EHPRC_OLM1 (RCS:Object List Usage)


Activity

EHPRC_OLGR See IMG activity Specify Object ListGroups under SAP EHSManagement -> ProductCompliance -> GeneralConfiguration

Object List Group

EHPRC_CDO: RCS:Authorization Objectfor Compliance Object


02 Change

03 Display

06 Delete

Activity

REQ ComplianceRequirement (Check)

REV_STATUS Compliance DataRevision Status

CDCATEGORY Compliance DataCategory

S_PB_CHIP(ABAP Page Builder:CHIP)

ACTVT 03 (Display)16 (Execute)

Activity

Needed for displayinginformation on the sidepanel

CHIP_NAME X-SAP-WDY-CHIP:/BCV/CHIP*

X-SAP-WDY-CHIP:EHPRC_CW_BCV_CHIP1

Web Dynpro ABAP:CHIP ID

S_PB_PAGE(ABAP Page Builder:Page Configuration)



CONFIG_ID /BCV/SIDEPANEL ConfigurationIdentification

PERS_SCOPE 1 (User)) Web Dynpro:Personalization

BCV_SPANEL(Execute Side Panel)

ACTVT 16 (Execute) Activity

Needed for displayinginformation on the side


Public


reserved.


panel

BCV_CTXKEY EHPRC_COMPL_DATA Context Key

BCV_USAGE(Business ContextViewer usage)

ACTVT US (Use) Activity


BCV_QRYVW(Query View)




BCV_QRYVID ID of Query View

BCV_QUERY(Query)




BCV_QRY_ID Query ID

BCV_QUILST(Overview)




BCV_QUIKID ID of Overview

5.5 Critical Combinations

The EHFND_WFT authorization object activates buttons in the BI dashboard Process Dashboard that start anobject-based navigation to the workflow tools. The navigation targets are only delivered with the standard roleSAP_EHSM_PROCESS_ADMIN. In consequence, this authorization shall not be assigned to any users apart fromthose who are assigned the SAP_EHS_PROCESS_ADMIN role.

5.6 Portal Permissions

The SAP EHS Management portal users require at least end user read authorization on the following folder in thePortal Content Directory and its subfolders:

38



Business Objects EHS-Management

Portal Content Content Provided by SAP specialist EHS Management

Portal Content Sandbox EHS Management Role Upload

For more details see the topic “Roles” under https://help.sap.com/ehs Component Extension for SAP EHSManagement Component Extension 5.0 for SAP EHS Management Application Help Foundation for EHSManagement Roles

5.7 Creating Custom Roles

The SAP EHS Management roles that are delivered contain specific configuration such as object-based navigation(OBN). In consequence, customizing these roles has a certain level of complexity. Custom roles can easily becreated as follows without losing their specific configuration:

1. Create your custom PFCG role.

2. Copy the menu structure from the SAP_EHSM_MASTER role or the others that are delivered.

3. Generate the authorization profile.

4. Assign the custom role to end users.

For custom portal roles, the following additional steps are required. Either the custom role is uploaded to theportal by using the Role Upload Tool, or a custom portal role is created directly in the portal as follows:

For custom roles created from the SAP_EHSM_MASTER role:

1. Create the custom portal role as a new portal role.

2. Add the “SAP_EHSM_MASTER” work set as a delta link.

3. Remove all delta links to those services which should not be part of the custom portal role.

4. Assign the custom portal role to end users.

https://help.sap.com/ehs

SAP Environment, Health, and Safety ManagementSession Security ProtectionPublicPublic

Public


reserved.

6 Session Security Protection

To increase security and prevent access to the SAP logon ticket and security session cookie(s), we recommendactivating secure session management.

We also highly recommend using SSL to protect the network communications where these security-relevantcookies are transferred.

6.1 Session Security Protection on the AS ABAP

To activate session security on the AS ABAP, set the corresponding profile parameters and to activate the sessionsecurity for the client(s) using the transaction SICF_SESSIONS.

For more information, a list of the relevant profile parameters, and detailed instructions, see Activating HTTPSecurity Session Management on AS ABAP [SAP Library] in the AS ABAP security documentation.

6.2 Session Security Protection on the AS Java

On the AS Java, set the HTTP Provider properties as described in Session Security Protection [SAP Library].

40


SAP Environment, Health, and Safety ManagementNetwork and Communication Security

7 Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support thecommunication necessary for your business needs without allowing unauthorized access. A well-defined networktopology can eliminate many security threats based on software flaws (at both the operating system level andapplication level) or network attacks such as eavesdropping. If users cannot log on to your application or databaseservers at the operating system or database layer, then there is no way for intruders to compromise the machinesand gain access to the backend system’s database or files. Additionally, if users are not able to connect to theserver LAN (local area network), they cannot exploit well-known bugs and security holes in network services onthe server machines.

The network topology for SAP EHS Management is based on the topology used by the SAP NetWeaver platform.Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide alsoapply to SAP EHS Management. Details that specifically apply to SAP EHS Management are described in thefollowing topics:

Communication Channel Security []

This topic describes the communication paths and protocols used by SAP EHS Management.

Network Security [Page 42]

This topic describes the recommended network topology for SAP EHS Management. It shows the appropriatenetwork segments for the various client and server components and where to use firewalls for accessprotection. It also includes a list of the ports needed to operate the <scenario, component, application>.

Communication Destinations [Page 43]

This topic describes the information needed for the various communication paths, for example, which usersare used for which communications.

For more information, see the following sections in the SAP NetWeaver Security Guide:

Network and Communication Security [SAP Library]

Security Guides for Connectivity and Interoperability Technologies [SAP Library]

7.1 Communication Channel Security

The table below shows the communication channels used by SAP EHS Management the protocol used for theconnection and the type of data transferred.

Communication Path Protocol Used Type of Data Transferred Data Requiring SpecialProtection

NetWeaver Business Client toSAP EHS Managementapplication server

RFC PFCG Roles including theirmenu structure

NetWeaver Business Client toSAP EHS Managementapplication server

HTTPS User Interfaces in Web DynproABAP, POWL, ReportLaunchpad

https://help.sap.com/


SAP Environment, Health, and Safety ManagementNetwork and Communication SecurityPublicPublic

Public


reserved.

Communication Path Protocol Used Type of Data Transferred Data Requiring SpecialProtection

Web Browser to SAP EHSManagement application server

HTTPS User Interfaces in Web DynproABAP, POWL, ReportLaunchpad

Web Browser to SAP EHSManagement application serverif SAP GUI for HTML is used

HTTPS Transactions of SAP EHSManagement Workflow Tools

Frontend client using SAP GUIfor Windows in NetWeaverBusiness Client or Portal toSAP EHS Managementapplication server

DIAG Transactions of SAP EHSManagement Workflow Tools

NetWeaver Business Client toBI System

HTTPS BI queries

Web Browser to BI System HTTPS BI queries

Adobe Flash Player to BIsystem

HTTPS BI dashboards

Forms Processing uses AdobeDocument Service

HTTPS to AdobeDocumentService

XML content of the forms Standard ADS setuprequired

E-mail Inbound Handling SMTP Inbound e-mail with interactiveform as attachment

Standard setup forinbound e-mail

E-mail Outbound Processing(Standard BusinessCommunication Service [BCS]used)

Outbound e-mail withinteractive form as attachment

Standard setup forBCS

RFC Connection to IMDSSystem

RFC IMDS Data, MDS Files, RequestFiles, result Files

SAP Product StewardshipNetwork – integration of an ondemand solution for productcompliance

Web ServiceConsumptionbased on SOAP

Compliance data from SAPProduct Stewardship Network

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connectionsare protected using the Secure Sockets Layer (SSL) protocol. SOAP connections are protected with Web servicessecurity.

Recommendation

We strongly recommend using secure protocols (SSL, SNC) whenever possible.

42


SAP Environment, Health, and Safety ManagementNetwork and Communication Security

Caution1. We recommend using the same protocol – either HTTP or HTTPS – consistently in all communication

channels. This means all the deployed objects have to be configured in exactly the same wayregarding HTTP(S) throughout. This is done especially to avoid problems caused by JavaScript-based communication between the single layers.

2. We strongly recommend using the protocol HTTPS instead of HTTP on the communication channelsto protect the transferred data against unauthorized access.

3. We strongly recommend activating Secure Network Communication (SNC) for the non-HTTPcommunication channels to protect the transferred data against unauthorized access.

For more information, see Transport Layer Security at Help.SAP.com and Web Services Security at Help.SAP.comin the SAP NetWeaver Security Guide.

7.1.1 Secure Offline Communication with SAP Interactive Formsby Adobe

The inquiry forms used in incident management can contain sensitive and confidential data. These forms are sentvia e-mail, for example, to an external party (such as a doctor or expert) that is unknown within the system andhas no system account. To protect this data from unauthorized users, encryption becomes necessary. The datato be encrypted is the e-mail text, the PDF data, or both.

If you do not already use an encryption function, you can configure SAPconnect to send e-mails via a secure e-mail gateway application that is capable of encrypting outbound and inbound e-mails. For more information, seeSAP Help Portal for SAP NetWeaver under SAP NetWeaver 7.0 (2004s) SAP NetWeaver LibraryAdministrator’s Guide Technical Operations Manual for SAP NetWeaver Administration of SAP NetWeaverSystems AS ABAP (Application Server for ABAP) Administration SAPconnect Communication Interface.Note that in SAPconnect Communication Interface under More Information, you can find general informationabout SAPconnect.

SAP EHS Management is not delivered with third-party components.

7.2 Network Security

SAP EHS Management is designed to run in the LAN network segment by default. Running SAP EHS Managementin multiple network segments is supported with the options provided by SAP NetWeaver AS ABAP and SAPNetWeaver AS Java.

SAP EHS Management strictly uses the default services and ports of SAP NetWeaver AS ABAP and SAPNetWeaver AS Java for the communication channels. For more information about the services and ports used bySAP NetWeaver, see Network Services [SAP Library] in the SAP NetWeaver Security Guide.

SAP EHS Management requires the Adobe Document Service (ADS) and e-mail processing. There are no furtherrequirements for the default setup.



SAP Environment, Health, and Safety ManagementNetwork and Communication SecurityPublicPublic

Public


reserved.

7.3 Ports

SAP EHS Management runs on SAP NetWeaver and uses the ports from the AS ABAP or AS Java. For moreinformation, see the topics for AS ABAP Ports [SAP Library] and AS Java Ports [SAP Library] in thecorresponding SAP NetWeaver Security Guides. For other components, for example, SAPinst, SAProuter, or theSAP Web Dispatcher, see also the document TCP/IP Ports Used by SAP Applications, which is located on SAPDeveloper Network at http://scn.sap.com/community/security under Infrastructure Security Network andCommunications Security.

7.4 Communication Destinations

The table below shows an overview of the communication destinations used by SAP EHS Management.

Connection Destinations

Destination Delivered Type User, Authorizations Description

<HR system> No RFC HR authorizations of all standardSAP EHS Management user roles

Connection to HR client

<PM system> No RFC PM authorizations of all standardSAP EHS Management user roles

Connection to PM client

<CS system> No RFC CS authorizations of all standardSAP EHS Management user roles

Connection to CS client

<QM system> No RFC QM authorizations of all standardSAP EHS Management user roles

Connection to QM client

<BuPa system> No RFC BuPa authorizations of all standardSAP EHS Management user roles

Connection to businesspartner client

<AC system> No RFC AC authorizations of all standardSAP EHS Management user roles

Connection to AC client

<GRC system> No RFC SAP EHS Management does notprovide GRC authorizations

Connection to GRCclient

<MOC system> No RFC

(3, H)

SAP EHS Management does notprovide MOC authorizations

Connection to MOCclient

(ABAP/3- and HTTP/H-Connection)

For more information about GRC authorizations, see the SAP BusinessObjects Governance, Risk, and Compliance(GRC) Security Guide.

For detailed information about communication destinations, see Customizing for SAP EHS Management underFoundation for EHS Management Integration Specify Destinations for Integration.

For communication details, see also the SAP Interactive Forms Solution Security Guides and the standard setupof SAP Business Workflow.




44


SAP Environment, Health, and Safety ManagementData Storage Security

8 Data Storage Security

SAP EHS Management does not store any data itself beyond the data that is stored by the infrastructure used onSAP NetWeaver Application Server ABAP and SAP NetWeaver Application Server Java.

The data storage security of SAP NetWeaver and components installed on that base is described in the SAPNetWeaver 7.0 Security Guide.

All business data in SAP EHS Management is stored in the system database. This business data is protected bythe authorization concept of SAP NetWeaver and SAP EHS Management. In some special cases, business-relevant data is stored in another location such as a file system. The special cases are listed below:

Whitelists

Depending on the technology you are using, you may encounter security issues when trying to display links thatare not explicitly added to the whitelist. For more information about defining whitelist entries, see the SAPNetWeaver documentation at help.sap.com SAP NetWeaver Business Client 7 Security Aspects 7.8Whitelist.

XML-Export Interface for Non-BW Analytics

The XML-Export Interface for non-BW Analytics exports XML data to the application server on the following logicaldirectory/file name:

Component Logical Directory/File Name

Incident Management EHHSS_BO_XML_EXPORT_PATH / EHHSS_INCIDENTS_XML

You can set the physical location using transaction FILE. The exported XML file can be downloaded from theapplication server. The directories used for the export on the application server and for the file download need tobe protected against unauthorized third-party access, since the export file may contain person-related orotherwise confidential information.

Knowledge Management

SAP EHS Management uses standard SAP NetWeaver (NetWeaver) technology for uploading and downloadingdocuments (such as Web Dynpro ABAP controls or Internet Communication Framework (ICF) services). Thesedocuments are checked into the defined storage system (content repository) using the Knowledge Provider(KPro).

For more information about security with regards to Knowledge Management, see on the SAP ServiceMarketplace service.sap.com/securityguide SAP Knowledge Management Security Guides.

8.1 Person-Related Information

8.1.1 Summary of Tables Containing Person-Related Data

The report RSCRDOMA summarizes the tables containing person-related data. The following data elementsshould be used as input for the report.


https://service.sap.com/securityguide

SAP Environment, Health, and Safety ManagementData Storage SecurityPublicPublic

Public


reserved.

Data Element Name Short Text

EHHSS_ABS_FROM_PROXY Absence Read From Proxy

EHHSS_ABS_HR_MASTER_DATA_IND Lock Indicator for HR Master Data Absence Record

EHHSS_ABS_INFOTYP_SAME_VAL_IND Absence Infotype Record with Same Key Value

EHHSS_ABS_LOST_SHIFT_MEAS Shifts Lost During Absence

EHHSS_ABS_OBJECT_ID Absence Object ID

EHHSS_ABS_TYPE_CODE Absence Type

EHHSS_BODY_PART_CODE Injured Body Part

EHHSS_BODY_SIDE_CODE Injured Body Side

EHHSS_DEATH_CAU_TYPE_CODE Cause of Death

EHHSS_DEATH_LOC_TYPE_CODE Location of Death

EHHSS_DEATH_TIME_ZONE Time Zone of Death

EHHSS_DUTY_REST_CAL_DAY_MEAS Actual Calendar Days of Restricted Duty

EHHSS_DUTY_REST_END_DATE Actual End Date of Restricted Duty

EHHSS_DUTY_REST_END_EST_DATE Estimated End Date of Restricted Duty

EHHSS_DUTY_REST_JOB_TRANSF_IND Job Transfer

EHHSS_DUTY_REST_PERMANENT_IND Permanent Restricted Duty

EHHSS_DUTY_REST_START_DATE Start Date of Restricted Duty

EHHSS_DUTY_REST_SUBTYPE_CODE Restricted Duty Type

EHHSS_DUTY_REST_TYPE_CODE Category of Restricted Duty

EHHSS_DUTY_REST_WORK_DAY_MEAS Actual Workdays of Restricted Duty

EHHSS_EMERGENCY_ROOM_TS Emergency Room Treatment

EHHSS_FATALITY_TS Fatal Injury / Illness

EHHSS_HRA_PERS_EMAIL E-Mail Address of Human Resources Administrator

EHHSS_INJ_ILL_MAIN_TS Main Injury / Illness

EHHSS_INJ_ILL_PREVIOUS_TS Previous Injury / Illness

EHHSS_INJ_ILL_REGULATOR_REP_TS Reporting of Injury / Illness Required

EHHSS_INPATIENT_24H_TS Inpatient Treatment (More Than 24 Hrs)

EHHSS_INPATIENT_TS Inpatient Treatment Overnight

EHHSS_ORG_DUR_MEAS Duration at Organization

EHHSS_ORG_DUR_UNIT_CODE Unit of Duration at Organization

EHHSS_PER_INJ_EXT_CASE_ID External Case Number

46


SAP Environment, Health, and Safety ManagementData Storage Security


EHHSS_PER_INJ_INJ_ORG_PROP_TS Injured on Company's Site

EHHSS_PER_INJ_ON_DUTY_TS Person Injured on Duty

EHHSS_PER_INV_ADDR Address of Involved Person

EHHSS_PER_INV_COMP_DESC Company Description of Involved Person

EHHSS_PER_INV_COMP_ORG_UNIT Organizational Unit of Involved Person

EHHSS_PER_INV_EMAIL E-Mail Address of Involved Person

EHHSS_PER_INV_FIRST_NAME First Name of Involved Person

EHHSS_PER_INV_ID Involved Person

EHHSS_PER_INV_LAST_NAME Last Name of Involved Person

EHHSS_PER_INV_NAME Name of Involved Person

EHHSS_PER_INV_POSITION_DESC Description of Involved Person's Position

EHHSS_PER_INV_TELEPHONE_NUMBER Telephone Number of Involved Person

EHHSS_PER_ROLE_CODE Role of Involved Person

EHHSS_PERSONNEL_NUMBER Personnel Number

EHHSS_RESDU_CON_PAY_END_DATE End Date of Absence Continued Payment

EHHSS_RESDU_END_TIME End Time of Absence or Restriction

EHHSS_RESDU_END_TIME_ZONE Time Zone of Absence or Restriction End

EHHSS_RESDU_START_TIME Start Time of Absence or Restriction

EHHSS_RESDU_START_TIME_ZONE Time Zone of Absence or Job Restriction Start

EHHSS_RESUSCITATION_TS Immediate Resuscitation Performed

EHHSS_STANDARD_JOB_TS Performed Regular Job

EHHSS_TI_PO_DUR_MEAS Duration in Position

EHHSS_TI_PO_DUR_UNIT_CODE Unit of Duration in Position

EHHSS_TIDAT_ORG_START_DATE Start Date of Work at Organization

EHHSS_TIDAT_POS_START_DATE Start Date of Work at Current Position

EHHSS_TIDAT_WOC_START_DATE Start Date of Work at Current Work Center

EHHSS_TRAN_FIRST_AID_CODE Transportation to First Aid

EHHSS_TRAN_FURTHER_CODE Transportation to Further Treatment

EHHSS_TREAT_BEYOND_FI_AID_TS Treatment Beyond First Aid

EHHSS_UNCONSCIOUS_TS Unconsciousness

EHHSS_WO_ACTUAL_END_TIME End of Actual Working Time

SAP Environment, Health, and Safety ManagementData Storage SecurityPublicPublic

Public


reserved.


EHHSS_WO_ACTUAL_START_TIME Start of Actual Working Time

EHHSS_WO_CE_DUR_MEAS Duration at Work Center

EHHSS_WO_CE_DUR_UNIT_CODE Unit of Duration at Work Center

EHHSS_WO_CEASED_TIME_ZONE Time Zone of Ceased Work

8.1.2 Logging Access to Person-Related Data

If you record incidents involving illnesses or injuries, you enter personal health data into the system. Since thisinformation is potentially sensitive and access to this information is in some cases legally regulated (for example,by the legal requirement Ley Orgánicade de protección de Datos in Spain), your organization can log informationabout when the data was accessed and by whom. For more information about logging access to person-relateddata, see the SAP Note 1576799.

http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=1576799&_NLANG=en&_NVERS=0

48


SAP Environment, Health, and Safety ManagementSecurity for Additional Applications

9 Security for Additional Applications

For security information about Adobe Flash Player used by the BI dashboards, refer to the SAP NetWeaverBusiness Warehouse Security Guide.

For security information about the Embedded Search used by SAP EHS Management, refer to the SAP NetWeaverEnterprise Search 7.2.Security Guide.

SAP Environment, Health, and Safety ManagementDispensable Functions with Impacts on SecurityPublicPublic

Public


reserved.

10 Dispensable Functions with Impacts onSecurity

SAP EHS Management can be integrated with HR Time Management in Customizing. If the personnel timemanagement (PT) integration is activated, time data (including absences) from HR is displayed in the incident. Anadditional option is available to directly create HR Absences from the incident. For all actions (such as read orcreate), HR authorizations are checked.

50


SAP Environment, Health, and Safety ManagementOther Security-Relevant Information

11 Other Security-Relevant Information

11.1 SAP NetWeaver Business Client as User Front End

For more information about SAP NetWeaver Business Client (SAP NWBC) with PFCG connection, see the SAPNetWeaver documentation on SAP Help Portal at http://help.sap.com SAP NetWeaver SAP NetWeaver 7.0(2004s) SAP NetWeaver 7.0 Library (Including Enhancement Package 2) SAP NetWeaver Library SAPNetWeaver by Key Capability Application Platform by Key Capability ABAP Technology SAP NetWeaverBusiness Client Security Aspects.

11.2 Documents (including Virus Scanner)

SAP EHS Management uses standard SAP NetWeaver (NetWeaver) technology for uploading and downloadingdocuments (such as Web Dynpro ABAP controls or Internet Communication Framework (ICF) services). Thesedocuments are checked into the defined storage system (content repository) using the Knowledge Provider(KPro).

Using the standard NetWeaver technology, you can use the standard NetWeaver virus scan interface (VSI) tocheck documents (including attachments) for viruses. To do this, you must have installed and configured a virusscanner. It is highly recommended that you integrate a virus scanner. For more information, see SAP Help Portalat http://help.sap.com NetWeaver <Release> SAP NetWeaver Library SAP NetWeaver by KeyCapability Security SAP NetWeaver Security Guide Security Guides for SAP NetWeaver According toUsage Types SAP NetWeaver Application Server ABAP Security Guide Security Issues for Web Dynpro ABAP

Virus Scan Interface.

For more information about security with regards to Knowledge Management, see SAP Service Marketplace atservice.sap.com/securityguide SAP Knowledge Management Security Guides.

11.3 Forms and E-Mails Containing Java Script

The Interactive forms of SAP EHS Management can contain Java Script. Therefore, Java Script must be enabledin Adobe Acrobat Reader.

In addition, e-mails with PDF attachments that contain Java Script must not be filtered out in the e-mail inboundand outbound process.

SAP Environment, Health, and Safety ManagementSecurity-Relevant Logging and TracingPublicPublic

Public


reserved.

12 Security-Relevant Logging and Tracing

SAP EHS Management uses all logging and tracing functionality provided by the SAP NetWeaver AS ABAP and ASJava. Refer to the NetWeaver Security Audit and Logging documentation at http://help.sap.com SAPNetWeaver SAP NetWeaver 7.0 (2004s) SAP NetWeaver 7.0 Library (Including Enhancement Package 2) SAP NetWeaver Library Administrator’s Guide SAP NetWeaver Security Guide Auditing and Logging.

The inbound e-mail process logs the data in the application log. For more information about the object andsubobject, see Customizing for SAP EHS Management under Incident Management Print Forms and InteractiveForms Define Inbound Processing for E-Mails.

For more information about the logging of health data, see 8.1.2

52


SAP Environment, Health, and Safety ManagementServices for Security Lifecycle Management

13 Services for Security LifecycleManagement

The following services are available from Active Global Support to assist you in maintaining security in your SAPsystems on an ongoing basis.

13.1 Security Chapter in the EarlyWatch Alert (EWA) Report

This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you:

Whether SAP Security Notes have been identified as missing on your system.

In this case, analyze and implement the identified SAP Notes if possible. If you cannot implement the SAPNotes, the report should be able to help you decide on how to handle the individual cases.

Whether an accumulation of critical basis authorizations has been identified.

In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not,correct the situation. If you consider the situation okay, you should still check for any significant changescompared to former EWA reports.

Whether standard users with default passwords have been identified on your system.

In this case, change the corresponding passwords to non-default values.

13.2 Security Optimization Service (SOS)

The Security Optimization Service can be used for a more thorough security analysis of your system, including:

Critical authorizations in detail

Security-relevant configuration parameters

Critical users

Missing security patches

This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-siteservice. We recommend you use it regularly (for example, once a year) and in particular after significant systemchanges or in preparation for a system audit.

13.3 Security Configuration Validation

The Security Configuration Validation can be used to continuously monitor a system landscape for compliancewith predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers

SAP Environment, Health, and Safety ManagementServices for Security Lifecycle ManagementPublicPublic

Public


reserved.

configuration parameters, but it also covers critical security properties like the existence of a non-trivial Gatewayconfiguration or making sure standard users do not have default passwords.

13.4 Security in the RunSAP Methodology / Secure OperationsStandard

With the E2E Solution Operations Standard Security service, a best practice recommendation is available on howto operate SAP systems and landscapes in a secure manner. It guides you through the most important securityoperation areas and links to detailed security information from SAP’s knowledge base wherever appropriate.

13.5 More Information

For more information about these services, see:

EarlyWatch Alert: http://service.sap.com/ewa

Security Optimization Service / Security Notes Report: http://service.sap.com/sos

Comprehensive list of Security Notes: http://service.sap.com/securitynotes

Configuration Validation: http://service.sap.com/changecontrol

RunSAP Roadmap, including the Security and the Secure Operations Standard:http://service.sap.com/runsap (See the RunSAP chapters 2.6.3, 3.6.3 and 5.6.3)

http://service.sap.com/ewa

http://service.sap.com/sos


http://service.sap.com/changecontrol

http://service.sap.com/runsap

www.sap.com/contactsap

Copyright

© 2014 SAP SE or an SAP affiliate company.All rights reserved.

No part of this publication may bereproduced or transmitted in any form or forany purpose without the express permissionof SAP SE. The information contained hereinmay be changed without prior notice.

Some software products marketed by SAPSE and its distributors contain proprietarysoftware components of other softwarevendors.

National product specifications may vary.

These materials are provided by SAP SE andits affiliated companies (“SAP Group”) forinformational purposes only, withoutrepresentation or warranty of any kind, andSAP Group shall not be liable for errors oromissions with respect to the materials. Theonly warranties for SAP Group products andservices are those that are set forth in theexpress warranty statements accompanyingsuch products and services, if any. Nothingherein should be construed as constitutingan additional warranty.

SAP and other SAP products and servicesmentioned herein as well as their respectivelogos are trademarks or registeredtrademarks of SAP SE in Germany and othercountries. Please seewww.sap.com/corporate-en/legal/copyright/index.epx#trademark foradditional trademark information andnotices.

http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark

http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark