sap environment, health, and safety management
TRANSCRIPT
Security GuideSAP Environment, Health, and Safety ManagementDocument Version: 1.2 – 2014-10-01
PUBLIC
SAP Environment, Health, and Safety ManagementComponent Extension 5.0 for SAP EHS Management
2
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementDocument History
Document History
Disclaimer
SAP – Important Disclaimers
SAP Library document classification: PUBLIC
This document is for informational purposes only. Its content is subject to change without notice, and SAP doesnot warrant that it is error-free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OFMERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples andare not intended to be used in a productive system environment. The Code is only intended to better explain and
Version Date Change
1.0 2014-05-12 First published version
1.1 2014-08-28 Adapted to release restrictions
1.2 2014-10-1 Changes for feature package 1:
- Chapter 5.3.1.2: Following roles added:
-- SAP_EHSM_HSS_HSMGRCORP
-- SAP_EHSM_HSS_SMPLTECH
- Chapter 5.4: Following authorization objects with following values added:
-- S_PB_CHIP
--- X-SAP-WDY-CHIP: EHFND_UI_CHM_OVP_ALOC_VB_CHIP
--- X-SAP-WDY-CHIP: EHFND_UI_CHM_OVP_APPR_LOC_CHIP
--- X-SAP-WDY-CHIP: EHFND_UI_CHM_SAFETY_INSTR_CHIP
--- X-SAP-WDY-CHIP:EHHSSUCWCHP_SPLCP
--- X-SAP-WDY-CHIP: EHHSSUCWCHP_SPLCP_HEATMAP
--- X-SAP-WDY-CHIP: EHHSSUCWCHP_SPLPH
-- S_PB_PAGE
--- EHHSS_HSMGRCORP_HOMEPAGE
--- EHHSS_SMPLTECH_HOMEPAGE
- Chapter 5.4.1.3: Following authorization objects changed or added:
-- EHHSS_CHA renamed to EHFND_CHA
-- EHFND_SPL (Sample Management) and EHFND_SPLM (Sampling Method)added
SAP Environment, Health, and Safety ManagementDocument History
Public© 2014 SAP SE or an SAP affiliate company. All
rights reserved. 3
visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completenessof the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code,except if such damages were caused by SAP intentionally or grossly negligent.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hintwhere to find supplementary documentation. SAP does not warrant the availability and correctness of suchsupplementary documentation or the ability to serve for a particular purpose. SAP shall not be liable for anydamages caused by the use of such documentation unless such damages have been caused by SAP's grossnegligence or willful misconduct
Accessibility
The information contained in the SAP Library documentation represents SAP's current view of accessibilitycriteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensureaccessibility of software products. SAP specifically disclaims any liability with respect to this document and nocontractual obligations or commitments are formed either directly or indirectly by this document
4
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementTable of Contents
Table of Contents
1 Introduction.............................................................................................................................................. 61.1 Target Audience .......................................................................................................................................................61.2 Why is Security Necessary? .................................................................................................................................... 71.3 About this Document ............................................................................................................................................... 71.4 Overview of the Main Sections................................................................................................................................ 7
2 Before You Start .................................................................................................................................... 102.1 Fundamental Security Guides .............................................................................................................................. 102.2 Fundamental Security Guides .............................................................................................................................. 102.3 Important SAP Notes............................................................................................................................................. 10
3 Technical System Landscape ................................................................................................................ 12
4 User Administration and Authentication .............................................................................................. 144.1 User Management ................................................................................................................................................. 14
4.1.1 User Administration and User Management Tools ............................................................................ 144.1.2 User Types ............................................................................................................................................. 154.1.3 Standard Users ...................................................................................................................................... 15
4.2 User Data Synchronization ................................................................................................................................... 174.3 Integration into Single Sign-On Environments .................................................................................................... 17
5 Authorizations ........................................................................................................................................ 185.1 Role and Authorization Concept for SAP EHS Management ............................................................................. 185.2 Authorizations for RFC Calls ................................................................................................................................. 185.3 Standard Roles ....................................................................................................................................................... 18
5.3.1 Scenario Health and Safety ................................................................................................................. 205.3.2 Scenario Product Compliance ............................................................................................................ 22
5.4 Standard Authorization Objects .......................................................................................................................... 245.4.1 Scenario Health and Safety ................................................................................................................. 285.4.2 Scenario Product Compliance ............................................................................................................ 35
5.5 Critical Combinations ............................................................................................................................................375.6 Portal Permissions .................................................................................................................................................375.7 Creating Custom Roles......................................................................................................................................... 38
6 Session Security Protection ..................................................................................................................396.1 Session Security Protection on the AS ABAP .................................................................................................... 396.2 Session Security Protection on the AS Java ...................................................................................................... 39
7 Network and Communication Security ................................................................................................ 407.1 Communication Channel Security ...................................................................................................................... 40
7.1.1 Secure Offline Communication with SAP Interactive Forms by Adobe .......................................... 427.2 Network Security .................................................................................................................................................. 427.3 Ports ....................................................................................................................................................................... 437.4 Communication Destinations .............................................................................................................................. 43
SAP Environment, Health, and Safety ManagementTable of Contents
Public© 2014 SAP SE or an SAP affiliate company. All
rights reserved. 5
8 Data Storage Security .......................................................................................................................... 448.1 Person-Related Information ................................................................................................................................ 44
8.1.1 Summary of Tables Containing Person-Related Data ...................................................................... 448.1.2 Logging Access to Person-Related Data .............................................................................................47
9 Security for Additional Applications ................................................................................................... 48
10 Dispensable Functions with Impacts on Security ............................................................................... 49
11 Other Security-Relevant Information .................................................................................................. 5011.1 SAP NetWeaver Business Client as User Front End .......................................................................................... 5011.2 Documents (including Virus Scanner) ................................................................................................................ 5011.3 Forms and E-Mails Containing Java Script ......................................................................................................... 50
12 Security-Relevant Logging and Tracing ............................................................................................... 51
13 Services for Security Lifecycle Management ....................................................................................... 5213.1 Security Chapter in the EarlyWatch Alert (EWA) Report .................................................................................. 5213.2 Security Optimization Service (SOS) .................................................................................................................. 5213.3 Security Configuration Validation ....................................................................................................................... 5213.4 Security in the RunSAP Methodology / Secure Operations Standard ............................................................ 5313.5 More Information .................................................................................................................................................. 53
6
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementIntroduction
1 Introduction
CautionThis guide does not replace the administration or operation guides that are available for productiveoperations.
1.1 Target Audience
Technology consultants
Security consultants
System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical OperationManuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereasthe Security Guides provide information that is relevant for all life cycle phases.
You can find the guides for SAP EHS Management as specified in the table below:
Overview of Guides for SAP EHS Management
Guide Definition Link
SAP EHS ManagementMaster Guide
The central starting point for the technicalimplementation of the SAP EHSManagement add-on. Get an overview ofSAP EHS Management, its software units,system landscapes, and find importantSAP Notes.
http://service.sap.com/instguides SAP Business Suite Applications SAP EHS Management
Component Extension for SAP EHSManagement Release 4.0
SAP EHS ManagementOperations Guide
Information for technical and solutionconsultants as well as support specialistsand system administrators aboutmanaging and maintaining your SAPapplications to run optimally.
SAP EHS ManagementSizing Guide
Information for system administrators,technical project managers, andconsultants about sizing, calculation ofhardware requirements, such as CPU, diskand memory resource.
SAP Environment, Health, and Safety ManagementIntroductionPublicPublic
Public
7© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
1.2 Why is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands onsecurity are also on the rise. When using a distributed system, you need to be sure that your data and processessupport your business needs without allowing unauthorized access to critical information. User errors,negligence, or attempted manipulation of your system should not result in loss of information or processing time.These demands on security apply likewise to component extension 4.0 for SAP Environment, Health, and SafetyManagement (SAP EHS Management). To assist you in securing SAP EHS Management, we provide this SecurityGuide.
Data protection is very important in the following examples:
In incident management, you have critical person-related information regarding absences or injuries.
In risk assessment, personal data about the risk assessment lead and the other persons involved in a riskassessment are displayed.
Component extension 4.0 for SAP EHS Management assumes that agreements for storage of personal data arecovered in individual work contracts. This also applies to notifications on initial data storage.
ExampleSeveral business processes within SAP EHS Management use SAP Business Workflow and e-mailinbound and outbound processing. It is not recommended that you grant the corresponding system users(such as WF_BATCH for Workflow System or SAPCONNECT for e-mail inbound processing) allauthorizations of the system (SAP_ALL). In addition, this document describes the required authorizationsand configuration for supporting business processes using SAP Business Workflow and the e-mailinbound and outbound scenario within the SAP EHS Management solution.
1.3 About this Document
The Security Guide provides an overview of the security-relevant information that applies to SAP EHSManagement.
1.4 Overview of the Main Sections
The Security Guide comprises the following main sections:
Before You Start
This section contains information about why security is necessary, how to use this document, and referencesto other Security Guides that build the foundation for this Security Guide.
Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by SAPEHS Management.
Security Aspects of Data, Data Flow and Processes
This section provides an overview of security aspects involved throughout the most widely-used processes withinSAP EHS Management.
8
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementIntroduction
User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
o Recommended tools to use for user management
o User types that are required by SAP EHS Management
o Standard users that are delivered with SAP EHS Management
o Overview of the user synchronization strategy, if several components or products are involved
o Overview of how integration into Single Sign-On environments is possible
Authorizations
This section provides an overview of the authorization concept that applies to SAP EHS Management.
Session Security Protection
This section provides information about activating secure session management, which prevents JavaScript orplug-ins from accessing the SAP logon ticket or security session cookie(s).
Network and Communication Security
This section provides an overview of the communication paths used by SAP EHS Management and thesecurity mechanisms that apply. It also includes our recommendations for the network topology to restrictaccess at the network level.
Internet Communication Framework Security
This section provides an overview of the Internet Communication Framework (ICF) services that are used bySAP EHS Management.
Application-Specific Virus Scan Profile (ABAP)
This section provides an overview of the behavior of the AS ABAP when application-specific virus scan profilesare activated.
Data Storage Security
This section provides an overview of any critical data that is used by SAP EHS Management and the securitymechanisms that apply.
Data Protection
This section provides information about how SAP EHS Management protects personal or sensitive data.
Security for Third-Party or Additional Applications
This section provides security information that applies to third-party or additional applications that are usedwith SAP EHS Management.
Dispensable Functions with Impacts on Security
This section provides an overview of functions that have impacts on security and can be disabled or removedfrom the system.
Enterprise Services Security
This section provides an overview of the security aspects that apply to the enterprise services delivered withSAP EHS Management.
Other Security-Relevant Information
This section contains information about:
o SAP NetWeaver Business Client as a user front end
o Interactive forms
o E-mails with PDF attachments
o Documents (including virus scanner)
SAP Environment, Health, and Safety ManagementIntroductionPublicPublic
Public
9© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
Security-Relevant Logging and Tracing
This section provides an overview of the trace and log files that contain security-relevant information, forexample, so you can reproduce activities if a security breach does occur.
Services for Security Lifecycle Management
This section provides an overview of services provided by Active Global Support that are available to assistyou in maintaining security in your SAP systems on an ongoing basis.
Appendix
This section provides references to further information.
10
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementBefore You Start
2 Before You Start
2.1 Fundamental Security Guides
SAP EHS Management is built from the following components:
o SAP NetWeaver
o SAP Portal
o SAP BI
o SAP Embedded Search (SAP NetWeaver Enterprise Search)
o SAP BusinessObjects
o SAP Interactive Forms
Therefore, the corresponding Security Guides also apply to the SAP EHS Management. Pay particular attention tothe most relevant sections or specific restrictions as indicated in the table below.
2.2 Fundamental Security Guides
Scenario, Application or Component Security Guide
SAP NetWeaver 7.0 Security Guides (Complete)
SAP NetWeaver Business Client
SAP NetWeaver Portal Security Guides
SAP Basis / Web AS Security Guides
SAP Business Connector Security Guide
SAP NetWeaver Business Warehouse Security Guides
SAP BusinessObjects (formerly, SAP Business User)
SAP Interactive Forms solution Security Guides
SAP NetWeaver Enterprise Search 7.2.Security Guide
For a complete list of the available SAP Security Guides, see SAP Service Marketplace athttp://service.sap.com/securityguide.
2.3 Important SAP Notes
The most important SAP Notes that apply to the security of SAP EHS Management are shown in the table below.
SAP Environment, Health, and Safety ManagementBefore You StartPublicPublic
Public
11© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
Title SAP Note Comment
128447 Trusted/Trusting Systems
510007 Setting up SSL on the WebApplication Server ABAP
517484 Inactive Services in the InternetCommunication Framework
1367252 SAP NetWeaver EnterpriseSearch 7.2: Security Guide.
1590784 EHSM: Necessary changes in theAttachment Folder Customizing
For a list of additional security-relevant SAP Hot News and SAP Notes, see also SAP Service Marketplace athttp://service.sap.com/securitynotes.
For more information about specific topics, see the Quick Links as shown in the table below.
Content Quick Link on SAP Service Marketplace or SCN
Security http://scn.sap.com/community/security
Security Guides http://service.sap.com/securityguide
Related SAP Notes http://service.sap.com/notes
http://service.sap.com/securitynotes
Released platforms http://service.sap.com/pam
Network security http://service.sap.com/securityguide
SAP Solution Manager http://service.sap.com/solutionmanager
SAP NetWeaver http://scn.sap.com/community/netweaver
12
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementTechnical System Landscape
3 Technical System Landscape
The figure below shows an overview of the technical system landscape for SAP EHS Management.
For more information about the technical system landscape of SAP EHS Management, as well as integratedsystems, see the SAP EHS Management Master Guide at http://service.sap.com/instguides SAP BusinessSuite Applications SAP EHS Management Component Extension for SAP EHS Management Release 5.0.
Figure 1: 'Process Integration System Overview' depicts which functional modules are integrated into SAP EHSManagement processes and can reside on separate systems. The systems can be connected via RFC.
We assume that the central system for master data will provide the initial setup of Customizing and master datafor SAP EHS Management via Customizing transports and ALE replication (such as material master and plants).
Figure 1: Process Integration System Overview
For these RFC calls, we recommend you distribute the SAP EHS Management users to the other systems asneeded to read HR data, for example, and to enable Single Sign-On (SSO) for those users.
For more information about the technical system landscape, see the resources listed in the table below.
SAP Environment, Health, and Safety ManagementTechnical System LandscapePublicPublic
Public
13© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
Topic Guide/Tool Quick Link on SAP Service Marketplace orSCN
Technical description for SAPEHS Management
and the underlying componentssuch as SAP NetWeaver
Master Guide http://service.sap.com/instguides
High availability See applicable documents http://scn.sap.com/docs/DOC-7848
Technical landscape design See applicable documents http://scn.sap.com/docs/DOC-8140
Security See applicable documents http://scn.sap.com/community/security
14
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementUser Administration and Authentication
4 User Administration and Authentication
SAP EHS Management uses the user management and authentication mechanisms provided with the SAPNetWeaver platform, in particular the SAP NetWeaver Application Server ABAP and Java. Therefore, the securityrecommendations and guidelines for user administration and authentication as described in the SAP NetWeaverApplication Server ABAP Security Guide [SAP Library] and SAP NetWeaver Application Server Java SecurityGuide [SAP Library] also apply to SAP EHS Management.
In addition to these guidelines, we include information about user administration and authentication thatspecifically applies to SAP EHS Management in the following topics:
User Management [Page 14]
This topic lists the tools to use for user management, the types of users required, and the standard users thatare delivered with SAP EHS Management.
User Data Synchronization [Page 17]
SAP EHS Management shares user data with
o SAP EHS Management system
o Portal system
o BI system
o Other ERP systems (HR, PM, QM, and CS)
This topic describes how the user data is synchronized with these other sources.
Integration into Single Sign-On Environments [Page 17]
This topic describes how SAP EHS Management supports Single Sign-On mechanisms.
4.1 User Management
User management for SAP EHS Management uses the mechanisms provided with the SAP NetWeaverApplication Server ABAP and Java, for example, tools, user types, and password policies. For an overview of howthese mechanisms apply for SAP EHS Management, see the sections below. In addition, we provide a list of thestandard users required for operating SAP EHS Management.
4.1.1 User Administration and User Management Tools
The table below shows the tools to use for user management and user administration with SAP EHS Management.
Tool Detailed Description
User and role maintenance withSAP NetWeaver AS ABAP
For more information, see Users and Roles (BC-SEC-USR) atHelp.SAP.com.
SAP Environment, Health, and Safety ManagementUser Administration and AuthenticationPublicPublic
Public
15© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
Tool Detailed Description
(transactions SU01 and PFCG)
User Management Engine withSAP NetWeaver AS Java
For more information, see User Management Engine at Help.SAP.com..
Central User Administration (CUA) Use the CUA to centrally maintain users for the various systems used bySAP EHS Management.
User Management Engine (UME)administration console
Use the Web-based UME administration console to maintain the portalrole assignments to the user of the SAP EHS Management.
Set user for Enterprise Searchdata extraction (reportESH_EX_SET_EXTRACTION_USER
Embedded Search extraction user and extraction roles have to be set upwith this report
Manage analysis authorizations(transaction RSECADMIN)
Provides all necessary tools to maintain analysis authorizations
4.1.2 User Types
It is often necessary to specify different security policies for different types of users. For example, your policy mayspecify that individual users who perform tasks interactively have to change their passwords on a regular basis,but not those users under which background processing jobs run.
The user types that are required for SAP EHS Management include:
Individual users:
o Dialog users are used for the dialog processing and for the RFC connection to the Adobe DocumentService (ADS), for example. (Used for SAP GUI for Windows or RFC connections.)
o Communication users are used for e-mail inbound processing (such as SAPCONNECT).
o Background users are used for Embedded Search extraction, BI extraction and the SAP BusinessWorkflow Engine (such as WF-BATCH).
For more information about these user types, see User Types at Help.SAP.com in the SAP NetWeaver AS ABAPSecurity Guide.
4.1.3 Standard Users
The table below shows the standard users that are necessary for operating SAP EHS Management.
Standard Users
System User ID Type Password Description
SAP EHSManagement ERPSystem
BusinessProcessingUser
Dialog User To be entered Business User of SAP EHSManagement
16
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementUser Administration and Authentication
System User ID Type Password Description
SAP EHSManagementPortal System
BusinessProcessingUser
Dialog User To be entered Business User of SAP EHSManagement mapped to theBusiness Processing User in SAPEHS Management ERP System
SAP EHSManagement BISystem
BusinessProcessingUser forReportingfunctionality
Dialog User To be entered Business User of SAP EHSManagement mapped to theBusiness Processing User in SAPEHS Management ERP System
SAP EHSManagement ERPSystem
E-mail InboundProcessinguser
Communicationuser
Not needed User to process the incoming e-mails of SAP EHS Management
SAP EHSManagement ERPSystem
BI ExtractorUser
Backgrounduser
Not needed User for the BI extraction of SAPEHS Management data
SAP EHSManagement ERPSystem
EmbeddedSearchExtractor User
Backgrounduser
Not needed User for the Embedded Searchextraction will be created via reportESH_EX_SET_
EXTRACTION_USER
SAP EHSManagement ERPSystem
WorkflowEngine batchuser
Backgrounduser
Not needed User for the backgroundprocessing of workflows in SAPEHS Management
SAP EHSManagement ERPSystem
PRC WorklistGenerationUser
Backgrounduser
Not needed User for the backgroundprocessing of product complianceworklists
SAP EHSManagement ERPSystem
PRCAutomatedChangeProcessingUser
Backgrounduser
Not needed User for the backgroundautomated processing ofcompliance data changes in theproduct compliance area
SAP EHSManagement ERPSystem
PRC SupplierChangeMonitor
Backgrounduser
Not needed User for the backgroundmonitoring of changes in supplierto material assignment
You need to create the users after the installation.
Recommendation
Users are not automatically created during installation. In consequence there is no requirement to changetheir user IDs and passwords after the installation.
SAP Environment, Health, and Safety ManagementUser Administration and AuthenticationPublicPublic
Public
17© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
4.2 User Data Synchronization
To avoid administrative effort, you can employ user data synchronization in your system landscape.
Since SAP EHS Management is based on SAP NetWeaver, all the mechanisms for user data synchronization ofSAP NetWeaver are available for SAP EHS Management.
4.3 Integration into Single Sign-On Environments
SAP EHS Management supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore,the security recommendations and guidelines for user administration and authentication as described in the SAPNetWeaver Security Guide at Help.SAP.com also apply to SAP EHS Management.
The most widely-used supported mechanisms are listed below:
Secure Network Communications (SNC)
SNC is available for user authentication and provides an SSO environment when using the SAP GUI forWindows or Remote Function Calls.
SAP logon tickets
SAP EHS Management supports the use of logon tickets for SSO when using a Web browser as the front-endclient. In this case, users can be issued a logon ticket after they have authenticated themselves with the initialSAP system. The ticket can then be submitted to other systems (SAP or external systems) as anauthentication token. The user does not need to enter a user ID or password for authentication, but canaccess the system directly after the system has checked the logon ticket.
Client certificates
As an alternative to user authentication with a user ID and passwords, users using a Web browser as a front-end client can also provide X.509 client certificates to use for authentication. In this case, user authenticationis performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwordshave to be transferred. User authorizations are valid in accordance with the authorization concept in the SAPsystem.
For more information about the available authentication mechanisms, see User Authentication and Single Sign-On at Help.SAP.com in the SAP NetWeaver Library.
18
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementAuthorizations
5 Authorizations
5.1 Role and Authorization Concept for SAP EHS Management
SAP EHS Management uses the authorization concept provided by the SAP NetWeaver AS ABAP or AS Java.Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver ASSecurity Guide ABAP and SAP NetWeaver AS Security Guide Java also apply to SAP EHS Management.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For rolemaintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’suser administration console on the AS Java.
NoteFor more information about how to create roles, see Role Administration [SAP Library].
5.2 Authorizations for RFC Calls
In SAP EHS Management, multiple BAPIs and RFC-enabled function modules are used to create, update, and readthe data of other SAP applications from (optional) other ERP systems. Thus, the authorization for using theseBAPIs and function modules (via Web Dynpro, for example), should be restricted to users who are intended tohave these authorizations and corresponding access to the data. For more information about creating roles andthe authorization concept, see "AS ABAP Authorization Concept" in http://help.sap.com SAP NetWeaver 7.4.
5.3 Standard Roles
The table below shows the standard roles that are used by SAP EHS Management.
SAP EHS Management delivers simultaneous end user roles for the ERP system and the portal system tosynchronize the menu structures for end users, regardless of whether the user has decided to use a Web browseror NetWeaver Business Client (NWBC) as a front end.
Assigning the portal role to an end user does not add any authorizations to the user. You should also assign thecorresponding PFCG role to the user in the ERP system to add the authorizations.
The following standard roles support the processes of SAP EHS Management. Technically, the services of theseroles are of the following types: Web Dynpro ABAP, Power Object Worklist (POWL), Report Launchpad, BI queries,BI dashboards based on Adobe Flash Player and transactions. Unless shown in the table below, the roles aredelivered without authorization profiles. The authorization profiles are then generated from these roles.
SAP Environment, Health, and Safety ManagementAuthorizationsPublicPublic
Public
19© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
Standard Roles
Role Description
SAP_EHSM_MASTER Master PFCG role for all incident management, risk assessment andproduct safety and stewardship functionality. This role is intended foruse as a copy template for the menu structures of the end user rolesthat are currently assigned.
SAP_EHSM_PROCESS_ADMIM
Process Administrator
End user role for the person who is technically responsible for theworkflow-based processes of EHS Management. This role assigns themenu structure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.
This role can receive workflow items. These work items are displayedbased on the UWL configuration in the portal. An iView of the portal roleis opened via Object Based Navigation for processing the workflow item.
SAP_EHSM_HSS_BW_ANALYTICS
BI Content Analyst for HSS
End user role for the person who analyzes incidents and riskassessments, as well as the executed processes. This role contains thenavigation point Analytical Reports that includes the report launchpadfor the health and safety work area with access to all dashboards andqueries.
For this role, a SAP Business Warehouse (BW) system with BI Contentfor SAP EHS Management must be installed.
SAP_EHSM_FND_WF_BI_EXTR System user role for the extraction of BI data. This role contains theauthorization profiles needed to extract the workflow data for workflowreporting in BI.
SAP_EHSM_FND_WF_PERMISSION System user role for the Workflow Engine. This role contains theadditional authorization profiles needed to process the workflows in thebackground.
The users who process the workflows in the background should, inaddition to the SAP_EHSM_FND_WF_PERMISSION role, be assigned theSAP_BC_BMT_WFM_SERV_USER role.
For processing incident management workflows, the users should alsoreceive the same authorizations as theSAP_EHSM_HSS_INCIDENT_MANAGER role.
For processing risk assessment workflows, the users should also receivethe same authorizations as the SAP_EHSM_HSS_ENVMGR,SAP_EHSM_HSS_HYGIENIST, and SAP_EHSM_HSS_SAFEMGR.
For processing product compliance workflows, the users should alsoreceive the same authorizations as the rolesSAP_EHSM_PRC_COMPL_ENG, SAP_EHSM_PRC_COMPONENT_ENG,and SAP_EHSM_PRC_BASMAT_SPEC.
SAP_EHSM_HSS_EML_REC System user role for the e-mail recipient. This role contains theauthorization profiles needed to receive and process e-mails.
SAP_EHSM_FND_MIGRATION End user role for the migration. You use this role to access the LegacySystem Migration Workbench. Depending on the content you want tomigrate, you still need to configure and assign the corresponding
20
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementAuthorizations
Role Description
business role (including the profiles).
For example, to access the incident business object and migrate theincident content, you also need theSAP_EHSM_HSS_INCIDENT_MANAGER role assigned (along with thecorresponding profiles).
NoteRestrict Data Access in Analytical Reports
In order to restrict access to data for users who execute analytical reports (BI Content), proceed asfollows:
Flag the necessary InfoObjects as being authorization–relevant.
Adjust the queries.
Define the necessary analysis authorizations.
Assign the authorizations to users. For more information, see the Security Guide for SAP NetWeaver BI.
5.3.1 Scenario Health and Safety
5.3.1.1 Standard Roles for Managing Incidents
The roles under 6.4 and the roles in the table below are relevant for incident management.
Role PFCG/Portal Description
SAP_EHSM_HSS_INCIDENT_MANAGER /
Incident Manager
End user role for the incident manager. This role assigns the menustructure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.
This role can receive workflow items. These work items are displayedbased on the UWL configuration in the portal. An iView of the portal role isopened via object-based navigation for processing the workflow item.
SAP_EHSM_HSS_INCIDENT_REPORTER /
Incident Reporter
End user role for the incident reporter. This role assigns the menustructure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.
SAP_EHSM_HSS_INCIDENT_NOTIFIED /
Incident Notified
End user role for a person who is notified during the processing of anincident. This role assigns the menu structure in NWBC and portal to theend user and the necessary authorizations in the ERP system.
This role can receive workflow items. These work items are displayedbased on the UWL configuration in the portal. An iView of the portal role isopened via object-based navigation for processing the workflow item.
SAP_EHSM_HSS_INCIDENT_ES System user role for the Embedded Search extraction. This role contains
SAP Environment, Health, and Safety ManagementAuthorizationsPublicPublic
Public
21© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
Role PFCG/Portal Description
H_EXTR the authorization profiles needed to extract the BO incident for theEmbedded Search.
SAP_EHSM_HSS_INCIDENT_BI_EXTR
System user role for the BI extraction. This role contains the authorizationprofiles needed to extract the BO incident for incident reporting in BI.
5.3.1.2 Standard Roles for Managing EHS Risks
The roles under 6.4 and the roles in the table below are relevant for risk assessment.
Role PFCG/Portal Description
SAP_EHSM_HSS_ENVMGR End user role for the environmental manager. This role assigns the menustructure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.
SAP_EHSM_HSS_HYGIENIST End user role for the industrial hygienist. This role assigns the menustructure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.
SAP_EHSM_HSS_SAFEMGR End user role for the safety manager. This role assigns the menu structurein NWBC and portal to the end user and the necessary authorizations in theERP system.
SAP_EHSM_HSS_LINEMGR End user role for the line manager. This role assigns the menu structure inNWBC and portal to the end user and the necessary authorizations in theERP system.
SAP_EHSM_HSS_RAS_BI_EXTR System user role for the BI extraction. This role contains the authorizationprofiles needed to extract the risk assessment data for risk assessmentreporting in BI.
SAP_EHSM_HSS_HSMGRCORP End user role for the corporate health and safety manager. This roleassigns the menu structure in NWBC to the end user and the necessaryauthorizations in the ERP system.
SAP_EHSM_HSS_SMPLTECH End user role for the sampling technician. This role assigns the menustructure in NWBC to the end user and the necessary authorizations in theERP system.
5.3.1.3 Standard Roles for Managing Chemicals for Health andSafety Processes
The roles under 6.4 and the roles in the table below are relevant for Chemicals for Health and Safety Processes.
22
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementAuthorizations
Role PFCG/Portal Description
SAP_EHSM_HSS_HAZSUBMGR End user role for the hazardous substance manager. This role assigns themenu structure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.
For further details see role documentation.
SAP_EHSM_HSS_CHEMAPPR End user role for the chemical approver. This role assigns the menustructure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.
For further details see role documentation.
SAP_EHSM_HSS_SDSCLERK End user role for the safety datasheet clerk. This role assigns the menustructure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.
For further details see role documentation.
SAP_EHSM_HSS_CHEMREQ End user role for the chemical requestor. This role assigns the menustructure in NWBC and portal to the end user and the necessaryauthorizations in the ERP system.
For further details see role documentation.
5.3.2 Scenario Product Compliance
5.3.2.1 Standard Roles for Managing Product Compliance
The roles under 6.4 and the roles in the table below are relevant for product compliance.
Role PFCG/Portal Description
SAP_EHSM_ADMINISTRATOR
Administrator
Administrator role for the person who monitors changes in master data forproduct compliance, compliance objects, and the application log. Thisperson also corrects data issues, enters data for customers and suppliers,and manually imports incoming documents either from the front-endsystem or from an application server.
SAP_EHSM_PRC_COMPL_CONSUMER
End user role for the compliance consumer. This role can be adapted foruse as four different sub-roles: purchasing agent, sales and servicesrepresentative, mechanical engineer, and electrical engineer. This user roleis responsible for maintaining awareness of regulations and compliancerequirements and, depending on the purpose, can be responsible formaintaining product knowledge and data, configuring customer orders,scheduling service requests, research, and evaluating product data, ordesigning, testing and analysis of components.
SAP_EHSM_PRC_COMPL_MGR End user role for the compliance manager. This user role monitorscompliance-related programs for product lines, and defines policies and
SAP Environment, Health, and Safety ManagementAuthorizationsPublicPublic
Public
23© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
Role PFCG/Portal Description
procedures for other departments to ensure compliance. The compliancemanager approves the manufacturing processes and equipment that willbe used in production, and supervises design compliance.
SAP_EHSM_PRC_COMPL_ENG End user role for the compliance engineer. This user role monitors dailyoperations that contribute to ensuring compliance. The complianceengineer is responsible for the company compliance data set. He or shemaintains compliance data in cooperation with the engineering teams, andcooperates with the compliance manager for up-to-date information aboutregulations. This role is involved in material-based and component-basedengineering changes and new product reviews.
SAP_EHSM_PRC_COMPONENT_ENG
End user role for the component engineer. This user role selects and workswith electrical or other components to be incorporated into futureproducts, and handles management and documentation of purchasedcomponents. The component engineer approves parts obtained externally,works closely with vendors, and ensures compliance by following theestablished procedures and policies.
SAP_EHSM_PRC_BASMAT_SPEC
End user role for the basic material specialist. This user role is responsiblefor the selection of appropriate materials and surfaces for design parts,and approves their release for use. The basic material specialist decidesthe specific application of materials and surfaces, and maintains thematerial database.
SAP_EHSM_PRC_BW_ANALYTICS
End user role for the person who analyzes product safety and stewardshipassessments, as well as the executed processes. This role contains thenavigation point Analytical Reports that includes the report launchpad forthe product safety and stewardship work area with access to alldashboards and queries.
For this role, a SAP Business Warehouse (BW) system with BI Content forSAP EHS Management must be installed.
SAP_EHSM_PRC_IMDS_BATCH IMDS Batch Job Processor
SAP_EHSM_PRC_AUTO_CHANGE_PROC
System user role for the automated change processing. This role containsthe authorization profiles needed to determine compliance informationthat is affected by a relevant change and executing the worklist of pendingcompliance information.
SAP_EHSM_PRC_REG_CHG_WLIST_PRO
System user role necessary for background processing of PRC RegulatoryChange Worklist Generation (programR_EHPRC_WL_REGCHG_GENERATE) and PRC Regulatory ChangeWorklist Post Processing (programR_EHPRC_WL_REGCHG_POST_PROC).
SAP_EHSM_PRC_SUPPL_CHNG_PROC
This role contains as a suggestion all relevant authorization data necessaryfor background processing of PRC Supplier Change Processing.
Supplier Change Monitor
24
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementAuthorizations
Role PFCG/Portal Description
The program R_EHPRC_PBB_SUPPL_CHNG_MON is executed inbackground processing in order to monitor changes in supplier to materialassignment and to start the workflow 'Decide and Prepare for Assessment'if necessary.
SAP_BCV_USER System user role for the display of Business Context Viewer (BCV). Thisrole contains the authorization profiles and menus needed to display a BCVside panel and the BCV configuration.
SAP_BCV_ADMIN System user role for the administration of Business Context Viewer (BCV).This role contains the authorization profiles and menus needed toadministrate the BCV configuration.
SAP_EHSM_PRC_BI_EXTR System user role for the BI extraction. This role contains the authorizationprofiles needed to extract the compliance data for Product andStewardship reporting in BI.
SAP_EHSM_PRC_EML_REC System user role for the e-mail recipient. This role contains theauthorization profiles needed to receive and process e-mails.
5.4 Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by SAP EHS Management.
Table 2 Standard Authorization Objects
Authorization Object Field Value Description
EHFND_CHDC (ChangeDocument)
ACTVT 03 (Display) Activity
BO_NAME EHFND_LOCATION (Location)
EHHSS_INCIDENT (Incident)
EHHSS_INCIDENT_ACTION (IncidentAction)
EHHSS_RISK_ASSESSMENT (RiskAssessment)
EHHSS_RAS_ACTION (Risk AssessmentAction)
EHHSS_RISK (Risk)
EHHSS_AGENT (Agent)
EHHSS_JOB (Job)
EHFND_DATA_AMOUNT (Amount)
EHFND_DATA_SERIES (Data Series)
EHFND_CHEMICAL (Chemical)
Business ObjectName
EHFND_LOC ACTVT 01 (Create or generate)02 (Change)
Activity
SAP Environment, Health, and Safety ManagementAuthorizationsPublicPublic
Public
25© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
Authorization Object Field Value Description
(Location) 03 (Display)06 (Delete)A3 (Change status)
LOCAUTHGRP LocationAuthorizationGroup
LOCBUSAREA Business Area
LOCCOMP Company Code
LOCCOST Cost Center
LOCPLANT Plant ID
LOCSTATUS 01 (New)02 (Active)03 (Inactive)04 (Historic)
Location Status
LOCTYPE Location Type
EHFND_DCTR
(Default Controls)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
S_PB_CHIP
(Chips for side panel)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)16 (Execute)
Activity
(03 and 16 areneeded fordisplaying theinformation in theside panel)
CHIP_NAME X-SAP-WDY-CHIP:EHFNDWDCHIP_LOC_STRUCT
X-SAP-WDY-CHIP:EHHSSWDCHIP_ASSWRKF_LOC_LIST
X-SAP-WDY-CHIP:EHHSSWDCHIP_INC_LOC_LIST
X-SAP-WDY-CHIP:EHHSSWDCHIP_RSK_LOC_LIST
X-SAP-WDY-CHIP:EHHSSWDCHIP_RSK_LOC
X-SAP-WDY-CHIP:EHHSSUCWCHP_ASSWRKF
X-SAP-WDY-CHIP:EHHSSUCWCHP_INC_LOC
X-SAP-WDY-CHIP:EHHSSUCWCHP_APPRCHEM
Web Dynpro ABAP:CHIP ID
26
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementAuthorizations
Authorization Object Field Value Description
X-SAP-WDY-CHIP:EHFNDUCWCHP_EASYWORKLIST
X-SAP-WDY-CHIP:EHFNDUCWCHP_LAUNCHPAD
X-SAP-WDY-CHIP:FND_UI_CHM_SAFETY_INSTR_CHIP
X-SAP-WDY-CHIP:BSSP_SW_FEEDS
X-SAP-WDY-CHIP:BSSP_SW_ACTIVITIES
X-SAP-WDY-CHIP:BSSP_NOTES
X-SAP-WDY-CHIP:EHFND_UI_CHM_OVP_ALOC_VB_CHIP
X-SAP-WDY-CHIP:EHFND_UI_CHM_OVP_APPR_LOC_CHIP
X-SAP-WDY-CHIP:EHFND_UI_CHM_SAFETY_INSTR_CHIP
X-SAP-WDY-CHIP: EHHSSUCWCHP_SPLCP
X-SAP-WDY-CHIP:EHHSSUCWCHP_SPLCP_HEATMAP
X-SAP-WDY-CHIP: EHHSSUCWCHP_SPLPH
S_PB_PAGE
(Configuration for sidepanel and home pages)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
CONFIG_ID EHFND_LOC_OIF_SIDE_PANEL
EHFND_CHM_SIDE_PANEL
EHHSS_HAZSUBMGR_HOMEPAGE
EHHSS_HYGIENIST_HOMEPAGE
EHHSS_INC_MANAGER _HOMEPAGE
EHHSS_HSMGRCORP_HOMEPAGE
EHHSS_SMPLTECH_HOMEPAGE
ConfigurationIdentification
PERS_SCOPE 0 (No Personalization1 (User))2 (View Handle)4 (All)5 (Configuration)
Web Dynpro:Personalization
EHFND_DTS
(Data Series)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
LOCAUTHGRP LocationAuthorization
SAP Environment, Health, and Safety ManagementAuthorizationsPublicPublic
Public
27© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
Authorization Object Field Value Description
Group
LOCBUSAREA Business Area
LOCCOMP Company Code
LOCPLANT Plant ID
LOCSTATUS 01 (New)02 (Active)03 (Inactive)04 (Historic)
Location Status
LOCTYPE Location Type
EHFND_WFT(Workflow Tools)
ACTVT 16 (Execute) Activity
TCD All transactions of workflow tools Transaction Code
EHFND_WFF (Workflowand Processes)
EHSM_COMP HSS (Health and Safety) Component of EHSManagement
PURPOSE Process Purpose (see Customizing activitySpecify Process Definitions)
Process Purpose
EHSM_PVAR Process Variant (see Customizing activitySpecify Process Definitions)
Name of ProcessVariant
EHSM_PCACT CANCELPROC (Cancel Process) Activity of Task orProcess
EHFND_EXPP
(Export Profile)
ACTVT 01 (Create, Generate) Activity
EHFND_EXPP Configured ExportProfile
EHFND_CHM(Chemical)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
EHFND_REGL(Regulatory ListContent)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
The following table contains authorization objects that are relevant for SAP EHS Management if you integrate thesystem with other SAP components.
Table 1 Authorization Objects for Integration
Authorization Object General Settings Further Information
P_ORGIN
(HR: Master data)
Display authorizations are requiredfor specific infotypes.
See Customizing for SAP EHS Managementunder Foundation for EHS ManagementIntegration Human Resources Integration
Check Authorizations for Person
28
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementAuthorizations
Authorization Object General Settings Further Information
Information
P_ORGXX
(HR: Master data -extended check)
Activation of the check by thisauthorization object is required.P_ORGXX can be used in addition toor instead of the check by theauthorization object HR: MasterData.
P_APPL
(HR: Applicants)
Display authorizations are requiredfor specific infotypes.
B_BUPA_RLT
(Business partner: BProles)
Authorizations are required for thefollowing BP roles:
CBIH10 - External person
HEA010 - Physician
HEA030 - Health center (hospital)
B_BUPA_FDG
(Business partner: fieldgroups)
Special authorization check forindividual field groups in thebusiness partner dialog box.
5.4.1 Scenario Health and Safety
5.4.1.1 Authorization Objects for Managing Incidents
The authorization objects under 6.4 and the authorization objects in the table below are relevant for incidentmanagement.
Table 2 Authorization Objects for Incident Management
AuthorizationObject
Field Value Description
EHHSS_INC1(Incident)
ACCESS_LEV 000 (Basic Information /Standard Data)001 (Person InvolvedAccess)002 (Injury / IllnessAccess)003 (Confidential Access)004 (Date of Birth Access)
Incident Access Level
For more information about creatingand assigning access levels to tabs,see the Customizing activities underSAP EHS Management IncidentManagement General Information
Create Incident Access Levels
Assign Access Levels to Tabs
ACTVT 01 (Create or generate)02 (Change)03 (Display)
Activity
Note that activity Reopen has been
SAP Environment, Health, and Safety ManagementAuthorizationsPublicPublic
Public
29© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
AuthorizationObject
Field Value Description
06 (Delete)C5 (Reopen)
added with version 2.0. If you havealready used this authorizationobject in version 1.0, you may wantto update your roles with thisadditional activity.
INC_CATEG 001 (Incident)002 (Near Miss)003 (Safety Observation)
Incident Category
INC_STATUS ' '00 (Void)01 (New)02 (In Progress)03 (Closed)
04 (Re-opened)
Incident Record Status
ORGUNIT_ID Organizational Unit ID
PLANT_ID Plant ID
EHHSS_INC2(IncidentReport)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
FORM_NAME All forms for reporting Form Name
ORGUNIT_ID Organizational Unit ID
PLANT_ID Plant ID
EHHSS_INC3(IncidentGroup)
ACTVT 02 (Change)
03 (Display)
06 (Delete)
Activity
NM_GROUP EHHSS_NMG_UNS_ACTION(Unsafe action)
EHHSS_NMG_UNS_COND (Unsafecondition)
EHHSS_NMG_UNS_EQU (Unsafeequipment)
EHHSS_NMG_UNS_USE_EQU(Unsafe use of equipment)
Near Miss Group
SO_GROUP EHHSS_SOG_DOC_PROC_NF(Documented procedure notfollowed)
EHHSS_SOG_FAIL_USE_PE(Failure to use personal protective
Safety Observation Group
30
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementAuthorizations
AuthorizationObject
Field Value Description
equipment)
EHHSS_SOG_HORSEPLAY(Horseplay)
EHHSS_SOG_UNS_LIF_CAR(Unsafe lifting or carrying)
EHHSS_SOG_UNS_USE_ETV(Unsafe use of equipment, tool orvehicle)
EHHSS_SOG_UNS_USE_MAT(Unsafe use of material)
EHHSS_SOG_USE_DEF_ETV (Useof defective equipment, tool orvehicle)
EHHSS_SOG_USE_DEF_MAT (Useof defective material)
INC_GROUP EHHSS_IGR_NOT_OF_VIOL(Notice of violation)
EHHSS_IGR_OCC_INC(Injury/illness)
EHHSS_IGR_RELEASE (Release)
Incident Group
INC_NO_GRP 1 (Incident)
2 (Near miss)
3 (Safety observation)
Incident Category
EHHSS_INC5(Incident byLocation)
ACTVT 01 (Create or generate)
02 (Change)
03 (Display)
06 (Delete)
Activity
LOCTYPE Business Unit
Equipment
Production Unit
Site
Work Center
Location Type
LOCSTATUS 01 (New)
02 (Active)
03 (Inactive)
04 (Historic)
Location Status
LOCAUTHGRP Unrestricted Access Location Authorization Group
LOCPLANT Plant ID
SAP Environment, Health, and Safety ManagementAuthorizationsPublicPublic
Public
31© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
AuthorizationObject
Field Value Description
LOCCOST Cost Center
LOCCOMP Company Code
LOCBUSAREA Business Area
LOCCOUNTRY Country
LOCREGION Region
EHHSS_CLR(Allowance toChange Limitsfor AnalyticReports)
ACTVT 16 (Execute) The execute authorization isrequired to be able to maintain limitsfor analytical reporting. Only thoseusers who have this authorizationhave an entry in the reportlaunchpad that allows users tomaintain the limits.
S_TABU_DIS DICBERCL EHMI (Incident)EHMF (Foundation)
Authorization Group
ACTVT Activity
S_PROGRAM P_GROUP EHINCXML (XML reports)
EHFNDPRG (Foundation programauthorization)
EHFNDWFT(Workflow tools)
EHHSSINC (Incidentmanagement)
Authorization group ABAP/4program
P_ACTION SUBMIT User action ABAP/4 program
5.4.1.2 Authorization Objects for Managing EHS Risks
The authorization objects under 6.4 and the authorization objects in the table below are relevant for riskassessment.
Table 3 Authorization Objects for Risk Assessment
AuthorizationObject
Field Value Description
EHHSS_AGT
(Agent)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
EHFND_CTRL
(Control
ACTVT 01 (Create or generate)02 (Change)03 (Display)
Activity
32
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementAuthorizations
AuthorizationObject
Field Value Description
Master Data) 06 (Delete)
EHFND_DSC
(DynamicStatementCreation inControl MasterData)
EHFND_DSCC DSC_MAPPING_021 Dynamic StatementCreation enabled fields
EHHSS_JOB
(Job)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
EHHSS_PEP
(PersonalExposureProfile)
ACTVT 03 (Display) Activity
PERSA Personnel Area
BTRTL Personnel Subarea
EHHSS_RAS
(RiskAssessment,Risks, Controlson Risks andControlInspections)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
A8 (Process mass data)
Activity
RAS_TYPE EHHSS_RAT_ENV (Environment)
EHHSS_RAT_HEA (Health)
EHHSS_RAT_JHA (Job Hazard Analysis)
EHHSS_RAT_SAF (Safety)
Risk Assessment Type
LOCAUTHGRP Location AuthorizationGroup
LOCPLANT Plant ID
LOCCOST Cost Center
LOCCOMP Company Code
LOCBUSAREA Business Area
EHHSS_RASP
(Proposal ofHealthSurveillanceProtocol in RiskAssessment)
ACTVT 01 Create or generate
02 Change
03 Display
06 Delete
Activity
HSP_TYPE Health SurveillanceProtocol Type
EHHSS_HSP
(Health
ACTVT 01 Create or generate
02 Change
Activity
SAP Environment, Health, and Safety ManagementAuthorizationsPublicPublic
Public
33© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
AuthorizationObject
Field Value Description
SurveillanceProtocolMaster Data)
03 Display
06 Delete
HSP_TYPE Health SurveillanceProtocol Type
COUNTRY Country Key
REGIO Region (State, Province,County)
S_TABU_DIS DICBERCL EHMR (Risk Assessment) Authorization Group
S_PROGRAM P_GROUP EHFNDPRG (Foundation programauthorization)
EHFNDWFT (Workflow tools)
EHHSSRAS (Risk Assessment)
Authorization groupABAP/4 program
P_ACTION SUBMIT User action ABAP/4program
5.4.1.3 Authorization Objects for Managing Chemicals for Healthand Safety Processes
The authorization objects under 5.4 and the authorization objects in the table below are relevant for Chemicals forHealth and Safety Processes.
Table 6 Authorization Objects for Chemicals for Health and Safety Processes
AuthorizationObject
Field Value Description
EHFND_CHM
(Chemical)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
EHFND_CHA
(ChemicalApproval)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
EHFND_DCTR
(DefaultControls)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
EHFND_DSC
(Dynamic
EHFND_DSCC DSC_MAPPING_000 EHFND_DSC
(Dynamic Statement
34
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementAuthorizations
AuthorizationObject
Field Value Description
StatementCreation)
DSC_MAPPING_001
DSC_MAPPING_002
DSC_MAPPING_003
DSC_MAPPING_004
DSC_MAPPING_005
DSC_MAPPING_006
DSC_MAPPING_007
DSC_MAPPING_008
DSC_MAPPING_009
DSC_MAPPING_010
DSC_MAPPING_011
DSC_MAPPING_012
DSC_MAPPING_013
DSC_MAPPING_014
DSC_MAPPING_015
DSC_MAPPING_016
DSC_MAPPING_017
DSC_MAPPING_018
DSC_MAPPING_019
DSC_MAPPING_020
DSC_MAPPING_021
Creation)
EHFND_RCH
(RequestChemical)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity(01 and 02 areneeded for using theservice “requestchemical approval”
EHFND_VEN
(Vendor)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
EHHSS_SI
(SafetyInstruction)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
EHFND_SPL ACTVT 03 (Display)16 (Execute)
Activity
SAP Environment, Health, and Safety ManagementAuthorizationsPublicPublic
Public
35© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
AuthorizationObject
Field Value Description
(SampleManagement)
23 (Maintain)
EHSM_COMP Component of EHSManagement
LOCAUTHGRP LocationAuthorization Group
LOCPLANT Plant ID
LOCCOST Cost Center
LOCCOMP Company Code
LOCBUSAREA Business Area
EHFND_SPLM
(SamplingMethod)
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
S_TABU_DIS DICBERCL EHMR (Risk Assessment) Authorization Group
S_PROGRAM P_GROUP EHFNDPRG (Foundation program authorization)
EHFNDWFT (Workflow tools)
EHHSSRAS (Risk Assessment)
Authorization groupABAP/4 program
P_ACTION SUBMIT User action ABAP/4program
5.4.2 Scenario Product Compliance
5.4.2.1 Authorization Objects for Managing Product Compliance
The authorization objects under 6.4 and the authorization objects in the table below are relevant for productcompliance.
Table 7 Authorization Objects for Product Compliance
Authorization Object Field Value Description
EHPRC_CMWL(ComplianceManagement Worklist(CMWL))
ACTVT 01 (Create or generate)02 (Change)03 (Display)06 (Delete)
Activity
WL_CAT REG_CHG (Follow-Up Regulatory Worklist Category
36
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementAuthorizations
Authorization Object Field Value Description
Change)
EHPRC_CPM (RCS:Campaign Usage)
ACTVT 01 (Create or generate)02 (Change)03 (Display)
Activity
EHPRC_OLM1 (RCS:Object List Usage)
ACTVT 01 (Create or generate)02 (Change)03 (Display)
Activity
EHPRC_OLGR See IMG activity Specify Object ListGroups under SAP EHSManagement -> ProductCompliance -> GeneralConfiguration
Object List Group
EHPRC_CDO: RCS:Authorization Objectfor Compliance Object
ACTVT 01 Create or generate
02 Change
03 Display
06 Delete
Activity
REQ ComplianceRequirement (Check)
REV_STATUS Compliance DataRevision Status
CDCATEGORY Compliance DataCategory
S_PB_CHIP(ABAP Page Builder:CHIP)
ACTVT 03 (Display)16 (Execute)
Activity
Needed for displayinginformation on the sidepanel
CHIP_NAME X-SAP-WDY-CHIP:/BCV/CHIP*
X-SAP-WDY-CHIP:EHPRC_CW_BCV_CHIP1
Web Dynpro ABAP:CHIP ID
S_PB_PAGE(ABAP Page Builder:Page Configuration)
ACTVT 03 (Display) Activity
Needed for displayinginformation on the sidepanel
CONFIG_ID /BCV/SIDEPANEL ConfigurationIdentification
PERS_SCOPE 1 (User)) Web Dynpro:Personalization
BCV_SPANEL(Execute Side Panel)
ACTVT 16 (Execute) Activity
Needed for displayinginformation on the side
SAP Environment, Health, and Safety ManagementAuthorizationsPublicPublic
Public
37© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
Authorization Object Field Value Description
panel
BCV_CTXKEY EHPRC_COMPL_DATA Context Key
BCV_USAGE(Business ContextViewer usage)
ACTVT US (Use) Activity
Needed for displayinginformation on the sidepanel
BCV_QRYVW(Query View)
ACTVT 03 (Display) Activity
Needed for displayinginformation on the sidepanel
BCV_CTXKEY EHPRC_COMPL_DATA Context Key
BCV_QRYVID ID of Query View
BCV_QUERY(Query)
ACTVT 03 (Display) Activity
Needed for displayinginformation on the sidepanel
BCV_CTXKEY EHPRC_COMPL_DATA Context Key
BCV_QRY_ID Query ID
BCV_QUILST(Overview)
ACTVT 03 (Display) Activity
Needed for displayinginformation on the sidepanel
BCV_CTXKEY EHPRC_COMPL_DATA Context Key
BCV_QUIKID ID of Overview
5.5 Critical Combinations
The EHFND_WFT authorization object activates buttons in the BI dashboard Process Dashboard that start anobject-based navigation to the workflow tools. The navigation targets are only delivered with the standard roleSAP_EHSM_PROCESS_ADMIN. In consequence, this authorization shall not be assigned to any users apart fromthose who are assigned the SAP_EHS_PROCESS_ADMIN role.
5.6 Portal Permissions
The SAP EHS Management portal users require at least end user read authorization on the following folder in thePortal Content Directory and its subfolders:
38
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementAuthorizations
Business Objects EHS-Management
Portal Content Content Provided by SAP specialist EHS Management
Portal Content Sandbox EHS Management Role Upload
For more details see the topic “Roles” under https://help.sap.com/ehs Component Extension for SAP EHSManagement Component Extension 5.0 for SAP EHS Management Application Help Foundation for EHSManagement Roles
5.7 Creating Custom Roles
The SAP EHS Management roles that are delivered contain specific configuration such as object-based navigation(OBN). In consequence, customizing these roles has a certain level of complexity. Custom roles can easily becreated as follows without losing their specific configuration:
1. Create your custom PFCG role.
2. Copy the menu structure from the SAP_EHSM_MASTER role or the others that are delivered.
3. Generate the authorization profile.
4. Assign the custom role to end users.
For custom portal roles, the following additional steps are required. Either the custom role is uploaded to theportal by using the Role Upload Tool, or a custom portal role is created directly in the portal as follows:
For custom roles created from the SAP_EHSM_MASTER role:
1. Create the custom portal role as a new portal role.
2. Add the “SAP_EHSM_MASTER” work set as a delta link.
3. Remove all delta links to those services which should not be part of the custom portal role.
4. Assign the custom portal role to end users.
SAP Environment, Health, and Safety ManagementSession Security ProtectionPublicPublic
Public
39© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
6 Session Security Protection
To increase security and prevent access to the SAP logon ticket and security session cookie(s), we recommendactivating secure session management.
We also highly recommend using SSL to protect the network communications where these security-relevantcookies are transferred.
6.1 Session Security Protection on the AS ABAP
To activate session security on the AS ABAP, set the corresponding profile parameters and to activate the sessionsecurity for the client(s) using the transaction SICF_SESSIONS.
For more information, a list of the relevant profile parameters, and detailed instructions, see Activating HTTPSecurity Session Management on AS ABAP [SAP Library] in the AS ABAP security documentation.
6.2 Session Security Protection on the AS Java
On the AS Java, set the HTTP Provider properties as described in Session Security Protection [SAP Library].
40
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementNetwork and Communication Security
7 Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support thecommunication necessary for your business needs without allowing unauthorized access. A well-defined networktopology can eliminate many security threats based on software flaws (at both the operating system level andapplication level) or network attacks such as eavesdropping. If users cannot log on to your application or databaseservers at the operating system or database layer, then there is no way for intruders to compromise the machinesand gain access to the backend system’s database or files. Additionally, if users are not able to connect to theserver LAN (local area network), they cannot exploit well-known bugs and security holes in network services onthe server machines.
The network topology for SAP EHS Management is based on the topology used by the SAP NetWeaver platform.Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide alsoapply to SAP EHS Management. Details that specifically apply to SAP EHS Management are described in thefollowing topics:
Communication Channel Security [Page 40]
This topic describes the communication paths and protocols used by SAP EHS Management.
Network Security [Page 42]
This topic describes the recommended network topology for SAP EHS Management. It shows the appropriatenetwork segments for the various client and server components and where to use firewalls for accessprotection. It also includes a list of the ports needed to operate the <scenario, component, application>.
Communication Destinations [Page 43]
This topic describes the information needed for the various communication paths, for example, which usersare used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide:
Network and Communication Security [SAP Library]
Security Guides for Connectivity and Interoperability Technologies [SAP Library]
7.1 Communication Channel Security
The table below shows the communication channels used by SAP EHS Management the protocol used for theconnection and the type of data transferred.
Communication Path Protocol Used Type of Data Transferred Data Requiring SpecialProtection
NetWeaver Business Client toSAP EHS Managementapplication server
RFC PFCG Roles including theirmenu structure
NetWeaver Business Client toSAP EHS Managementapplication server
HTTPS User Interfaces in Web DynproABAP, POWL, ReportLaunchpad
SAP Environment, Health, and Safety ManagementNetwork and Communication SecurityPublicPublic
Public
41© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
Communication Path Protocol Used Type of Data Transferred Data Requiring SpecialProtection
Web Browser to SAP EHSManagement application server
HTTPS User Interfaces in Web DynproABAP, POWL, ReportLaunchpad
Web Browser to SAP EHSManagement application serverif SAP GUI for HTML is used
HTTPS Transactions of SAP EHSManagement Workflow Tools
Frontend client using SAP GUIfor Windows in NetWeaverBusiness Client or Portal toSAP EHS Managementapplication server
DIAG Transactions of SAP EHSManagement Workflow Tools
NetWeaver Business Client toBI System
HTTPS BI queries
Web Browser to BI System HTTPS BI queries
Adobe Flash Player to BIsystem
HTTPS BI dashboards
Forms Processing uses AdobeDocument Service
HTTPS to AdobeDocumentService
XML content of the forms Standard ADS setuprequired
E-mail Inbound Handling SMTP Inbound e-mail with interactiveform as attachment
Standard setup forinbound e-mail
E-mail Outbound Processing(Standard BusinessCommunication Service [BCS]used)
Outbound e-mail withinteractive form as attachment
Standard setup forBCS
RFC Connection to IMDSSystem
RFC IMDS Data, MDS Files, RequestFiles, result Files
SAP Product StewardshipNetwork – integration of an ondemand solution for productcompliance
Web ServiceConsumptionbased on SOAP
Compliance data from SAPProduct Stewardship Network
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connectionsare protected using the Secure Sockets Layer (SSL) protocol. SOAP connections are protected with Web servicessecurity.
Recommendation
We strongly recommend using secure protocols (SSL, SNC) whenever possible.
42
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementNetwork and Communication Security
Caution1. We recommend using the same protocol – either HTTP or HTTPS – consistently in all communication
channels. This means all the deployed objects have to be configured in exactly the same wayregarding HTTP(S) throughout. This is done especially to avoid problems caused by JavaScript-based communication between the single layers.
2. We strongly recommend using the protocol HTTPS instead of HTTP on the communication channelsto protect the transferred data against unauthorized access.
3. We strongly recommend activating Secure Network Communication (SNC) for the non-HTTPcommunication channels to protect the transferred data against unauthorized access.
For more information, see Transport Layer Security at Help.SAP.com and Web Services Security at Help.SAP.comin the SAP NetWeaver Security Guide.
7.1.1 Secure Offline Communication with SAP Interactive Formsby Adobe
The inquiry forms used in incident management can contain sensitive and confidential data. These forms are sentvia e-mail, for example, to an external party (such as a doctor or expert) that is unknown within the system andhas no system account. To protect this data from unauthorized users, encryption becomes necessary. The datato be encrypted is the e-mail text, the PDF data, or both.
If you do not already use an encryption function, you can configure SAPconnect to send e-mails via a secure e-mail gateway application that is capable of encrypting outbound and inbound e-mails. For more information, seeSAP Help Portal for SAP NetWeaver under SAP NetWeaver 7.0 (2004s) SAP NetWeaver LibraryAdministrator’s Guide Technical Operations Manual for SAP NetWeaver Administration of SAP NetWeaverSystems AS ABAP (Application Server for ABAP) Administration SAPconnect Communication Interface.Note that in SAPconnect Communication Interface under More Information, you can find general informationabout SAPconnect.
SAP EHS Management is not delivered with third-party components.
7.2 Network Security
SAP EHS Management is designed to run in the LAN network segment by default. Running SAP EHS Managementin multiple network segments is supported with the options provided by SAP NetWeaver AS ABAP and SAPNetWeaver AS Java.
SAP EHS Management strictly uses the default services and ports of SAP NetWeaver AS ABAP and SAPNetWeaver AS Java for the communication channels. For more information about the services and ports used bySAP NetWeaver, see Network Services [SAP Library] in the SAP NetWeaver Security Guide.
SAP EHS Management requires the Adobe Document Service (ADS) and e-mail processing. There are no furtherrequirements for the default setup.
SAP Environment, Health, and Safety ManagementNetwork and Communication SecurityPublicPublic
Public
43© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
7.3 Ports
SAP EHS Management runs on SAP NetWeaver and uses the ports from the AS ABAP or AS Java. For moreinformation, see the topics for AS ABAP Ports [SAP Library] and AS Java Ports [SAP Library] in thecorresponding SAP NetWeaver Security Guides. For other components, for example, SAPinst, SAProuter, or theSAP Web Dispatcher, see also the document TCP/IP Ports Used by SAP Applications, which is located on SAPDeveloper Network at http://scn.sap.com/community/security under Infrastructure Security Network andCommunications Security.
7.4 Communication Destinations
The table below shows an overview of the communication destinations used by SAP EHS Management.
Connection Destinations
Destination Delivered Type User, Authorizations Description
<HR system> No RFC HR authorizations of all standardSAP EHS Management user roles
Connection to HR client
<PM system> No RFC PM authorizations of all standardSAP EHS Management user roles
Connection to PM client
<CS system> No RFC CS authorizations of all standardSAP EHS Management user roles
Connection to CS client
<QM system> No RFC QM authorizations of all standardSAP EHS Management user roles
Connection to QM client
<BuPa system> No RFC BuPa authorizations of all standardSAP EHS Management user roles
Connection to businesspartner client
<AC system> No RFC AC authorizations of all standardSAP EHS Management user roles
Connection to AC client
<GRC system> No RFC SAP EHS Management does notprovide GRC authorizations
Connection to GRCclient
<MOC system> No RFC
(3, H)
SAP EHS Management does notprovide MOC authorizations
Connection to MOCclient
(ABAP/3- and HTTP/H-Connection)
For more information about GRC authorizations, see the SAP BusinessObjects Governance, Risk, and Compliance(GRC) Security Guide.
For detailed information about communication destinations, see Customizing for SAP EHS Management underFoundation for EHS Management Integration Specify Destinations for Integration.
For communication details, see also the SAP Interactive Forms Solution Security Guides and the standard setupof SAP Business Workflow.
44
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementData Storage Security
8 Data Storage Security
SAP EHS Management does not store any data itself beyond the data that is stored by the infrastructure used onSAP NetWeaver Application Server ABAP and SAP NetWeaver Application Server Java.
The data storage security of SAP NetWeaver and components installed on that base is described in the SAPNetWeaver 7.0 Security Guide.
All business data in SAP EHS Management is stored in the system database. This business data is protected bythe authorization concept of SAP NetWeaver and SAP EHS Management. In some special cases, business-relevant data is stored in another location such as a file system. The special cases are listed below:
Whitelists
Depending on the technology you are using, you may encounter security issues when trying to display links thatare not explicitly added to the whitelist. For more information about defining whitelist entries, see the SAPNetWeaver documentation at help.sap.com SAP NetWeaver Business Client 7 Security Aspects 7.8Whitelist.
XML-Export Interface for Non-BW Analytics
The XML-Export Interface for non-BW Analytics exports XML data to the application server on the following logicaldirectory/file name:
Component Logical Directory/File Name
Incident Management EHHSS_BO_XML_EXPORT_PATH / EHHSS_INCIDENTS_XML
You can set the physical location using transaction FILE. The exported XML file can be downloaded from theapplication server. The directories used for the export on the application server and for the file download need tobe protected against unauthorized third-party access, since the export file may contain person-related orotherwise confidential information.
Knowledge Management
SAP EHS Management uses standard SAP NetWeaver (NetWeaver) technology for uploading and downloadingdocuments (such as Web Dynpro ABAP controls or Internet Communication Framework (ICF) services). Thesedocuments are checked into the defined storage system (content repository) using the Knowledge Provider(KPro).
For more information about security with regards to Knowledge Management, see on the SAP ServiceMarketplace service.sap.com/securityguide SAP Knowledge Management Security Guides.
8.1 Person-Related Information
8.1.1 Summary of Tables Containing Person-Related Data
The report RSCRDOMA summarizes the tables containing person-related data. The following data elementsshould be used as input for the report.
SAP Environment, Health, and Safety ManagementData Storage SecurityPublicPublic
Public
45© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
Data Element Name Short Text
EHHSS_ABS_FROM_PROXY Absence Read From Proxy
EHHSS_ABS_HR_MASTER_DATA_IND Lock Indicator for HR Master Data Absence Record
EHHSS_ABS_INFOTYP_SAME_VAL_IND Absence Infotype Record with Same Key Value
EHHSS_ABS_LOST_SHIFT_MEAS Shifts Lost During Absence
EHHSS_ABS_OBJECT_ID Absence Object ID
EHHSS_ABS_TYPE_CODE Absence Type
EHHSS_BODY_PART_CODE Injured Body Part
EHHSS_BODY_SIDE_CODE Injured Body Side
EHHSS_DEATH_CAU_TYPE_CODE Cause of Death
EHHSS_DEATH_LOC_TYPE_CODE Location of Death
EHHSS_DEATH_TIME_ZONE Time Zone of Death
EHHSS_DUTY_REST_CAL_DAY_MEAS Actual Calendar Days of Restricted Duty
EHHSS_DUTY_REST_END_DATE Actual End Date of Restricted Duty
EHHSS_DUTY_REST_END_EST_DATE Estimated End Date of Restricted Duty
EHHSS_DUTY_REST_JOB_TRANSF_IND Job Transfer
EHHSS_DUTY_REST_PERMANENT_IND Permanent Restricted Duty
EHHSS_DUTY_REST_START_DATE Start Date of Restricted Duty
EHHSS_DUTY_REST_SUBTYPE_CODE Restricted Duty Type
EHHSS_DUTY_REST_TYPE_CODE Category of Restricted Duty
EHHSS_DUTY_REST_WORK_DAY_MEAS Actual Workdays of Restricted Duty
EHHSS_EMERGENCY_ROOM_TS Emergency Room Treatment
EHHSS_FATALITY_TS Fatal Injury / Illness
EHHSS_HRA_PERS_EMAIL E-Mail Address of Human Resources Administrator
EHHSS_INJ_ILL_MAIN_TS Main Injury / Illness
EHHSS_INJ_ILL_PREVIOUS_TS Previous Injury / Illness
EHHSS_INJ_ILL_REGULATOR_REP_TS Reporting of Injury / Illness Required
EHHSS_INPATIENT_24H_TS Inpatient Treatment (More Than 24 Hrs)
EHHSS_INPATIENT_TS Inpatient Treatment Overnight
EHHSS_ORG_DUR_MEAS Duration at Organization
EHHSS_ORG_DUR_UNIT_CODE Unit of Duration at Organization
EHHSS_PER_INJ_EXT_CASE_ID External Case Number
46
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementData Storage Security
Data Element Name Short Text
EHHSS_PER_INJ_INJ_ORG_PROP_TS Injured on Company's Site
EHHSS_PER_INJ_ON_DUTY_TS Person Injured on Duty
EHHSS_PER_INV_ADDR Address of Involved Person
EHHSS_PER_INV_COMP_DESC Company Description of Involved Person
EHHSS_PER_INV_COMP_ORG_UNIT Organizational Unit of Involved Person
EHHSS_PER_INV_EMAIL E-Mail Address of Involved Person
EHHSS_PER_INV_FIRST_NAME First Name of Involved Person
EHHSS_PER_INV_ID Involved Person
EHHSS_PER_INV_LAST_NAME Last Name of Involved Person
EHHSS_PER_INV_NAME Name of Involved Person
EHHSS_PER_INV_POSITION_DESC Description of Involved Person's Position
EHHSS_PER_INV_TELEPHONE_NUMBER Telephone Number of Involved Person
EHHSS_PER_ROLE_CODE Role of Involved Person
EHHSS_PERSONNEL_NUMBER Personnel Number
EHHSS_RESDU_CON_PAY_END_DATE End Date of Absence Continued Payment
EHHSS_RESDU_END_TIME End Time of Absence or Restriction
EHHSS_RESDU_END_TIME_ZONE Time Zone of Absence or Restriction End
EHHSS_RESDU_START_TIME Start Time of Absence or Restriction
EHHSS_RESDU_START_TIME_ZONE Time Zone of Absence or Job Restriction Start
EHHSS_RESUSCITATION_TS Immediate Resuscitation Performed
EHHSS_STANDARD_JOB_TS Performed Regular Job
EHHSS_TI_PO_DUR_MEAS Duration in Position
EHHSS_TI_PO_DUR_UNIT_CODE Unit of Duration in Position
EHHSS_TIDAT_ORG_START_DATE Start Date of Work at Organization
EHHSS_TIDAT_POS_START_DATE Start Date of Work at Current Position
EHHSS_TIDAT_WOC_START_DATE Start Date of Work at Current Work Center
EHHSS_TRAN_FIRST_AID_CODE Transportation to First Aid
EHHSS_TRAN_FURTHER_CODE Transportation to Further Treatment
EHHSS_TREAT_BEYOND_FI_AID_TS Treatment Beyond First Aid
EHHSS_UNCONSCIOUS_TS Unconsciousness
EHHSS_WO_ACTUAL_END_TIME End of Actual Working Time
SAP Environment, Health, and Safety ManagementData Storage SecurityPublicPublic
Public
47© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
Data Element Name Short Text
EHHSS_WO_ACTUAL_START_TIME Start of Actual Working Time
EHHSS_WO_CE_DUR_MEAS Duration at Work Center
EHHSS_WO_CE_DUR_UNIT_CODE Unit of Duration at Work Center
EHHSS_WO_CEASED_TIME_ZONE Time Zone of Ceased Work
8.1.2 Logging Access to Person-Related Data
If you record incidents involving illnesses or injuries, you enter personal health data into the system. Since thisinformation is potentially sensitive and access to this information is in some cases legally regulated (for example,by the legal requirement Ley Orgánicade de protección de Datos in Spain), your organization can log informationabout when the data was accessed and by whom. For more information about logging access to person-relateddata, see the SAP Note 1576799.
48
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementSecurity for Additional Applications
9 Security for Additional Applications
For security information about Adobe Flash Player used by the BI dashboards, refer to the SAP NetWeaverBusiness Warehouse Security Guide.
For security information about the Embedded Search used by SAP EHS Management, refer to the SAP NetWeaverEnterprise Search 7.2.Security Guide.
SAP Environment, Health, and Safety ManagementDispensable Functions with Impacts on SecurityPublicPublic
Public
49© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
10 Dispensable Functions with Impacts onSecurity
SAP EHS Management can be integrated with HR Time Management in Customizing. If the personnel timemanagement (PT) integration is activated, time data (including absences) from HR is displayed in the incident. Anadditional option is available to directly create HR Absences from the incident. For all actions (such as read orcreate), HR authorizations are checked.
50
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementOther Security-Relevant Information
11 Other Security-Relevant Information
11.1 SAP NetWeaver Business Client as User Front End
For more information about SAP NetWeaver Business Client (SAP NWBC) with PFCG connection, see the SAPNetWeaver documentation on SAP Help Portal at http://help.sap.com SAP NetWeaver SAP NetWeaver 7.0(2004s) SAP NetWeaver 7.0 Library (Including Enhancement Package 2) SAP NetWeaver Library SAPNetWeaver by Key Capability Application Platform by Key Capability ABAP Technology SAP NetWeaverBusiness Client Security Aspects.
11.2 Documents (including Virus Scanner)
SAP EHS Management uses standard SAP NetWeaver (NetWeaver) technology for uploading and downloadingdocuments (such as Web Dynpro ABAP controls or Internet Communication Framework (ICF) services). Thesedocuments are checked into the defined storage system (content repository) using the Knowledge Provider(KPro).
Using the standard NetWeaver technology, you can use the standard NetWeaver virus scan interface (VSI) tocheck documents (including attachments) for viruses. To do this, you must have installed and configured a virusscanner. It is highly recommended that you integrate a virus scanner. For more information, see SAP Help Portalat http://help.sap.com NetWeaver <Release> SAP NetWeaver Library SAP NetWeaver by KeyCapability Security SAP NetWeaver Security Guide Security Guides for SAP NetWeaver According toUsage Types SAP NetWeaver Application Server ABAP Security Guide Security Issues for Web Dynpro ABAP
Virus Scan Interface.
For more information about security with regards to Knowledge Management, see SAP Service Marketplace atservice.sap.com/securityguide SAP Knowledge Management Security Guides.
11.3 Forms and E-Mails Containing Java Script
The Interactive forms of SAP EHS Management can contain Java Script. Therefore, Java Script must be enabledin Adobe Acrobat Reader.
In addition, e-mails with PDF attachments that contain Java Script must not be filtered out in the e-mail inboundand outbound process.
SAP Environment, Health, and Safety ManagementSecurity-Relevant Logging and TracingPublicPublic
Public
51© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
12 Security-Relevant Logging and Tracing
SAP EHS Management uses all logging and tracing functionality provided by the SAP NetWeaver AS ABAP and ASJava. Refer to the NetWeaver Security Audit and Logging documentation at http://help.sap.com SAPNetWeaver SAP NetWeaver 7.0 (2004s) SAP NetWeaver 7.0 Library (Including Enhancement Package 2) SAP NetWeaver Library Administrator’s Guide SAP NetWeaver Security Guide Auditing and Logging.
The inbound e-mail process logs the data in the application log. For more information about the object andsubobject, see Customizing for SAP EHS Management under Incident Management Print Forms and InteractiveForms Define Inbound Processing for E-Mails.
For more information about the logging of health data, see 8.1.2
52
Public© 2014 SAP SE or an SAP affiliate company. Allrights reserved.
SAP Environment, Health, and Safety ManagementServices for Security Lifecycle Management
13 Services for Security LifecycleManagement
The following services are available from Active Global Support to assist you in maintaining security in your SAPsystems on an ongoing basis.
13.1 Security Chapter in the EarlyWatch Alert (EWA) Report
This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you:
Whether SAP Security Notes have been identified as missing on your system.
In this case, analyze and implement the identified SAP Notes if possible. If you cannot implement the SAPNotes, the report should be able to help you decide on how to handle the individual cases.
Whether an accumulation of critical basis authorizations has been identified.
In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not,correct the situation. If you consider the situation okay, you should still check for any significant changescompared to former EWA reports.
Whether standard users with default passwords have been identified on your system.
In this case, change the corresponding passwords to non-default values.
13.2 Security Optimization Service (SOS)
The Security Optimization Service can be used for a more thorough security analysis of your system, including:
Critical authorizations in detail
Security-relevant configuration parameters
Critical users
Missing security patches
This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-siteservice. We recommend you use it regularly (for example, once a year) and in particular after significant systemchanges or in preparation for a system audit.
13.3 Security Configuration Validation
The Security Configuration Validation can be used to continuously monitor a system landscape for compliancewith predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers
SAP Environment, Health, and Safety ManagementServices for Security Lifecycle ManagementPublicPublic
Public
53© 2014 SAP SE or an SAP affiliate company. All rights
reserved.
configuration parameters, but it also covers critical security properties like the existence of a non-trivial Gatewayconfiguration or making sure standard users do not have default passwords.
13.4 Security in the RunSAP Methodology / Secure OperationsStandard
With the E2E Solution Operations Standard Security service, a best practice recommendation is available on howto operate SAP systems and landscapes in a secure manner. It guides you through the most important securityoperation areas and links to detailed security information from SAP’s knowledge base wherever appropriate.
13.5 More Information
For more information about these services, see:
EarlyWatch Alert: http://service.sap.com/ewa
Security Optimization Service / Security Notes Report: http://service.sap.com/sos
Comprehensive list of Security Notes: http://service.sap.com/securitynotes
Configuration Validation: http://service.sap.com/changecontrol
RunSAP Roadmap, including the Security and the Secure Operations Standard:http://service.sap.com/runsap (See the RunSAP chapters 2.6.3, 3.6.3 and 5.6.3)
www.sap.com/contactsap
Copyright
© 2014 SAP SE or an SAP affiliate company.All rights reserved.
No part of this publication may bereproduced or transmitted in any form or forany purpose without the express permissionof SAP SE. The information contained hereinmay be changed without prior notice.
Some software products marketed by SAPSE and its distributors contain proprietarysoftware components of other softwarevendors.
National product specifications may vary.
These materials are provided by SAP SE andits affiliated companies (“SAP Group”) forinformational purposes only, withoutrepresentation or warranty of any kind, andSAP Group shall not be liable for errors oromissions with respect to the materials. Theonly warranties for SAP Group products andservices are those that are set forth in theexpress warranty statements accompanyingsuch products and services, if any. Nothingherein should be construed as constitutingan additional warranty.
SAP and other SAP products and servicesmentioned herein as well as their respectivelogos are trademarks or registeredtrademarks of SAP SE in Germany and othercountries. Please seewww.sap.com/corporate-en/legal/copyright/index.epx#trademark foradditional trademark information andnotices.