Security Guide
SAP BusinessObjects Planning and Consolidation 7.5, version for SAP NetWeaver
Target Audience
■ Technical Consultants
■ System Administrators
PUBLIC
Document version: 2.0 – 2010-06-15
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com
© Copyright 2010 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice.
These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.
Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.
2/42 PUBLIC 2010-06-15
Typographic Conventions
Example Description
<Example> Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”.
Example → Example Arrows separating the parts of a navigation path, for example, menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com Textual cross-references to an internet address
/example Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 Hyperlink to an SAP Note, for example, SAP Note 123456
Example ■ Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
■ Cross-references to other documentation or published works
Example ■ Output on the screen following a user action, for example, messages ■ Source code or syntax quoted directly from a program ■ File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE Keys on the keyboard
Document History
CAUTION
Before you start the implementation, make sure you have the latest version of this document.
You can find the latest version at the following location: http://service.sap.com/securityguide.
The following table provides an overview of the most important document changes.
Version Date Description
1.0 2009-12-15 First Version
2.0 2010-06-15 This is the update for SP03. For detailed information, refer to the appropriate SAP central note.
Table of Contents
Chapter 1 Introduction 7
Chapter 2 Before You Start 9
Chapter 3 Technical System Landscape 11
Chapter 4 Security Overview 13
Chapter 5 User Administration and Authentication 15
5.1 User Authentication Process 15
5.2 Authenticating through CMS 17
5.3 Authenticating through Active Directory 17
5.4 Setting Up Users 18
5.5 Setting Up Teams 18
5.6 Authorization Objects for SAP Business Explorer 19
Chapter 6 Authorizations 21
6.1 Task Profile Setup 21
6.2 Member Access Profile Setup 27
Chapter 7 Network and Communication Security 33
7.1 Communication Channel Security 33
7.2 Network Security 34
Chapter 8 Data Storage Security 37
Chapter 9 Dispensable Functions that Affect Security 39
Chapter 10 Trace and Log Files 41
1 Introduction
This document is not included as part of the Installation Guides, Configuration Guides, Technical
Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software
life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.
Why is Security Necessary
With the increasing use of distributed systems and the Internet for managing business data, the demands
on security are also on the rise. When using a distributed system, you need to be sure that your data
and processes support your business needs without allowing unauthorized access to critical
information. User errors, negligence, or attempted manipulation on your system should not result in
loss of information or processing time. These demands on security apply likewise to Planning and
Consolidation. To assist you in securing your system, we provide this Security Guide.
About This Document
The Security Guide provides an overview of the security-relevant information that applies to the system
Overview of the Main Sections
The Security Guide comprises the following main sections:
■ Before You Start
This section contains references to other Security Guides that build the foundation for this Security
Guide.
■ Technical System Landscape
This section contains a link to more information about the system landscape.
■ Security Overview
This section explains the initial users in the system and default authorizations. The section also
provides an overview of the high-level steps needed to establish Planning and Consolidation
security.
■ User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
● Active Directory domain considerations
● User setup
● Team setup
■ Authorizations
This section provides details on the authorization concept that applies to Planning and
Consolidation.
■ Network and Communication Security
This section provides an overview of the network topology and communication protocols used
by the application.
■ Data Storage Security
This section describes the security aspects involved with saving data used by the application.
■ Dispensable Functions with Impact on Security
This section describes which functions are not absolutely necessary and how you can deactivate
them.
■ Trace and Log Files
This section provides a link to where trace and log files are located.
2 Before You Start
Fundamental Security Guides
For a complete list of the available SAP Security Guides, see http://service.sap.com/securityguide on the SAP Service Marketplace.
Important SAP Notes
The most important SAP Notes that apply to the security of the system are shown in the table below.
Important SAP Notes
SAP Note Number Title Comments
1410517 SAP Planning and Consolidation 7.5 SP00, version for the NetWeaver platform
This is the Central Note for Planning and Consolidation 7.5.
1409989 SAP Planning and Consolidation 7.5 SP01, version for the NetWeaver platform
This is the Central Note for Planning and Consolidation 7.5, Service Pack 01.
1433411 SAP Planning and Consolidation 7.5 SP02, version for the NetWeaver platform
This is the Central Note for Planning and Consolidation 7.5, Service Pack 02.
1453797 SAP Planning and Consolidation 7.5 SP03, version for the NetWeaver platform
This is the Central Note for Planning and Consolidation 7.5, Service Pack 03.
Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.
Quick Links to Additional Information
Content Quick Link on the SAP Service Marketplace or SDN
Security http://sdn.sap.com/irj/sdn/security
Security Guides https://service.sap.com/securityguide
Related SAP Notes https://service.sap.com/notes
Released Platforms https://service.sap.com/pam
Network Security https://service.sap.com/securityguide
SAP Solution Manager https://service.sap.com/solutionmanager
SAP NetWeaver http://sdn.sap.com/irj/sdn/netweaver
3 Technical System Landscape
For information about the technical system landscape, see the Master Guide at http://service.sap.com/instguidescpm-bpc → 7.5, version for SAP NetWeaver.
4 Security Overview
This section describes the security features included with Planning and Consolidation.
Features
Security Upon Initial System Installation
When you first install the system, the following items apply:
■ The installation user can access Server Manager locally on the application server, and access the
Administration Console and Administration for the Web from any client machine. (After
additional users are defined, they can also access the administration features remotely.)
■ The system administrator can perform all administrative tasks, but does not have any access to
members.
■ There are no other users defined. See User Setup [page 18].
■ There is one Admin team defined that can be used as a sample. See Team Setup [page 18].
■ There is one sample task profile that has full Administration privileges (PrimaryAdmin), and
another sample task profile that has full Administration privileges and dimension access
(SysAdmin). See Team Setup [page 18].
■ Administrators must specifically assign task profiles to users or teams of users before they can access
any tasks. Similarly, if they do not assign member access profiles to users or teams to define access
to members of a secured dimension, no one has access to that dimension. See Member Access Profile
Setup [page 27].
Steps to Define Security
Defining security involves the following steps:
■ Name each user. See User Setup [page 18].
■ Assign users to teams. See Team Setup [page 18].
■ Assign task profiles to users or teams. See Task Profile Setup [page 21].
■ Assign member access profiles to users or teams. See Member Access Profile Setup [page 27].
Security Audit Files
All security-related changes, such as adding, changing, and deleting users, teams, task profiles and
member profiles can be audited by Planning and Consolidation.
Administrators control whether activity auditing on administration tasks (including security tasks) is
enabled or not. If enabled for administration tasks, all administration tasks are audited (see Activity
Auditing in the Application Help for more information).
To enable activity auditing for Administration tasks, you choose Manage Activity Audit from the
Administration from the Web interface, then choose Administration Activity. Once the system records an activity,
you can run a report that shows activity based on specified criteria (see Reporting on Activity Auditing in the
Application Help).
Emergency User
When normal access to the system is no longer available, SAP customers can log on to the .NET server
as SysAdmin (or other operating system users with administrative rights) to repair the Planning and
Consolidation installation. For access to the ABAP server, see the NetWeaver Security Guide.
5 User Administration and Authentication
There are two authentication methods available in Planning and Consolidation:
■ SAP BusinessObjects User Management System (CMS)
■ Microsoft Windows (Active Directory)
During the installation of the Planning and Consolidation server, you specify which authentication
method is appropriate for your needs.
NOTE
If you are currently authenticating through Active Directory, there is a migration tool available
that allows you to convert your users over to authenticate through CMS. For more information,
see the Operations Guide.
This section contains information about user administration and authentication in the following topics:
■ User Authentication Process
■ Authenticating through CMS
■ Authenticating through Active Directory
■ Setting up Users
■ Setting up Teams
■ Authorization Objects for SAP Business Explorer
5.1 User Authentication Process
This section describes how users are authenticated from the Office and Web clients.
Authentication of Office Clients
1. From the Logon window, credentials are either taken from the Windows operating system, or they
must be entered using an alternate ID. In the latter case, the user enters a domain, user ID, and
password.
2. The client creates a stub to call the Planning and Consolidation .NET Web server. This is configured
to use the credentials supplied by the user during logon.
3. The system builds a SOAP request, including the user credentials. The request is sent to the
application server.
4. The system validates that the user connecting to the Web server is the same user identified by the
credentials.
5. The Web server calls the Planning and Consolidation authentication service to validate the user
credentials. If CMS has been configured, the user credentials are validated against the
BusinessObjects Enterprise SDK. If CMS authentication is not used, the user credentials are
validated directly against Active Directory. For more details, see Authenticating through CMS [page
17] and Authenticating through Active Directory [page 17].
6. If the user credentials are not valid, the authentication service returns Access is denied. If the
credentials are valid, the service returns Auth Success.
7. If the user is authenticated successfully, the Web server sends the results to the Planning and
Consolidation client. If the user is not authenticated, the Web server returns an HTTP 401 error.
Authentication of Web Clients
1. The user navigates to the Planning and Consolidation home page. The Web server uses IIS Windows
(Integrated or Basic) authentication. If the user credentials are not valid, Windows prompts the
user to enter a user ID and password.
2. The client creates a stub to call the Planning and Consolidation application server.
3. The system builds a SOAP request, including the user credentials. The request is sent to the
application server.
4. The system validates that the user connecting to the Web server is the same user identified by the
credentials.
5. The system calls the Planning and Consolidation authentication service to validate credentials.
6. If CMS has been configured, the user credentials are validated against the BusinessObjects
Enterprise SDK. If CMS authentication is not used, the user credentials are validated directly against
Active Directory. For more details, see Authenticating through CMS [page 17] and Authenticating through
Active Directory [page 17].
7. If the user credentials are not valid, the authentication service returns Access is denied. If the
credentials are valid, the service returns Auth Success.
8. If the user is authenticated successfully, the application server sends the results to the Planning
and Consolidation client. If the user is not authenticated, the Web server returns an HTTP 401
error.
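The server side of steps 3 to 7 of the Office client flow (steps 3 to 8 for Web clients), as an added example that is not Planning and Consolidation code: the SOAP element names and namespace, the user directories and the passwords are constructed stand-ins for the BusinessObjects Enterprise SDK and Active Directory lookups. The check in step 4, that the connecting user is the user the credentials name, is what stops one authenticated caller from submitting someone else's credentials.

```python
"""Model of the logon flow: parse the SOAP logon request (step 3), require that
the caller's identity matches the credentials (step 4), validate against CMS or
Active Directory (step 5), and answer 'Auth Success' or 'Access is denied' with
HTTP 401 (steps 6 and 7).  Added example, not product code; every name and
secret below is constructed."""
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
LOGON_NS = "urn:example:bpc-logon"  # constructed namespace, not the product's
NS = {"s": SOAP_NS, "b": LOGON_NS}

# Constructed stand-ins for the CMS database and for Active Directory.
# The entry with an empty domain models a local Windows user on the .NET server.
CMS_USERS = {"hsmith": "cms-secret-1"}
AD_USERS = {("PC", "hsmith"): "ad-secret-1",
            ("PC", "jdoe"): "ad-secret-2",
            ("", "svcuser"): "local-secret-3"}


def logon_request(domain, user_id, password):
    """Build the constructed SOAP envelope a client would send (step 3)."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    logon = ET.SubElement(body, f"{{{LOGON_NS}}}Logon")
    for tag, value in (("Domain", domain), ("UserId", user_id), ("Password", password)):
        ET.SubElement(logon, f"{{{LOGON_NS}}}{tag}").text = value
    return ET.tostring(env, encoding="unicode")


def parse_logon(soap_xml):
    """Return (domain, user_id, password) from the Logon element, or raise."""
    root = ET.fromstring(soap_xml)
    logon = root.find(".//b:Logon", NS)
    if logon is None:
        raise ValueError("SOAP body carries no Logon element")
    def text(tag):
        return (logon.findtext(f"b:{tag}", default="", namespaces=NS) or "").strip()
    return text("Domain"), text("UserId"), text("Password")


def _matches(stored, presented):
    # Constant-time comparison of the presented secret against the stored one.
    return stored is not None and hmac.compare_digest(stored.encode(), presented.encode())


def validate_cms(user_id, password):
    """Step 5, CMS configured: stands in for the BusinessObjects Enterprise SDK call."""
    return _matches(CMS_USERS.get(user_id), password)


def validate_ad(domain, user_id, password):
    """Step 5, CMS not configured: stands in for the Active Directory check."""
    return _matches(AD_USERS.get((domain, user_id)), password)


def authenticate(soap_xml, caller_identity, use_cms):
    """caller_identity is the (domain, user_id) the Web server already holds for the
    connection.  Returns (http_status, message) as described in steps 6 and 7."""
    try:
        domain, user_id, password = parse_logon(soap_xml)
    except (ET.ParseError, ValueError):
        return 401, "Access is denied"
    # Step 4: the connecting user must be the user identified by the credentials.
    if caller_identity != (domain, user_id):
        return 401, "Access is denied"
    ok = validate_cms(user_id, password) if use_cms else validate_ad(domain, user_id, password)
    return (200, "Auth Success") if ok else (401, "Access is denied")
```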
5.2 Authenticating through CMS
The BusinessObjects Enterprise (BOE) SDK and Central Management Server (CMS) subsystem provide
additional authentication options that are not available in Active Directory, including single sign-on
(SSO). With SSO, you do not need to provide authentication information again when moving
between Planning and Consolidation and other applications such as Xcelsius or InfoView. CMS
maintains a database of information about BOE (the CMS database) and manages security, including
access rights and authentication.
The following diagram shows the BOE SDK and CMS architecture.
Figure 1: BusinessObjects SDK & CMS
5.3 Authenticating through Active Directory
If authenticating users through Active Directory, and a user ID is added to the system with a domain
name (for example, PC\hsmith), the system assumes the user ID is maintained within Active Directory.
(If not on a domain, users must be valid Windows users on the .NET application server.) When the user
logs on, the system validates the password against Active Directory.
NOTE
In Server Manager, you can specify the domains that are used for Planning and
Consolidation users. In addition, filters can be applied to those domains to select specific users
from them. For more information, see the Operations Guide.
When you are adding new users from a domain to the system, you have the ability to select one
of the user-defined groups, and customize it further, if required.
When setting up users on the system, take the following considerations into account:
■ We recommend that all users come from a single domain.
■ We recommend that all users have access to the domain the server is on. If they do not have direct
access, the domain must be trusted between the server and user domain.
■ The installation user must have rights to browse the users from all user domains.
5.4 Setting Up Users
You can add new users and assign them to teams, task profiles, and member access profiles.
If you are not using the default task or member access profiles and have not set them up yet, we
recommend that you define them before adding users. You might also want to create teams, so you
can assign the newly added users to the appropriate teams.
Alternatively, when you define the teams and profiles, you can assign users to them at that time.
Features
Adding Users
You can add users in the Admin Console. To do so, choose Security → Users, then expand the domain
name. In the Manage Users action pane, select Add New User, then enter the required data to specify the
domain, e-mail address, teams, task profiles, and member access profiles.
Modifying Users
You can modify a user definition in the Admin Console. To do so, choose Security → Users and select a
user. In the Manage Users Options task pane, choose Modify the selected user's definition. Follow the prompts in
the assistant.
NOTE
You can enable the server to be Sarbanes-Oxley compliant if you want all clients that access the
server to challenge users for a user name and password. See the Server Manager section of the
Application Help located at http://help.sap.com/epm.
5.5 Setting Up Teams
You can set up and maintain teams of users. When you assign security to a team, the security works
collectively on the team members. This allows you to set up task-based or member-based security for
several users at the same time. Teams are not required to successfully process security.
Features
Adding teams
To add a team, in the Admin Console select Security → Teams → Add New Team, then enter data as
required.
Assigning team leaders
Assigning a team leader is useful when you want to give one person from the team special access rights,
for example, the rights to save templates to the team folder. A team leader that has ManageTemplate
privileges can save templates to their respective team folder. For more information, see the
ManageTemplate task in Task Profile Setup [page 21].
In addition, a team leader is the only one who can save Data Manager conversion and transformation
files. See TeamLeadAdmin in Task Profile Setup [page 21].
To assign a team leader, in the Admin Console select Security → Teams, and select the desired user
from the team list.
Modifying teams
You can modify the definition of an existing team. When modifying a team, you can change everything
except the team name.
To modify a team definition, in the Admin Console select Security → Teams. Select the team, then
click Modify the selected team's definition. Follow the prompts in the assistant to revise the team definition,
revise selected team members, or assign different task and member access profiles.
5.6 Authorization Objects for SAP Business Explorer
For reporting through SAP Business Explorer (BEx), users must log on to the SAP back-end system.
Authorization objects for each user must be maintained in that system.
The following table describes the authorization objects that are required.
Authorization Object Technical Name Description
BEx – Components S_RS_COMP Authorization for using different components for the query definition
BEx – Components S_RS_COMP1 Authorization for queries from specific owners
BEx – Components S_RS_FOLD Display authorization for folders
BEx – Individual Tools S_RS_TOOLS Authorization for individual Business Explorer tools
BEx – Enterprise Reports S_RS_ERPT Authorization for BEx enterprise reports
BEx – Enterprise Report Reusable Elements S_RS_EREL Authorization for reusable elements of a BEx enterprise report
BEx – Data Access Services S_RS_DAS Authorizations for working with data access services
BEx – Web Templates S_RS_BTMP Authorization for working with BEx Web templates
BEx – Reusable Web Items S_RS_BITM Authorization for working with BEx Web items
BEx Information Broadcasting Authorization for Scheduling S_RS_BCS Authorization for registering broadcast settings for execution
BEx Texts (Maintenance) S_RS_BEXTX Authorization for maintaining BEx texts
6 Authorizations
Authorization is defined by task profiles and member access profiles:
■ Task profiles define what type of activities or tasks a user or a team of users can perform.
■ Member access profiles define the specific applications to which users have access.
6.1 Task Profile Setup
A task profile defines the type of activities or tasks a user or a team of users can perform in Planning
and Consolidation. After creating a task profile, you assign it to one or more users. You can add tasks
to a profile as needed.
Features
Administrator Roles
A role is a predefined set of administration tasks. If you want to assign a user one or more administration
tasks, you must assign them one of the predefined administrator roles. Without one of these role
assignments, the user cannot perform any administrator tasks.
The three administrator roles are:
■ System Admin
■ Primary Admin
■ Secondary Admin
Default task rights
A System Administrator (System Admin), by default, has the following task rights:
■ Appset
■ DefineSecurity
A Primary Administrator (Primary Admin), by default, has the following task rights:
■ Application
■ BusinessRules
■ DefineSecurity
■ Dimensions
■ Lockings
■ ManageAudit
■ ManageComments
■ ManageContentLibrary
■ ManageDistributor
■ ManageLiveReport
■ ManageTemplates
■ Misc
■ UpdateToCompanyFolder
■ WebAdmin
A Secondary Administrator (Secondary Admin), by default, has the following task rights:
■ Dimensions
Administration Task Profile Descriptions
The following table describes the available tasks in the Administration interface:
Task Can be assigned to Description
Application Only the primary administrator (default) Can create, modify, and delete applications in this application set, make changes to dimensions and add dimensions, and optimize applications.
Appset System administrator, by default, but can be assigned to primary administrator Can create new application sets, modify application sets, and set application set parameters (in Web Admin Tasks).
Business Rules Primary administrator, by default, but can be assigned to secondary administrator Define business rules.
Dimension Only primary and secondary administrators (default) Create, modify, process, and delete dimensions and members.
Lockings Primary administrator, by default, but can be assigned to secondary administrator Define and edit work status codes.
ManageDrillThrough Primary administrator, by default, but can be assigned to secondary administrator Create and modify drill-through setup.
Misc Primary administrator, by default, but can also be assigned to system and secondary administrators View application set status.
AnalysisCollection Task Profile Descriptions
The following table describes the available tasks in the AnalysisCollection interface:
Task Can be assigned to Description
eAnalyze Anyone Access, manage, and edit ad hoc and audit reports.
EditDynamicHierarchy Anyone A user with this task can edit dynamic hierarchy structures.
ManageTemplate Anyone A user with this task can access templates from the company folder, and restrict workbook options. A team member or team leader with this task can access and save templates to their respective team folder.
OpenWordPptFiles Anyone A user with this task can open Microsoft Word and Microsoft PowerPoint files.
SaveWordPptFiles Anyone A user with this task can save Microsoft Word and Microsoft PowerPoint files.
SubmitData Anyone Can access the build input schedules and send data. Can use spread, weight, and trend options. Can post documents with application context to the Content Library.
Audit Task Profile Descriptions
The following table describes the available tasks in the Audit interface:
Task Can be assigned to Description
ManageAudit Anyone Can manage activity and data auditing.
Business Process Flows Task Profile Descriptions
The following table describes the available tasks in the Business Process Flow interface:
Task Can be assigned to Description
BPFExecution Anyone This user or team can execute business process flow tasks.
ManageBPF Only the primary administrator (default) This user or team can create, modify, and delete business process flows.
Collaboration Task Profile Descriptions
The following table describes the available tasks in the Collaboration interface:
Task Can be assigned to Description
ManageDistributor Anyone This user or team can use the Offline Distributor.
PublishOffline Anyone This user or team collects changes to offline input schedules and sends data to a database.
Comments Task Profile Descriptions
The following table describes the available tasks in the Comments interface:
Task Can be assigned to Description
AddComment Anyone This user or team can add comments.
ManageComments Anyone This user or team can remove comments.
Data Manager Task Profile Descriptions
The following table describes the available tasks in the DM interface:
Task Can be assigned to Description
Execute Anyone This user or team can manage Data Manager packages:
■ Data upload
■ Data download
■ Data Preview
■ Clear saved prompts
■ View status based on user ID
■ View schedule status based on user ID
■ Run Specific package
■ Run user package
■ Validate & Process conversion files for company
■ Validate & Process transformation files for company
■ Maintain status based on user ID
■ View status
CalculateOwnership Anyone This user or team can run the Data Manager package Calculate Ownership.
GeneralAdmin Anyone This user or team can perform tasks such as:
■ New Transformation
■ Test transformation with data
■ New Conversion
■ New Conversion Sheet
■ Transformation
■ Save
■ Save Transformation As
■ Save Conversion
■ Save Conversion As
PrimaryAdmin Anyone Can perform the following default PrimaryAdmin tasks:
■ Manage transformation files for company and Validate & Process
■ Manage conversion files for company and Validate & Process
■ Packages that run directly against the fact table are limited to administrators
■ Manage team package access
■ Organize package list
■ Maintain status regardless of user ID
■ Run admin package
TeamLeadAdmin Anyone Can perform the following tasks:
■ Open transformation files from team folder and validate & process
■ Open conversion files from team folder and validate & process
■ Perform a data preview from the team folder
■ Perform a data upload from the team folder
■ Perform a data download from the team folder
NOTE
These tasks cannot be performed on the Company folder.
TeamLeadAdmin Team Leader Can perform the following tasks:
■ All tasks described in TeamLeadAdmin, above
■ Save transformation files
■ Save conversion files
FileAccess Task Profile Descriptions
The following table describes the available tasks in the FileAccess interface:
Task | Can be assigned to | Description
--- | --- | ---
UpdateToCompanyFolder | Anyone | A user, team member, or team leader with this task can save templates to the company folder, but they must also have ManageTemplate rights.
Journal Task Profile Descriptions
The following table describes the available tasks in the Journal interface:
Task | Can be assigned to | Description
--- | --- | ---
AdminJournal | Anyone | Can manage journals as follows: ■ Create and maintain journal templates ■ Clear journal tables ■ Create Journal
CreateJournal | Anyone | Can create or modify journal entries.
PostJournals | Anyone | Can post journals.
ReviewJournals | Anyone | Can review journals.
UnpostJournals | Anyone | Can unpost journal entries.
Security Task Profile Descriptions
The following table describes the available tasks in the Security interface:
Task | Can be assigned to | Description
--- | --- | ---
DefineSecurity | Only system and primary administrators (by default). | Can manage users, task, and member access profiles.
CAUTION
We recommend that you restrict access of this task to a few privileged users.
ViewSystemReport Task Profile Descriptions
The following table describes the available tasks in the ViewSystemReport interface:
Task | Can be assigned to | Description
--- | --- | ---
AuditReport | Anyone | This user or team can create audit reports.
SecurityReport | Anyone | This user or team can create security reports.
CommentReport | Anyone | This user or team can run a comment report.
JournalReport | Anyone | This user or team can run a journal report.
Workstatus report | Anyone | This user or team can run a work status report.
WorkStatus Task Profile Descriptions
The following table describes the available tasks in the WorkStatus interface:
Task | Can be assigned to | Description
--- | --- | ---
SetWorkStatus | Anyone | This user or team creates work status on a data region.
ZFP Task Profile Descriptions
The following table describes the available tasks in the Web interface:
Task | Can be assigned to | Description
--- | --- | ---
AccessContentLib | Anyone | This user or team can access, filter, sort, and add pages to the Content Library in the Web interface.
CreateWebPage | Anyone | This user or team can create new web pages in the Web interface.
LiveReport | Anyone | This user or team can access live reports in the Web interface.
ManageContentLib | Anyone | Can manage all items in the Content Library.
ManageLiveReport | Anyone | This user or team can manage live reports using drag & drop in the Web interface.
WebAdmin | Anyone | Can do the following in Web Admin Tasks: ■ Set application parameters ■ Manage dimensions (make changes to existing dimensions based on dimension) ■ Manage document types and subtypes ■ Publish Non-Planning and Consolidation reports
Adding a Task Profile
To create a new task profile in the Admin Console, choose Security > Task Profiles. Enter data as
required.
Tips for Assigning Task Profiles
■ The number of task profiles administrators can assign to a user is not limited. However, we
recommend that you do not assign multiple task profiles to users because it may cause confusion
in determining their ultimate access rights.
Task access security is cumulative, and tasks cannot be explicitly denied. As a result, assigning
multiple task profiles can create a situation where users have access to tasks that you may not want
them to have. For example, an administrator wants UserA to only retrieve data. If UserA belongs
to a team that possesses data-send task rights, UserA can also send data.
■ Administrators can assign multiple task profiles to a team. However, we recommend that you do
not assign multiple task profiles to a team because it may cause confusion in determining the
ultimate access rights of that team.
6.2 Member Access Profile Setup
You must define a member access profile for all secured dimensions of an application. If no profile is
defined for a secured dimension, the users assigned to the profile do not have access rights to that
application. If you partially define access, for example, for one of two secured dimensions, users are still
denied access to the application.
After creating a Member Access profile, you assign it to users as needed.
Features
General Rules for Member Access Security
Member access security is based on the following rules:
■ By default, no one other than the system administrator has access to members. Member access
must be explicitly granted.
■ A user can be assigned member access individually and through team membership.
■ Member access privileges flow down the hierarchy, from parent to child.
■ When in conflict, the least restrictive member access profile is applied.
■ In case of a conflict between individual and team member access, the least restrictive setting is
applied.
■ Denial of member access can be set only at the user level.
Defining Access to Members with Children
When defining access to a secured dimension that has one or more defined hierarchies, security is
applied to the member and all of its children. For example, if you grant access to a member that has 10
children, users with access to the parent member also have access to the 10 children.
You can restrict a child member of a parent with ‘Read’ or ‘Read and Write’ access by creating a separate
member access profile and assigning the child ‘Denied’ access. Alternatively, you can use the same
member access profile as the parent, but create a new line item for the child.
Creating Member Access Profiles
You can add member access profiles from the Admin Console by choosing Security > Member Access
Profiles > Add a New Member Access Profile and following the prompts in the New Member Access Profile
assistant. Be sure to choose Apply to process the new member access profiles.
Modifying Member Access Profiles
You can modify an existing member access profile by selecting Modify the selected profile definition in the
Manage Profile Options action pane. Follow the prompts in the Modify Profile assistant.
Resolving Member Access Profile Conflicts
Since you can define member access by individual users and by teams, there may be situations in which
conflicts occur. The following topics describe some potential member access conflict scenarios and the
rules the system applies to resolve those conflicts. These scenarios are based on the assumption that
the Entity dimension is a secured dimension and has the following hierarchical structure:
Hierarchy H1:
  WorldWide1
    Sales
      SalesAsia
        SalesKorea
        SalesJapan
        ESalesAsia
      SalesEurope
        SalesItaly
        SalesFrance
        ESalesEurope
Hierarchy H2:
  WorldWide2
    Asia
      Korea
        SalesKorea
      Japan
        SalesJapan
      eAsia
        ESalesAsia
    Europe
      Italy
        SalesItaly
      France
        SalesFrance
      eEurope
        ESalesEurope
Conflict Between Profiles
When there is a conflict between member access profiles, the least restrictive profile is always applied.
This section describes three different scenarios where there are conflicts between profiles.
EXAMPLE
Scenario 1:
■ User1 belongs to Team1 and Team2.
■ There are two member access profiles: ProfileA and ProfileB.
■ ProfileA is assigned to Team1 and ProfileB is assigned to Team2.
The member access profiles are described in the following table:
Member access profile | Access | Dimension | Member
--- | --- | --- | ---
ProfileA | Read & Write | Entity | Sales
ProfileB | Read Only | Entity | SalesAsia
In this case, the least restrictive profile between the two, ProfileA (Read & Write), is applied. As a
result, ProfileB is ignored by the system, and User1 is able to send data to both SalesKorea and
SalesItaly.
EXAMPLE
Scenario 2:
■ User1 belongs to Team1 and Team2
■ There are two member access profiles: ProfileA and ProfileB.
■ ProfileA is assigned to Team1 and ProfileB is assigned to Team2.
The member access profiles are described in the following table:
Member access profile | Access | Dimension | Member
--- | --- | --- | ---
ProfileA | Read Only | Entity | Sales
ProfileB | Read & Write | Entity | SalesAsia
In this case, the least restrictive profile between the two, ProfileB (Read & Write), is applied for the
child members of SalesAsia. As a result, ProfileA is ignored by the system, and User1 is able to send
data to SalesKorea, but not to SalesItaly.
EXAMPLE
Scenario 3:
■ User1 does not belong to any team.
■ There are two member access profiles: ProfileA and ProfileB.
■ Both the profiles are assigned to the user.
The member access profiles are described in the following table:
Member access profile | Access | Dimension | Member
--- | --- | --- | ---
ProfileA | Denied | Entity | SalesAsia
ProfileB | Read Only | Entity | Sales
In this case, the least restrictive profile between the two, ProfileB (Read Only), is applied. As a
result, ProfileA is ignored by the system, and User1 is able to retrieve data from both SalesKorea
and SalesItaly.
Conflict Between Parent and Child Members
Authority always flows down the hierarchy from parent to child. Child members always have the access
level of their parents, unless otherwise specified.
EXAMPLE
Scenario 1:
■ User1 belongs to Team1 and ProfileA is assigned to Team1.
■ Two levels of member access profiles are defined for ProfileA.
The member access profiles for the ProfileA are described in the following table:
Member access profile | Access | Dimension | Member
--- | --- | --- | ---
ProfileA | Read & Write | Entity | Sales
ProfileA | Read Only | Entity | SalesAsia
In this case, the Read & Write access of the Sales member flows down to its children. This flow is
interrupted by assigning Read Only access to SalesAsia (a descendant of Sales), and SalesAsia’s
access flows down to its descendants. As a result, User1 is able to send data to SalesItaly, but not
to SalesKorea.
EXAMPLE
Scenario 2:
■ User1 belongs to Team1 and ProfileA is assigned to Team1.
■ ProfileA has two levels of member access profiles.
The member access profiles for the ProfileA are described in the following table:
Member access profile | Access | Dimension | Member
--- | --- | --- | ---
ProfileA | Read Only | Entity | Sales
ProfileA | Read & Write | Entity | SalesAsia
In this case, the Read Only access of the Sales member flows down to its children. This flow is
interrupted by assigning Read & Write access to SalesAsia (a descendant of Sales), and SalesAsia’s
access flows down to its descendants. As a result, User1 is able to send data to SalesKorea but not
to SalesItaly.
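The profile-conflict and parent-to-child rules above, carried through as an added Python illustration (example code, not part of SAP Planning and Consolidation). It reproduces the scenarios in the two preceding topics on the guide's H1 hierarchy; the dictionary layout and function names are assumptions of this example.

```python
"""Added illustration of the member access rules above (example code, not SAP
code): access flows from parent to child until a line on a descendant
interrupts it, and when profiles conflict the least restrictive one wins.
Dictionary layout and function names are assumptions; only hierarchy H1 is used."""
from typing import Dict, List, Optional, Tuple

# Access levels ordered from most restrictive to least restrictive.
RANK = {"Denied": 0, "Read Only": 1, "Read & Write": 2}

# Hierarchy H1 of the secured Entity dimension, stored as child -> parent.
H1_PARENT: Dict[str, str] = {
    "Sales": "WorldWide1",
    "SalesAsia": "Sales", "SalesEurope": "Sales",
    "SalesKorea": "SalesAsia", "SalesJapan": "SalesAsia", "ESalesAsia": "SalesAsia",
    "SalesItaly": "SalesEurope", "SalesFrance": "SalesEurope", "ESalesEurope": "SalesEurope",
}

# A member access profile is a list of (member, access) lines.
Profile = List[Tuple[str, str]]


def access_in_profile(profile: Profile, member: str,
                      parent: Dict[str, str] = H1_PARENT) -> Optional[str]:
    """Access one profile gives a member: the nearest line on the member or an
    ancestor applies, since a line on a descendant interrupts the flow."""
    lines = dict(profile)
    node: Optional[str] = member
    while node is not None:
        if node in lines:
            return lines[node]
        node = parent.get(node)
    return None  # the profile says nothing about this member


def effective_access(profiles: List[Profile], member: str,
                     parent: Dict[str, str] = H1_PARENT) -> Optional[str]:
    """Combine the profiles a user holds directly or through teams: the least
    restrictive wins; with no explicit grant anywhere there is no access."""
    found = []
    for profile in profiles:
        access = access_in_profile(profile, member, parent)
        if access is not None:
            found.append(access)
    return max(found, key=RANK.__getitem__) if found else None


def can_send(profiles: List[Profile], member: str) -> bool:
    """Sending data requires Read & Write on the member."""
    return effective_access(profiles, member) == "Read & Write"


if __name__ == "__main__":
    # Conflict Between Profiles, Scenario 1: ProfileA via Team1, ProfileB via Team2.
    profile_a = [("Sales", "Read & Write")]
    profile_b = [("SalesAsia", "Read Only")]
    for m in ("SalesKorea", "SalesItaly"):
        print(m, effective_access([profile_a, profile_b], m))  # both Read & Write
    # Parent and Child, Scenario 1: both lines in the same profile.
    same_profile = [("Sales", "Read & Write"), ("SalesAsia", "Read Only")]
    for m in ("SalesKorea", "SalesItaly"):
        print(m, "can send" if can_send([same_profile], m) else "cannot send")
```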
Conflict When the Same Member Belongs to Different Hierarchies
When a member belongs to different hierarchies, and there is a conflict in member access, the most
restrictive access is applied.
EXAMPLE
Scenario: ProfileA and ProfileB are assigned to User1. The member access profiles are described in
the following table:
Member access profile | Access | Dimension | Member
--- | --- | --- | ---
ProfileA | Read Only | Entity | WorldWide1
ProfileB | Read & Write | Entity | WorldWide2
In this case, ProfileB determines User1’s access. As a result, User1 is able to send data to SalesKorea,
even if ProfileA denies User1 Write access to SalesKorea (in WorldWide1 hierarchy).
7 Network and Communication Security
Your network infrastructure is important in protecting your system. Your network needs to support
the communication necessary for your business and your needs without allowing unauthorized access.
A well-defined network topology can eliminate many security threats based on software flaws (at both
the operating system and application level) or network attacks such as eavesdropping. If users cannot
log on to your application or database servers at the operating system or database layer, then there is
no way for intruders to compromise the machines and gain access to the backend system’s database or
files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot
exploit well-known bugs and security holes in network services on the server machines.
The network topology for Planning and Consolidation is based on the topology used by the SAP
NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP
NetWeaver Security Guide also apply to Planning and Consolidation. Details that specifically apply to
Planning and Consolidation are described in the following topics:
■ Communication Channel Security
This topic describes the communication paths and protocols used by the application.
■ Network Security
This topic describes the recommended network topology for the application. It shows the
appropriate network segments for the various client and server components and where to use
firewalls for access protection.
For more information, see the following sections in the SAP NetWeaver Security Guide:
■ Network and Communication Security
■ Security Guides for Connectivity and Interoperability Technologies
7.1 Communication Channel Security
The table below shows the communication paths used by the application, the protocol used for the
connection, and the type of data transferred.
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
--- | --- | --- | ---
Client and .NET web/app server | HTTP/HTTPS | Client requests and server responses | Passwords, proprietary business financial and performance metrics
.NET web/app server and NetWeaver server | RFC (through the SAP RFC Connector) | Client requests and server responses | Passwords, proprietary business financial and performance metrics
.NET web/app server and Windows Active Directory | TCP/IP | Windows native behavior | Proprietary business financial and performance metrics
NetWeaver application server and NetWeaver databases | Details are covered in the SAP NetWeaver Security Guide. | |
Client and Windows Active Directory (Optional) | TCP/IP | Windows native behavior | Proprietary business financial and performance metrics
NOTE
Communication with the Windows Active Directory is done by the native Windows operating
system.
We recommend HTTPS for enhanced security. HTTPS is required if the client uses basic
authentication to access the .NET web/application server.
The RFC destination is used for after-import transactions for transports on the ABAP side, and
must be configured exclusively for the Planning and Consolidation application. For more
information on creating the RFC destination, see the Configuring the ABAP Component
section of the Installation Guide.
For information about application ports, see the Server Options section in the Operations Guide or
the Installation Guide.
7.2 Network Security
You can implement the following components of the application in different network segments:
■ Client
■ .NET Web/application server
■ NetWeaver application server
We recommend any of the following three environments, based on your technical
requirements.
■ All components in one network zone (LAN)
■ Client in Internet zone, while all server side components (.NET application server and NetWeaver
tier) are in one zone (LAN)
■ Client in Internet zone, .NET application server in DMZ, and the NetWeaver tier in a different
zone
NOTE
The NetWeaver tier includes a database server and an optional BIA. Placing the NetWeaver
application server in one network zone and the NetWeaver database and BIA in a different
network zone is therefore supported.
8 Data Storage Security
In Planning and Consolidation, user data is stored in Active Directory, and authorization data is stored
in the SAP NetWeaver database.
Business data is loaded by end users and administrators and stored in the SAP database.
Some configuration data is loaded upon system installation; the configuration file is located on the .NET
server tier in \PC\Websrvr\web\ServerConfiguration.config. The system is pre-configured to provide a
substantial level of data protection, but you should also make sure that no one has access to the service
accounts defined during the installation.
The system uses a client-side file system to store metadata and template data temporarily because read,
write, delete, change, and query access for existing data may be required. This data is stored in the local
file system of the client within the \MyDocuments\OutlookSoft directory. We recommend that only end
users and administrators have access to this directory.
Since Interface for the Web uses a browser as its interface, it uses cookies to store front-end metadata
and configuration information during individual user sessions. This data requires no special protection,
and no special measures to protect the cookies are necessary.
9 Dispensable Functions that Affect Security
Planning and Consolidation uses the following system resources:
■ Client tier — File system, system components, operating system
■ .NET server tier — System components, operating system
■ ABAP server — System components, operating system
There are no administration tools or installation tools that can be deleted after installation.
Server Installation
For the server installation, all functional modules are necessary and are used at runtime.
An installation contains a default application set named ApShell. This is the only component you can
remove after you complete your own application set development.
Client Installation
A Planning and Consolidation installation includes a Microsoft Office client and an Administration
client for different kinds of end users. Users can install one or both.
10 Trace and Log Files
Every day the system creates two log files: one that contains information about server operations, and
one that contains information about client operations. The format of log files is log<date>.txt.
The log files for the .NET application and web server are stored in <c:>\PC_NW\Logging on the server
machine. The log files for the client are stored in <c:>\Documents and Settings\<username>\My
Documents\Planning and Consolidation\Logging on the client machine.
Trace files are located in <c:>\PC_NW\Logging\trace. They are named BPCTRACEx.LOG, where x
is a number between 0 and 9, such as BPCTRACE.5.LOG.