
Security Guide

SAP Supplier Relationship Management powered by SAP


NetWeaver
Target Audience
- System administrators
- Technology consultants

PUBLIC
Document version: 1.1 10/28/2009

Document History

Caution

Before you start the implementation, make sure you have the latest version of this document. You
can find the latest version at the following location: http://service.sap.com/securityguide.
The following table provides an overview of the most important document changes.

Version   Date         Description
1.1       10/28/2009   Information on the Catalog Content Management business scenario added to section 2.5 Software Component Matrix

2/62

PUBLIC

10/28/2009

Table of Contents

Chapter 1  Introduction .......... 5
  1.1  Target Audience .......... 5
  1.2  About this Document .......... 5

Chapter 2  Before You Start .......... 7
  2.1  Fundamental Security Guides .......... 7
  2.2  Important SAP Notes .......... 9
  2.3  Additional Information .......... 9
  2.4  Overview of the Business Scenarios .......... 10
  2.5  Software Component Matrix .......... 10
  2.6  SAP SRM Business Scenarios and Relevant Components .......... 10

Chapter 3  Technical System Landscape Information .......... 21
  3.1  Technical System Landscape .......... 21
  3.2  Architecture .......... 21

Chapter 4  Network and Communication Security .......... 27
  4.1  Communication Channel Security .......... 27
  4.2  Network Security .......... 30
  4.3  Communication Destinations .......... 30

Chapter 5  Data Storage Security Information .......... 31
  5.1  Data Storage Security .......... 31

Chapter 6  Auditing and Logging .......... 33

Chapter 7  User Administration and Authentication Information .......... 41
  7.1  User Administration and Authentication .......... 41
  7.2  User Management .......... 41
  7.3  Integration into Single Sign-On Landscapes .......... 42

Chapter 8  Authorization Information .......... 43
  8.1  Authorizations .......... 43
  8.2  ABAP Roles for SAP SRM Server 7.0 .......... 43
  8.3  ABAP Roles for SAP SRM Server 7.0 (Procurement for Public Sector) .......... 44
  8.4  ABAP Roles for SAP SRM 7.0 (SUS) .......... 45
  8.5  Portal Roles (for NetWeaver Portal 7.01) .......... 46
  8.6  Changes to the Authorization Check .......... 47
  8.7  Business Add-In to Restrict Visibility of Product Categories .......... 47

Chapter 9  Appendix .......... 49
  9.1  Data Privacy Statement .......... 49
  9.2  Virus Checking of Document Attachments .......... 50
  9.3  Additional Related Guides .......... 50
  9.4  Additional Information .......... 50

Chapter A  Reference .......... 55
  A.1  The Main SAP Documentation Types .......... 55

1 Introduction

1.1 Target Audience

- Technology consultants
- System administrators
This document is not included as part of the installation guides, SAP Solution Manager content (configuration information), technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all life cycle phases.
For a more detailed overview of business scenarios, including graphical representations, see the SAP SRM Master Guide at http://service.sap.com/instguides → Installation and Upgrade Guides → SAP Business Suite Applications → SAP SRM → SAP SRM Server 7.0.

1.2 About this Document


This security guide provides information for the individual SAP Supplier Relationship Management
(SAP SRM) components.
In many cases, the required information has already been provided in other security guides and in
the configuration information or installation guides. In these cases, we have provided a reference to
the appropriate guides.
Security in the context of an SAP SRM solution comprises the following aspects:
- User authentication
- Support of Single Sign-On
- Administration and checking of user authorizations to prevent unauthorized access to saved data
- Secure data transfer between users and the SAP SRM application components, especially in the case of browser-based access via the Internet
- General access control, including protection of the system against unauthorized external access
- Safeguarding of data against unauthorized access when business data is being exchanged between SAP SRM and external systems, especially in the case of data exchange with supplier systems via the Internet

The individual components of the SAP SRM solution are based on the standard technology of SAP NetWeaver, such as SAP Web Application Server, ABAP Web Dynpro and SAProuter. This means that only the official precepts of the SAP security strategy are used, and that the standard tools and mechanisms of the SAP NetWeaver platform are used.
This Security Guide focuses on specific SAP SRM implementations; the standard case is covered by the security guides of the respective basis technologies.


2 Before You Start

2.1 Fundamental Security Guides


SAP SRM is built on the technology of SAP NetWeaver. Therefore, the corresponding security
guides also apply to the SAP SRM solution. Pay particular attention to the most relevant sections as
indicated in the table below.
Fundamental Security Guides

Scenario, Application or Component Security Guide:
  SAP NetWeaver Security Guide. See http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 Including Enhancement Package 1 → System Administration → Security Guide

Most-Relevant Sections:
- Introduction to Security with the SAP NetWeaver Platform
- Technical System Landscape: see http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 Including Enhancement Package 1 → System Administration → Security Guide → Technical System Landscape
- User Administration and Authentication: see http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 Including Enhancement Package 1 → System Administration → Security Guide → User Administration and Authentication
- Network and Transport Layer Security: see http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 Including Enhancement Package 1 → System Administration → Security Guide → Network and Communication Security
- Secure Programming: see Secure Programming - ABAP


Security Guides for SAP NetWeaver According to Usage Types

Usage Type: Application Server (AS)
See:
- SAP NetWeaver Application Server ABAP Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 Including Enhancement Package 1 → System Administration → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide
- SAP NetWeaver Application Server Java Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 Including Enhancement Package 1 → System Administration → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server Java Security Guide
- Virus Protection and SAP GUI Integrity Checks at http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 Including Enhancement Package 1 → System Administration → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → Virus Protection and SAP GUI Integrity Checks

Usage Type: SAP NetWeaver Enterprise Portal (EP)
See: Portal Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Including Enhancement Package 1 → System Administration → Security Guide → Security Guides for Usage Types EPC and EP

Usage Type: Business Intelligence (BI)
See: Security Guide for SAP NetWeaver Business Intelligence (BI) at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Including Enhancement Package 1 → System Administration → Security Guide → Security Guide for Usage Type BI

Usage Type: Process Integration (PI)
See: SAP NetWeaver Process Integration (PI) at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Including Enhancement Package 1 → System Administration → Security Guide → Security Guide for Usage Type PI


Security Guides for Standalone Engines

Engine: Search and Classification (TREX)
See: Search and Classification (TREX) Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Including Enhancement Package 1 → System Administration → Security Guide → Security Guides for Standalone Engines, Clients and Tools → Search and Classification (TREX) Security Guide

For a complete list of the available SAP Security Guides, see SAP Service Marketplace at
http://service.sap.com/securityguide.

2.2 Important SAP Notes


The most important SAP Notes that apply to SAP SRM are shown in the table below:

SAP Note Number   Title
39267             Availability of the SAP Security Guide
843740            Data protection text for supplier maintenance

Note

For more SAP Notes on security, see SAP Service Marketplace at http://service.sap.com/security → SAP Security Notes → SAP Notes on SAP Security, or the notes for the application areas BC-JAS-SEC and BC-SEC.

2.3 Additional Information


For more information about specific topics, see the Quick Links as shown in the table below.

Content                Quick Links on the SAP Service Marketplace
Security               http://service.sap.com/security
Security Guides        http://service.sap.com/securityguide
Related SAP Notes      http://service.sap.com/notes
Released platforms     http://service.sap.com/platforms
Network security       http://service.sap.com/securityguide
SAP Solution Manager   http://service.sap.com/solutionmanager


2.4 Overview of the Business Scenarios


Before you start the security setup, you need to decide which SAP SRM components need to be
installed. You should also have carried out a rough sizing exercise to answer questions on the
technical setup.
You can use this Security Guide to define the network structure, for example, firewalls, routers, load
balancing, protocols used, and the necessary configuration of the components, as well as a concept
for user administration.
In this section, you can find the Software Component Matrix, and details of the components used for
each business scenario.
Note

For more information about the business scenarios, see the SAP SRM Master Guide on SAP Service Marketplace at http://service.sap.com/instguides → Installation and Upgrade Guides → SAP Business Suite Applications → SAP SRM → SAP SRM Server 7.0.

2.5 Software Component Matrix


For information about the software components of SAP SRM, see the SAP SRM 7.0 Master Guide at http://service.sap.com/instguides → Installation and Upgrade Guides → SAP Business Suite Applications → SAP SRM → SAP SRM Server 7.0.

2.6 SAP SRM Business Scenarios and Relevant Components


The following section provides an overview of the business scenarios of SAP SRM and a textual description of the relevant components:
- Contract Management
- Service Procurement
- Strategic Sourcing
- Plan-Driven Procurement
- Catalog Content Management (SRM-MDM Catalog)
- Self-Service Procurement
- Spend Analysis
- Supplier Qualification
- Procurement for Public Sector
- Supplier Self-Services


Contract Management

Contract Management enables your purchasers to create, change, and monitor purchasing contracts. They can use the catalogs provided by SAP SRM-MDM Catalog to add items to contracts. SAP NW 7.00 BI Content 7.04 is used to carry out evaluations. SAP NetWeaver Usage Type Process Integration (SAP NW PI) is also necessary in this business scenario to upload external flat files for product category hierarchies and supplier hierarchies.
The SAP SRM Server Web front-end uses ABAP Web Dynpro technology. The Web front-end of SAP SRM-MDM Catalog 3.0 uses Java Web Dynpro technology. SAP NetWeaver Business Intelligence is realized using Business Server Pages (BSP) technology.
Depending on the requirements of the SAP SRM 7.0 installation (should SAP SRM Server be available via the Internet?) and depending on the internal Security Policy, the following has to be carried out:
- SAP SRM Server 7.0: Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- SAP SRM-MDM Catalog 3.0: Enable SAP Web AS Java 7.01 SSL. See the documentation on Transport Layer Security (SAP J2EE Engine) in the SAP NetWeaver Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 Including Enhancement Package 1 → System Administration → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server Java Security Guide.
- SAP NW 7.01 BI: Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM Server 7.0
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM-MDM Catalog 3.0
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP NetWeaver Business Intelligence 7.01
- Configure SSO between SAP SRM Server 7.0, SAP SRM-MDM Catalog 3.0 and SAP NetWeaver Business Intelligence 7.01
- If necessary, configure SNC connections between SAP SRM Server and the back-end system
- If necessary, configure SNC connections between SAP SRM Server/back-end system and SAP NetWeaver Business Intelligence 7.01
- If necessary, connect SAP SRM Server 7.0, SAP SRM Server 7.0 (SUS), and SAP SRM-MDM Catalog via HTTPS, FTPS and SNC to SAP NetWeaver Usage Type Process Integration (SAP NW PI).
For more information, see the SAP NetWeaver Process Integration Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 Including Enhancement Package 1 → System Administration → Security Guide, and Network and Communication Security at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Including Enhancement Package 1 → System Administration → Security Guide → Network and Communication Security.


Service Procurement

This business scenario is used to cover the entire service procurement process.
The SAP SRM Server (SUS) Web front-end uses Business Server Pages (BSP) technology.
Necessary steps:
- SAP SRM Server 7.0 (SUS): Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM Server 7.0 (SUS)
Depending on whether SAP SRM Server is also to be made available via the Internet, or depending on the internal Security Policy, the following might also be necessary:
- SAP SRM Server 7.0: Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- SAP SRM-MDM Catalog 3.0: Enable SAP Web AS 7.01 Java SSL (configure HTTPS protocol)
- SAP NetWeaver Business Intelligence 7.01: Enable SAP Web AS 7.01 SSL (configure HTTPS protocol)
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM Server 7.0
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM-MDM Catalog 3.0
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP NetWeaver Business Intelligence 7.01
- Configure SSO between SAP SRM Server 7.0, SAP SRM-MDM Catalog 3.0 and SAP NetWeaver Business Intelligence 7.01
- If necessary, configure SNC connections between SAP SRM Server and the back-end system
- If necessary, configure SNC connections between SAP SRM Server/back-end system and SAP NetWeaver Business Intelligence 7.01
- If necessary, connect SAP SRM Server 7.0, SAP SRM Server 7.0 (SUS), and SAP SRM-MDM Catalog via HTTPS, FTPS and SNC to SAP NetWeaver Usage Type Process Integration (SAP NW PI)
For more information, see the SAP NetWeaver Process Integration Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 Including Enhancement Package 1 → System Administration → Security Guide, and Network and Communication Security at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Including Enhancement Package 1 → System Administration → Security Guide → Network and Communication Security.
Note

The SAP SRM@ERP2005 business scenario Supplier Self-Registration is identical to the above business scenario Service Procurement in the SAP SRM standard.


Strategic Sourcing

Within Strategic Sourcing, RFxs are created in SAP SRM Server and suppliers are invited to participate in these RFxs by submitting bids. Bid invitations can also be converted into live auctions. Live auctions occur in SAP Live Auction Cockpit (LAC) WPS. SAP LAC WPS consists of a server part running on an SAP J2EE 7.01 engine and a Java applet that communicates with the server. The Java applet is loaded into the browser of the user and is executed locally.
Necessary steps:
- SAP SRM Server 7.0 (Bidding Engine): Enable SAP Web AS ABAP 7.01 SSL (configure HTTPS protocol)
- SAP LAC WPS 7.0: Enable SAP Web AS Java 7.01 SSL
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM Server 7.0 (Bidding Engine)
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP LAC WPS 7.0
Optional (if components are accessed via the Internet or if the Intranet Security Policy requires usage of HTTPS):
- Enable SAP SRM-MDM Catalog 3.0: SAP Web AS 7.01 Java SSL (configure HTTPS protocol)
- Enable SAP NW 7.01 BI: SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM-MDM Catalog 3.0
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP NW 7.01 BI
- If necessary, configure SNC connections between SAP SRM Server and the back-end system
- If necessary, configure SNC connections between SAP SRM Server/back-end system and SAP BI 7.01
Note
Integration to C-Folders

In the case of collaborative bidding processes, the Strategic Sourcing scenario supports integration to C-Folders. In the productive environment, the SAP SRM system is located in the Intranet zone, while C-Folders is in the DMZ zone.
Setting up an RFC connection between SAP SRM and the C-Folders system is a potential security risk because it opens a system connection from outside (DMZ) into the intranet.
However, this connection can be additionally protected by placing an SAProuter between the systems to cross the intranet border in a controlled manner.
The system connection will be used exclusively for the RFC protocol. HTTP is not necessary.
For more information, see the SAP cProjects Suite Security Guides at http://service.sap.com/securityguide.


Plan-Driven Procurement

Plan-Driven Procurement (Direct Procurement) automates and streamlines ordering processes for regularly-needed core materials. Suppliers can process purchase orders directly in SAP SRM Server (SUS). The purchase orders are transferred to SAP SRM Server (SUS) from the back-end system via SAP NetWeaver Usage Type Process Integration (SAP NW PI).
The Web front-end of SAP SRM Server (SUS) is realized using Business Server Pages (BSP) technology. Since suppliers log on to SAP SRM Server (SUS) via the Internet, we strongly recommend the use of the HTTPS protocol for SAP SRM Server (SUS).
Necessary steps:
- SAP SRM Server 7.0 (SUS): Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM Server 7.0 (SUS)
If SAP SRM Server is also to be accessed via the Internet, or depending on the internal Security Policy, it might be necessary to do the following:
- SAP SRM Server 7.0: Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- SAP NetWeaver Business Intelligence 7.01: Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM Server 7.0
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP NetWeaver Business Intelligence 7.01
- If necessary, configure SNC connections between SAP SRM Server and the back-end system
- If necessary, configure SNC connections between SAP SRM Server/back-end system and SAP NetWeaver Business Intelligence 7.01
- If necessary, connect SAP SRM Server 7.0, SAP SRM Server 7.0 (SUS), and SAP SRM-MDM Catalog via HTTPS, FTPS and SNC to SAP NetWeaver Usage Type Process Integration (SAP NW PI)
For more information, see the SAP NetWeaver Process Integration Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 Including Enhancement Package 1 → System Administration → Security Guide, and Network and Communication Security at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Including Enhancement Package 1 → System Administration → Security Guide → Network and Communication Security.
Catalog Management (SAP SRM-MDM Catalog)

The SAP SRM-MDM Catalog UI is realized using Java Web Dynpro technology. Catalogs can be uploaded via the file system using the MDM Import Manager in XML or Excel formats. Contract data can be loaded via SAP NetWeaver Usage Type Process Integration (SAP NW PI) and the MDM Import Manager from the SAP SRM Server system.


In the scope of a procurement process, transfer of product data from SAP SRM-MDM Catalog to SAP SRM Server occurs via HTTP(S) in accordance with the Open Catalog Interface (OCI) specification via the user browser.
Necessary steps:
- Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- Enable SAP Web AS 7.01 Java SSL (configure HTTPS protocol)
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM-MDM Catalog 3.0
- If necessary, connect SAP SRM-MDM Catalog via FTPS to SAP NetWeaver Usage Type Process Integration (SAP NW PI)
For more information, see the SAP NetWeaver Process Integration Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 Including Enhancement Package 1 → System Administration → Security Guide, and Network and Communication Security at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Including Enhancement Package 1 → System Administration → Security Guide → Network and Communication Security.
For MDM security-related information, refer to SAP Service Marketplace at http://service.sap.com/installmdm
Self-Service Procurement

Self-Service Procurement (Indirect Procurement) enables your employees to create and manage their own requirement requests. They can search in catalogs provided by SAP SRM-MDM Catalog. SAP NW 7.00 BI Content 7.04 is used to carry out evaluations.
Depending on the requirements of the SAP SRM 7.0 installation (should SAP SRM Server be available via the Internet?) and depending on the internal Security Policy, the following has to be carried out:
- SAP SRM Server 7.0: Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- SAP SRM-MDM Catalog 3.0: Enable SAP Web AS 7.01 Java SSL (configure HTTPS protocol)
- SAP NetWeaver Business Intelligence 7.01: Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM Server 7.0
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM-MDM Catalog 3.0
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP NetWeaver Business Intelligence 7.01
- Configure SSO between SAP SRM Server 7.0, SAP SRM-MDM Catalog 3.0 and SAP NetWeaver Business Intelligence 7.01
- If necessary, configure SNC connections between SAP SRM Server and the back-end system


- If necessary, configure SNC connections between SAP SRM Server/back-end system and SAP NetWeaver Business Intelligence 7.01
Note

The Extended Self-Service Procurement business scenario is almost the same as the standard Self-Service Procurement business scenario, except that it is extended by a SUS system that is connected to the SAP ECC system.
Spend Analysis

SAP SRM 7.0 enables you to consolidate data in SAP NetWeaver Business Intelligence and to carry out evaluations. The data for this comes from SAP SRM Server or its back-end system via RFC/SNC. Users access the reports via a Web front-end that is realized using BSP technology.
Note

If SAP NetWeaver Business Intelligence reports are also made available to suppliers, SAP NetWeaver Business Intelligence has to be accessible via the Internet. If it is only available to the purchasers, it depends on the individual realization of the scenario:
- Should the SAP SRM system landscape be available to the purchasers via the Internet or only via the Intranet?
- Does the internal security policy require that HTTPS be used for all Web-based applications?
Necessary steps:
- Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM-MDM Catalog
- If necessary, configure SNC between SAP SRM Server/back-end system and SAP Business Intelligence
Supplier Qualification

The business scenario Supplier Qualification provides functions that enable suppliers to register themselves with your company, maintain their master data and access procurement documents.
The Web front-end of SAP SRM Server (SUS) is realized using Business Server Pages (BSP) technology. Since suppliers log on to SAP SRM Server (SUS) via the Internet, we strongly recommend the use of the HTTPS protocol for SAP SRM Server (SUS).
Necessary steps:
- SAP SRM Server 7.0 (SUS): Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM Server 7.0 (SUS)


If SAP SRM Server is also to be accessed via the Internet, or depending on the internal Security Policy, it might be necessary to do the following:
- SAP SRM Server 7.0: Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- SAP NetWeaver Business Intelligence 7.01: Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM Server 7.0
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP NetWeaver Business Intelligence 7.01
- If necessary, configure SNC connections between SAP SRM Server and the back-end system
- If necessary, configure SNC connections between SAP SRM Server/back-end system and SAP NetWeaver Business Intelligence 7.01
- If necessary, connect SAP SRM Server 7.0, SAP SRM Server 7.0 (SUS), and SAP SRM-MDM Catalog via HTTPS, FTPS and SNC to SAP NetWeaver Usage Type Process Integration (SAP NW PI).
For more information, see the SAP NetWeaver Process Integration Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 Including Enhancement Package 1 → System Administration → Security Guide, and Network and Communication Security at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Including Enhancement Package 1 → System Administration → Security Guide → Network and Communication Security.
Procurement for Public Sector

For SAP Procurement for Public Sector, SAP SRM must be deployed as an extended classic scenario. Multi back-end deployment is not supported for SAP Procurement for Public Sector.
The security guidelines are relevant for the following PPS scenarios:
- Public Sourcing and Tendering
- Contract Management and Administration
- Operational Procurement
- Procurement Services
There are other components that can be used: SAP Document Builder 3.0, for creating documents; SAP SRM-MDM Catalog 3.0, for adding items from public catalogs into documents; and SAP NetWeaver Business Intelligence 7.01, for carrying out evaluations.
The SAP SRM Server Web front-end uses ABAP Web Dynpro technology. The Web front-end of SAP SRM-MDM Catalog 3.0 uses Java Web Dynpro technology. SAP NetWeaver Business Intelligence is realized using Business Server Pages (BSP) technology and Java Web Dynpro.
Depending on the requirements of the SRM 7.0 installation (should SAP SRM Server be available via the Internet?) and depending on the internal Security Policy, the following has to be carried out:
- Role-based access can be provided to the users for accessing specific PPS functions using the Procurement role that is part of the SRM 7.0 Business Package (EP 7.01)


- SAP Document Builder 3.0 can be integrated with the SRM Server using Web services technology or via SAP NetWeaver Usage Type Process Integration (SAP NW PI). (Configure HTTPS protocol for the URL)
- SAP SRM Server 7.0: Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- SAP SRM-MDM Catalog 3.0: Enable SAP Web AS 7.01 Java SSL (configure HTTPS protocol)
- SAP NetWeaver Business Intelligence 7.01: Enable SAP Web AS 7.01 ABAP SSL (configure HTTPS protocol)
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM Server 7.0
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM-MDM Catalog 3.0
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP NetWeaver Business Intelligence 7.01
- Configure SSO between SAP SRM Server 7.0, SAP SRM-MDM Catalog 3.0 and SAP NetWeaver Business Intelligence 7.01
- If necessary, configure SNC connections between SAP SRM Server and the back-end system
- If necessary, configure SNC connections between SAP SRM Server and the SAP Document Builder 3.0 system
- If necessary, configure SNC connections between SAP SRM Server/back-end system and SAP NetWeaver Business Intelligence 7.01
Supplier Self Services

The Supplier Self-Services (SUS) component is part of the Service Procurement and Plan-Driven Procurement scenarios. Depending on the landscape deployment, the component can be positioned in the intranet or in the DMZ. The security measures to implement depend on the deployment:
Behind the Firewall Scenario

SUS can be deployed either on a separate server or on the SAP SRM Server. When deployed on the SAP SRM Server, SUS can be activated in the same client or in a different client. For security reasons, we do not recommend having SUS in the same client as the SAP SRM Server in your productive environment. In all cases it is mandatory to have SAP NetWeaver Usage Type Process Integration (SAP NW PI) to integrate SAP SRM Server and SAP SRM Server (SUS).
For more information, see SAP Note 573383.
Similarly, for the Behind the Firewall deployment of the Plan-Driven Procurement scenario, SUS can be positioned either on a separate server or as an add-on on the same server as the SAP ERP Server.
For more information, see SAP Note 963000.
The Web front-end of SAP SRM Server (SUS) is realized using Business Server Pages (BSP) technology. Since suppliers log on to SAP SRM Server (SUS) via the Internet, we strongly recommend the use of the HTTPS protocol for SAP SRM Server (SUS).
SUS Server Outside the Firewall Scenario


In this case, it is only possible to implement SUS on a separate server, as the connection to the procurement systems is achieved using SAP NetWeaver Usage Type Process Integration (SAP NW PI).
Necessary steps:
- SAP SRM Server 7.0 (SUS): Enable SAP Web AS 7.01 ABAP SSL (configure the HTTPS protocol)
- Configure SAP NetWeaver Enterprise Portal (EP 7.01) for secure access/connection to and from SAP SRM Server 7.0 (SUS)
- If necessary, connect SAP SRM Server 7.0 and SAP SRM Server 7.0 (SUS) via HTTPS and SNC to SAP NetWeaver Usage Type Process Integration (SAP NW PI)
- If necessary, configure SNC connections between SAP NetWeaver Usage Type Process Integration (SAP NW PI) and the back-end system.
For more information, see the SAP NetWeaver Process Integration Security Guide at http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide, and Network and Communication Security at http://help.sap.com > SAP NetWeaver > SAP NetWeaver Including Enhancement Package 1 > System Administration > Security Guide > Network and Communication Security.

3 Technical System Landscape Information

3.1 Technical System Landscape


SAP SRM supports various presentation technologies on which the individual SAP SRM components
run and via which user access and data transfer occurs. The architecture, determined by the
respective presentation technology, is crucial for the security of an SAP SRM system. The architecture
determines the security concept.

3.2 Architecture
The architecture of an SAP SRM system landscape is heavily dependent on the security measures, which are in turn determined by the data to be transferred and the data channels.
In an SAP SRM system landscape, there are two types of channels for data exchange that require careful attention in terms of providing security during data exchange via external interfaces:
- Exchange of data via external user interfaces
- Exchange of data/documents via external system interfaces
In both cases, the SAP SRM security concept incorporates a Demilitarized Zone (DMZ) that is delimited by an internal and an external firewall. Within the DMZ there is an application gateway.
Recommendation

We recommend that you use SAP Web Dispatcher. URLs and ports for the systems behind the internal firewall can then be configured in any way and are not known to users outside of the external firewall. In this way, the SAP SRM security concept follows the usual SAP security standards that are used on a world-wide basis.
For more information about SAP Web Dispatcher security, see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Security Guides for SAP NetWeaver According to Usage Types > Security Aspects for Usage Type DI and other Development Technologies > Security Issues in Web Dynpro for ABAP.
Exchange of Data via External User Interfaces

Data exchange via external user interfaces occurs in SAP SRM in the following ways:

- Data exchange via the application gateway using ABAP Web Dynpro applications or Business Server Pages (BSP) technology. BSP is used for Supplier Self-Services (SUS) and Supplier Registration (ROS).
- Data exchange via the Java applet Live Auction Cockpit WPS (also via the application gateway)
Data Exchange via the Application Gateway for Applications with Web Front-Ends

The following SAP SRM scenarios, where the Web front-end is based on ABAP Web Dynpro or BSP technology, work on this principle:
- Self-Service Procurement
- Plan-Driven Procurement
- Service Procurement
- Catalog Content Management
- Spend Analysis
- Strategic Sourcing with Bidding Engine but without LAC WPS
- Contract Management

Figure 1: Basic Representation of the Communication Paths of the SRM Components to the Outside via the Application Gateway

The SAP Web Dispatcher functions as an application gateway and is used as a "software Web switch" between the Internet and your SAP SRM Server system, which consists of one or more Web Application Servers. You therefore have only one point of access for HTTP(S) requests in your system. Furthermore, SAP Web Dispatcher balances the load, so that the request is always sent to the server with the greatest capacity.
For more information about the SAP Web Dispatcher, see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Security Guides for SAP NetWeaver According to Usage Types > Security Aspects for Usage Type DI and other Development Technologies > Security Issues in Web Dynpro for ABAP.
The SAP SRM security concept, like that of all other SAP solutions, is entirely based on the general SAP security standards.
System Landscape Architecture

Figure 2:

For external access, a landscape as illustrated in the above figure is recommended. The landscape enables constraints on access to the external-facing portal and Web Dynpro applications through a Web Dispatcher configuration.
For more information, see also:
- SAP Note 517484
- http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Security Guides for SAP NetWeaver According to Usage Types > Security Guides for Usage Types EPC and EP > Portal Security Guide
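As an added illustration (not part of this guide or of any SAP-delivered configuration), the following SAP Web Dispatcher profile fragment, together with the permission file it references, expresses the landscape above in configuration: a single HTTPS entry point in the DMZ, plain HTTP redirected to HTTPS, back-end hosts and ports hidden behind URL-prefix routing, re-encryption towards the back-ends, and an allowlist that admits only the externally needed applications. The instance name, host names, ports, PSE paths and URL prefixes are assumptions, and the permission-file syntax and its first-match evaluation are stated from memory of the Web Dispatcher documentation rather than taken from this guide.

```ini
# ---- File 1: sapwebdisp.pfl (SAP Web Dispatcher profile) -------------------
# Constructed example: every host, port, SID and path below is an assumption.
SAPSYSTEMNAME = WD1
SAPSYSTEM = 00
INSTANCE_NAME = W00
DIR_INSTANCE = /usr/sap/WD1/W00
DIR_EXECUTABLE = $(DIR_INSTANCE)/exe

# One external entry point: HTTPS only.
icm/server_port_0 = PROT=HTTPS, PORT=443
# HTTP is opened solely so that it can be redirected; nothing is served in
# clear text, which also keeps the "same protocol everywhere" rule intact.
icm/server_port_1 = PROT=HTTP, PORT=80
icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https, PORT=443

# SSL: server PSE faces the Internet, client PSE is used for the re-encrypted
# hop to the back-ends (PSE locations are assumed).
ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
ssl/server_pse = $(DIR_INSTANCE)/sec/SAPSSLS.pse
ssl/client_pse = $(DIR_INSTANCE)/sec/SAPSSLC.pse
# 1 = terminate SSL here and open a new SSL session to the back-end, so the
#     hop across the internal firewall is not plain HTTP either.
wdisp/ssl_encrypt = 1
# Pass the client's original protocol through so that ABAP Web Dynpro, BSP
# and the portal generate https:// URLs rather than http:// ones.
wdisp/add_client_protocol_header = true

# Back-end systems behind the internal firewall. External clients only ever
# see the dispatcher; the answering system is chosen by URL prefix, so the
# internal hosts and ports never appear in any URL sent to a browser.
wdisp/system_0 = SID=SRM, MSHOST=srm-ms.corp.example, MSPORT=8100, SRCURL=/sap/bc/bsp/sap/srmsus/;/sap/bc/webdynpro/sap/;/sap/public/bc/
wdisp/system_1 = SID=EP1, EXTSRV=https://portal.corp.example:50001, SRCURL=/irj/;/webdynpro/

# URL permission table: allowlist what the Internet may reach at all.
icm/HTTP/auth_0 = PREFIX=/, PERMFILE=$(DIR_INSTANCE)/ptabfile

# ---- File 2: $(DIR_INSTANCE)/ptabfile (permission table) -------------------
# One rule per line: "P <pattern>" permits, "D <pattern>" denies. Assumed to
# be evaluated top to bottom with the first matching rule deciding, so the
# specific permits come first and the catch-all deny last.
P /sap/bc/bsp/sap/srmsus/*
P /sap/bc/webdynpro/sap/*
P /sap/public/bc/*
P /irj/*
D /sap/bc/gui/sap/its/*
D /sap/wdisp/admin/*
D *
```

The weak variant this replaces is a dispatcher that listens on HTTP as well as HTTPS without the redirect and has no permission file, which exposes every ICM service of the back-ends (for example the SAP GUI for HTML path denied above) to the external firewall's public side.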

Data Exchange via Java Applet Live Auction Cockpit WPS

In the SAP SRM business scenario Strategic Sourcing, a Java applet is loaded in the browser of an external supplier for live auctions (not for auctions via the Sourcing application in SAP SRM Bidding Engine). This applet communicates with the server part of LAC on the SAP J2EE Engine 7.01 via the application gateway.

Figure 3: Basic Representation of the Communication Paths of the SAP SRM Components Including LAC WPS 7.0 to the Outside

The ABAP Sourcing application allows external suppliers to participate in bid invitations that are created and evaluated using SAP Bidding Engine. Auctions can be converted into live auctions and are then processed in LAC.
LAC is a Java component (LAC WPS) on the presentation level whose runtime environment is the J2EE Engine of SAP Web AS 7.01.
LAC WPS consists of a server part that runs on the J2EE Engine and a Java applet that is loaded into the browser of the user and executed locally there. The applet communicates via HTTP(S) with the server part. The server communicates with SAP SRM Server via RFC. A digitally signed version of the Java applet for the functions Approval Preview and Follow-On Documents (document history) is available in addition to the unsigned applet currently in use.
Communication between the Java applet and the LAC WPS server occurs just like any other HTTP(S)-based communication with the Internet, via the application gateway in the DMZ. (Each type of communication with the Internet that occurs via HTTP(S) makes use of the application gateway.)
All security aspects are dealt with by SAP Web AS.

Exchange of Data/Documents via External System Interfaces

Figure 4: Exchange of Data/Documents via External System Interfaces

In an SAP SRM system landscape, SAP NetWeaver Usage Type Process Integration (SAP NW PI) is used to transfer data in the form of documents via external system interfaces. Here, too, SAP NW PI is connected to the Internet via the SAP Web Dispatcher located in the DMZ.
All security aspects are dealt with by SAP Web Dispatcher and SAP NW PI.
For more information, see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Security Guides for SAP NetWeaver According to Usage Types > Security Guides for Usage Type PI.

4 Network and Communication Security

4.1 Communication Channel Security


This section deals with measures to protect data transfers from unauthorized access.
Data transfer is by means of HTTPS (SSL encryption), which is also used in SAP system landscapes.
Caution

We recommend using the same protocol, either HTTP or HTTPS, consistently in all system objects. This means that all the deployed objects have to be configured in exactly the same way regarding HTTP(S) throughout. This is done especially to avoid problems caused by JavaScript-based communication between the individual layers.
The mechanisms to use for transport layer security and encryption depend on the protocols used. For Internet protocols such as HTTP, you can use the Secure Sockets Layer (SSL) protocol to provide the protection. For SAP protocols such as dialog and RFC, you can use Secure Network Communications (SNC).
For more information, see Network Security for SAP Web AS ABAP and Network Security for the SAP J2EE Engine for an overview of the corresponding SAP Web AS connections and the security mechanism to use.
We recommend that you consult the following documentation in the SAP NetWeaver Process Integration Security Guide at http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide, and Network and Communication Security at http://help.sap.com > SAP NetWeaver > SAP NetWeaver Including Enhancement Package 1 > System Administration > Security Guide > Network and Communication Security.
See the following sections under Network and Communication Security:
- Basic Network Topology for SAP Systems
  - Network Services
  - Using Firewall Systems for Access Control
    - Application-Level Gateways Provided by SAP
      - Example Network Topology Using an SAProuter
      - Example Network Topology When Using SAP Remote Services
  - Using Multiple Network Zones
  - Transport Layer Security
    - Secure Network Communications (SNC)
    - SNC-Protected Communication Paths in SAP Systems
  - Additional Information on Network Security

Documentation available at http://help.sap.com.


Enabling SSL (HTTPS) for SAP Web Application Server 7.01

This section is relevant for all Web applications that are based on ABAP Web Dynpro or on BSP, that is, all scenarios with the exception of Strategic Sourcing with LAC WPS 7.0.
This safeguards data against unauthorized access when business data is exchanged between SAP SRM and external systems, especially in the case of data exchange with supplier systems via the Internet.
The electronic exchange of business data between SAP SRM and a connected supplier must also be protected. Purchase orders and shipping notifications contain confidential information that an SAP SRM customer wants to protect from unauthorized access. Here also, SAP SRM makes use of the standard Internet features. With the HTTP adapter, SAP Exchange Infrastructure supports the Secure HTTP protocol. By means of this protocol, all data is protected during the entire transfer from the sending system to the receiving system. As for the automatic authentication of the participating systems, SAP SRM relies on the exchange of certificates, which guarantees state-of-the-art security.
The communication channels within the SAP SRM system landscape can be made secure using HTTPS (SSL). However, this encryption technology only makes sense if it is applied to all channels, so that overall security is achieved.
Before making the SSL settings for SAP Web AS 7.01, see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Network and Communication Security > Transport Layer Security.
SAP NetWeaver Enterprise Portal and Web Dynpro SSL Configuration

Enter SSL in SAP NetWeaver Enterprise Portal system maintenance for the SAP SRM system entry and enable SSL for the SAP NetWeaver Enterprise Portal server as well.
For more information, see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Network and Communication Security > Transport Layer Security, and SAP Note 510007.
Enabling SSL for J2EE 7.01

This section is relevant if you want to implement the SAP SRM scenario Strategic Sourcing with LAC WPS 7.0 (LAC WPS runs on the J2EE Engine of SAP Web AS 7.01).
For more information about how to configure SSL for LAC WPS 7.0, see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Network and Communication Security.
Secure Connection of Application Systems to SAP NetWeaver Usage Type Process Integration (SAP NW PI)

All SAP NW PI runtime components using the HTTP protocol support the encryption of the HTTP data stream by means of the SSL protocol, also known as HTTPS.
Depending on the protocol used, all data (including passwords) is transmitted through the network (intranet or Internet) in plain text. To maintain the confidentiality of this data, you can apply transport layer encryption to the connections between the business systems, the Integration Server, the adapters, and the Web browser.
Recommendation

We especially recommend that you use encryption when you transmit passwords, orders, company-specific information, or any other data that you consider sensitive.
You can use Secure Sockets Layer (SSL) or Secure Network Communications (SNC) to increase the security of the following connections:
- Between adapters and Integration Server
- Between business systems and Integration Server
- Between PCK and Integration Server
- Between business systems and adapters
Adapters, business systems, and Integration Servers communicate with each other using the RFC or HTTP protocol, which can be secured by SNC or SSL respectively.
For more information, see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Security Guides for SAP NetWeaver According to Usage Types > Security Guide for Usage Type PI > SAP NetWeaver Process Integration Security Guide.
Integration of SAP SRM Server into SAP NetWeaver Enterprise Portal

Ensure that you have downloaded all of the relevant portal roles for SAP SRM 7.0 from SAP Service Marketplace at service.sap.com/swdc. Here you can also find the current Business Package for SAP SRM 7.0.
For more information, see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Security Guides for SAP NetWeaver According to Usage Types > Network and Communication Security > Security Guide for Usage Types EPC and EP > Portal Security Guide.
Caution

- The SAP NetWeaver Enterprise Portal and the connected back-end systems must use the same protocol (both use HTTP or both use HTTPS; no other combination is possible).
- The SAP NetWeaver Enterprise Portal and the connected back-end system must be in the same domain.
- If you wish to implement your own SAP SRM Server ABAP Web Dynpro based applications, you must ensure that the iViews have EPCF level "2".

4.2 Network Security


SAP SRM is a solution with many external interfaces, including interfaces to the Internet. This makes SAP SRM vulnerable to attempts from outsiders to access confidential data. Indeed, studies have shown that unauthorized access by internal employees also represents a considerable risk. As a pure business solution, SAP SRM can offer protection in this regard based on the Authorization Concept within SAP Web AS.
For more information, see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > User Administration and Authentication > User Management.
SAP SRM is embedded in a comprehensive protection concept that offers protection on a physical level and also, through additional firewalls, protected access to all levels of an IT infrastructure.
We recommend protecting the different SAP SRM components using appropriate firewalls. This includes setting up a DMZ (Demilitarized Zone) that protects all critical components from direct access via the Internet. Furthermore, we recommend installing protection against access to the entire data store of the various SAP SRM application components.
- For more information on firewalls and the relevant settings, see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Network and Communication Security > Using Firewall Systems for Access Control.
- For more information on the settings for Secure Network Communications (SNC), see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Security Guides for SAP NetWeaver According to Usage Types > Security Guide for Usage Type AS.

4.3 Communication Destinations


All relevant communication destinations (such as RFC, IDoc, and so on) for SAP SRM are described in SAP Solution Manager. You find this information in the Solution Manager at Configuration > SAP SRM 7.0 > Basic Settings.
For more information about the SAP SRM 7.0 Solution Manager content, see SAP Note 1230438.

5 Data Storage Security Information

5.1 Data Storage Security


SAP SRM runs using SAP standard technologies only and does not use any external tools. The UI is
realized using ABAP Web Dynpro. This means that there are no persistent cookies and authentication
data beyond the usual amount.
For more information about security aspects of ABAP Web Dynpro, see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Security Guides for SAP NetWeaver According to Usage Types > Security Aspects for Usage Type DI and Other Development Technologies.
Data Storage

Security-relevant and personal data (for users and business partners) is stored in the standard SAP
database tables. Access to these tables is protected by the SAP authorization checks.

6 Auditing and Logging

This function allows users to log changes to various SAP objects in order to appraise and retrace them. To fulfill the legal auditing and logging requirements, SAP NetWeaver provides standard tools and functions.
For more information about auditing and logging tools, see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Security Aspects for System Management > Auditing and Logging.
The most relevant items regarding auditing and logging in SAP SRM are specified below:
Version History of SU01-User and Business Partner

SU01-User
Using the standard transaction SU01 under Information > Change Documents for Users, a log table is displayed. This table lists all the actions that have changed user data so far:
Figure 5:


You can also use transaction SUIM to enter the User Information System, which provides you with a wide range of functions relating to user history:
Figure 6:

Business Partner
Using the standard transaction BP, under Extras > Change History > For This Partner, a log table is displayed depending on a selected field. The table contains all the changes ever carried out:

Figure 7:
Figure 8:
Figure 9:

Change Documents of Business Documents

Change documents are another logging tool available to you. A change document logs changes to a business object. You access the change documents by selecting Tracking > Change Documents from within the corresponding business document. This view shows every change made to the business document down to the field level.

Figure 10:

Change documents for SAP SRM-specific infotypes

Changes to the following set of tab cards in transaction PPOMA_BBP can be monitored by change documents:

Tab Card               Infotypes
Function               5500 EBP Function
Responsibility         5501 EBP Product Responsibility
Extended Attributes    5502 EBP Location; 5503 EBP Order Value Limits

You activate change documents in the Customizing table T77CDOC_CUST.
The report RHCDOC_DISPLAY enables you to display the change documents created for changes made to Personnel Planning infotypes.

Figure 11:

Note that if you activate the creation of change documents for all Personnel Planning infotypes, for
example, the system performance deteriorates. Therefore, you should only activate the creation of
change documents for the combination of plan version, object type, and infotype/subtype for which
you require this function.
Application Monitoring

SAP SRM provides a number of application monitors to evaluate various critical system and
document statuses, changes, and errors. The monitoring results are only available in the portal
to the administrator and are presented in graphical form in an iView in the Administration Work
Center. Authorization to view and process alerts is handled by portal role and iView assignment as
well as in authorization object BBP_FUNCT (MON_ALERTS). The monitoring information is read
from the SAP SRM back-end, and is recorded in the Statistic Records in CCMS (monitors under:
SAP Enterprise Buyer Monitors).

Figure 12:

7 User Administration and Authentication Information

7.1 User Administration and Authentication


This section describes how user data is protected from unauthorized access and the aspects of
authorization.
User Administration and Authentication is based on standard SAP NetWeaver Application Server
functionality. At a minimum, users need to be authenticated on the SAP NetWeaver Portal, based
on SAP NetWeaver Application Server Java, and the SAP SRM Server, based on SAP NetWeaver
Application Server ABAP.
For more information about User Administration and Authentication, see:
- http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > User Administration and Authentication
- http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Security Guides for SAP NetWeaver According to Usage Types > Security Guide for Usage Type AS > SAP NetWeaver Application Server ABAP Security Guide
- http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Security Guides for SAP NetWeaver According to Usage Types > AS > SAP NetWeaver Application Server Java Security Guide > User Administration and Authentication
- http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Security Guide for Usage Types EPC and EP > Portal Security Guide > User Administration and Authentication

7.2 User Management


SAP SRM supports user authentication using user accounts and passwords. It also supports
user authentication using X.509 certificates and, this way, integrates seamlessly with public key
infrastructure.
SAP SRM supports SAP SRM Server roles and portal roles.
New users can only be created by the user administrator or by a manager. In the case of
self-registration by new users, the actual release of the new account has to be approved by the user
administrator or manager.

7.3 Integration into Single Sign-On Landscapes


Support of Single Sign-On on SAP SRM

SAP SRM consists of a range of different application components, and certain SAP SRM users must access several of these applications. Therefore, the support of Single Sign-On (SSO) is a significant benefit. In SAP SRM the standard SSO mechanism is used: the initial application generates the SSO cookie, which is stored in the user's Web browser, and the other applications accept it. For security reasons, the cookie is placed in main memory only and is automatically deleted as soon as the user actively logs off or closes the browser. Using this cookie, users can access all SAP SRM applications for which they are authorized without having to authenticate themselves again. When the user accesses applications based on SAP back-end systems, the cookie is converted to an SAP Logon Ticket on the fly.
Single Sign-On in SAP SRM is supported with the SAP NetWeaver Portal.
For more information on SSO and authentication methods on SAP Web AS, see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > Security Guides for SAP NetWeaver According to Usage Types > Security Guide for Usage Type AS > SAP NetWeaver Application Server ABAP Security Guide > User Authentication.

8 Authorization Information

8.1 Authorizations
In SAP SRM one or more predefined roles are assigned to each user or user account. Depending on
the role, the user is authorized to carry out certain transactions and access certain data. In addition,
each user or user account is assigned to its company and/or organizational unit. By way of this
assignment, the user inherits additional attributes that further restrict access, for example, employees
may only assign purchase orders to their own cost centers.
In the standard SAP SRM delivery, customers receive predefined role templates that they can extend
or adapt to their specific requirements. The standard roles include roles for managers, employees,
and so on.
Individual users access SAP SRM transactions and data via their browsers and in doing so transfer sensitive, confidential data. This information must be protected against unauthorized access. As standard, this is taken care of by encrypting all data during the transfer from the Web server to the browser. SAP SRM follows the standard in this case and supports secure HTTP.
Roles for System Configuration

Users wanting to set up or configure an SAP SRM Server system are assigned to the SAP SRM
Administrator role, which provides them with the required authorizations. The necessary Customizing
authorizations ensure that these setup users are able to carry out IMG projects.
For more information, see http://help.sap.com > SAP NetWeaver > SAP NetWeaver 7.0 Including Enhancement Package 1 > System Administration > Security Guide > User Administration and Authentication > User Management.
Caution

SAP SRM does not supply separate Customizing or setup roles. Instead, you should use the functions
provided in Role Maintenance (transaction PFCG). Here you can define a role corresponding
to your individual IMG project with all the authorizations you need to access the corresponding
IMG activities.

8.2 ABAP Roles for SAP SRM Server 7.0


The following roles are delivered:

Technical Name                  Description
/SAPSRM/ACCOUNTANT              SAP SRM: Invoice Verification Clerk
/SAPSRM/ADMINISTRATOR           SAP SRM: Administrator
/SAPSRM/BIDDER                  SAP SRM: Bidder
/SAPSRM/EMPLOYEE                SAP SRM: Employee
/SAPSRM/EMPLOYEE_SAVE           SAP SRM: Employee
/SAPSRM/ENTERPRISE_SERVICES     SAP SRM: Authorization for accessing SRM Enterprise Services
/SAPSRM/MANAGER                 SAP SRM: Manager
/SAPSRM/OP_PURCHASER            SAP SRM: Operational Purchaser
/SAPSRM/PLANNER                 SAP SRM: Component Planner
/SAPSRM/RECIPIENT               SAP SRM: Internal Dispatcher
/SAPSRM/SECRETARY               SAP SRM: Purchasing Assistant
/SAPSRM/ST_PURCHASER            SAP SRM: Strategic Purchaser
/SAPSRM/SUPPLIER                SAP SRM: Supplier
/SAPSRM/SURVEY_OWNER            SAP SRM: Survey Responsible
/SAPSRM/SURVEY_REVIEWER         SAP SRM: Survey Reviewer

With SAP SRM 7.0 a new naming convention has been introduced. All roles related to SAP SRM Server 7.0 are in the namespace /SAPSRM/*.
All the roles have been redefined, and all unnecessary authorizations have been deleted. This means that the roles must be copied to the customer namespace and maintained there.

8.3 ABAP Roles for SAP SRM Server 7.0 (Procurement for Public Sector)

Technical Name                  Description
/SAPSRM/SUS_ADMIN_PURCHASER     SAP SRM SUS: Administrator Purchaser
/SAPSRM/SUS_ADMIN_SUPPLIER      SAP SRM SUS: Administrator Supplier
/SAPSRM/SUS_BIDDER              SAP SRM SUS: Bidder
/SAPSRM/SUS_DISPATCHER          SAP SRM SUS: Dispatcher
/SAPSRM/SUS_INVOICER            SAP SRM SUS: Invoicing Party
/SAPSRM/SUS_MANAGER             SAP SRM SUS: Manager
/SAPSRM/SUS_ORDER_PROCESSOR     SAP SRM SUS: Order Processor
/SAPSRM/SUS_ROS_PROCESSOR       SAP SRM SUS: Supplier Screener
/SAPSRM/SUS_SAR_PROCESSOR       SAP SRM SUS: Scheduling Agreement Release Processor
/SAPSRM/SUS_SERVICE_AGENT       SAP SRM SUS: Service Agent
/SAPSRM/SUS_SERVICE_MANAGER     SAP SRM SUS: Central Service Entry Clerk
/SAPPSSRM/BIDDER                SAP SRM PPS: Bidder
/SAPPSSRM/EMPLOYEE              SAP SRM PPS: Employee
/SAPPSSRM/MANAGER               SAP SRM PPS: Manager
/SAPPSSRM/PROCUREMENT           SAP SRM PPS: Procurement
/SAPPSSRM/REQUISITIONING        SAP SRM PPS: Requisitioning

With SAP SRM 7.0 a new naming convention has been introduced. All roles related to SAP SRM 7.0 (Procurement for Public Sector) are in the namespace /SAPPSSRM/*.
All the roles have been cleaned out, and all unnecessary authorizations have been deleted. This means that the roles must be copied to the customer namespace and maintained there.
Furthermore, all wildcard (*) authorization values have been removed.

8.4 ABAP Roles for SAP SRM 7.0 (SUS)


The following roles are delivered:
Technical Name

Description

/SAPSRM/SUS_ADMIN_PURCHASER

SAP SRM SUS: Administrator Purchaser

/SAPSRM/SUS_ADMIN_SUPPLIER

SAP SRM SUS: Administrator Supplier

/SAPSRM/SUS_BIDDER

SAP SRM SUS: Bidder

/SAPSRM/SUS_DISPATCHER

SAP SRM SUS: Dispatcher

/SAPSRM/SUS_INVOICER

SAP SRM SUS: Invoicing Party

/SAPSRM/SUS_MANAGER

SAP SRM SUS: Manager

/SAPSRM/SUS_ORDER_PROCESSOR

SAP SRM SUS: Order Processor

/SAPSRM/SUS_ROS_PROCESSOR

SAP SRM SUS: Supplier Screener

/SAPSRM/SUS_SAR_PROCESSOR

SAP SRM SUS: Scheduling Agreement Release


Processor

/SAPSRM/SUS_SERVICE_AGENT

SAP SRM SUS: Service Agent

/SAPSRM/SUS_SERVICE_MANAGER

SAP SRM SUS: Central Service Entry Clerk


With SAP SRM 7.0, a new naming convention has been introduced. All roles related to SAP SRM 7.0
(SUS) are in the namespace /SAPSRM/SUS_*.
All the roles have been cleaned out and all unnecessary authorizations have been deleted. This
means that the roles must be copied to the customer namespace and maintained there.
Furthermore, all wildcard (*) authorization values have been removed.

8.5 Portal Roles (for NetWeaver Portal 7.01)


The following roles are delivered:

Technical Name                                       Description
com.sap.pct.srm.com.ro_srmportaltoolkit              SRM Portal Toolkit
com.sap.pct.srm.core.ro_bidder                       Bidder
com.sap.pct.srm.core.ro_componentplanner             Component Planner
com.sap.pct.srm.core.ro_employeeselfservice          Employee Self-Service
com.sap.pct.srm.core.ro_goodsrecipient               Goods Recipient
com.sap.pct.srm.core.ro_invoicer                     Invoicer
com.sap.pct.srm.core.ro_manager                      Manager
com.sap.pct.srm.core.ro_operationalpurchaser         Operational Purchaser
com.sap.pct.srm.core.ro_purchasingassistant          Purchasing Assistant
com.sap.pct.srm.core.ro_srmadministrator             SRM Administrator
com.sap.pct.srm.core.ro_strategicpurchaser           Strategic Purchaser
com.sap.pct.srm.core.ro_supplier                     Supplier
com.sap.pct.srm.core.ro_survey_owner                 Supplier Survey Cockpit
com.sap.pct.srm.core.ro_survey_reviewer              Supplier Survey Cockpit
com.sap.pct.srm.oneclnt.ro_invoicer                  Invoicer
com.sap.pct.srm.oneclnt.ro_supplier                  Supplier
com.sap.pct.srm.gp.ro_bidder                         Bidder
com.sap.pct.srm.gp.ro_employeeselfservice            Employee Self-Service
com.sap.pct.srm.gp.ro_manager                        Manager
com.sap.pct.srm.gp.ro_procurement                    Procurement
com.sap.pct.srm.gp.ro_requisitioning                 Requisitioning
com.sap.pct.srm.suite.ro_operationalpurchaser_erp    Operational Purchaser (ERP)
com.sap.pct.srm.suite.ro_operationalpurchaser        Operational Purchaser (ERP/SRM)


com.sap.pct.srm.suite.ro_strategicpurchaser_erp      Strategic Purchaser (ERP)
com.sap.pct.srm.suite.ro_strategicpurchaser          Strategic Purchaser (ERP/SRM)


8.6 Changes to the Authorization Check


The following authorization objects have been extended or newly created for SAP SRM 7.0:

Authorization Object   Technical Name   New or Extended (Description)
BBP_ADVS               BBP_ADVS         New: SRM: Advanced Search.
                                        This object is used to define which Business Objects
                                        are available in the Advanced Search.
BBP_BID_EV             BBP_BID_EV       New: SRM Bid Evaluation
BBP_ROLE               BBP_ROLE         New: SRM: User Function/Role.
                                        This object is used to identify the role of the
                                        particular user in the system, such as Employee or
                                        Operational Purchaser.

8.7 Business Add-In to Restrict Visibility of Product Categories

By default, the input help for product categories, which users with the bidder role can open during
bid processing or RFx response processing, displays all available product category values. If you
want to restrict the visibility of product category values for users with the bidder role, you can do
this by implementing the method GET_CATEGORY in the Business Add-In (BAdI) BBP_F4_READ_ON_EXIT.
Once the BAdI has been implemented, only those product category values that were defined
using GET_CATEGORY can be selected by the user.

9 Appendix

9.1 Data Privacy Statement


In the SAP SRM system, personal user data, such as the name and address, is saved in the user master
record. To comply with legal requirements, functionality is available that allows this user data to be
saved and used only if the affected user actively consents. For this purpose, a text is displayed on
the relevant interfaces, and the user must select a checkbox at the end of the text before the data
is saved. The checkbox is not set initially.
Caution

In some countries, depending on the valid legal regulations, explicit written consent from external
partners, such as suppliers, may be necessary.
You can activate the data privacy function for the following services:
- Supplier Registration (SAP SRM) and Supplier Registration (SUS)
  In these cases the supplier, as an external user, selects the checkbox to allow the supplier data
  to be saved.
- Business Partner Maintenance (SAP SRM) and User Maintenance (SUS)
  The internal processor selects the checkbox and thus confirms that the external user, whose data
  is being processed, is aware of and consents to the data being saved.
Customizing

To make the Customizing settings for the data privacy statement for SAP SRM, see Customizing
under SAP Implementation Guide -> SAP Supplier Relationship Management -> SRM Server -> Master Data
-> Business Partner -> Specify Data Privacy Settings for Suppliers.
To make the Customizing settings for SUS, see Customizing under SAP Implementation Guide -> SAP
Supplier Relationship Management -> Supplier Self-Services -> Settings for the User Interface ->
Specify Data Privacy Settings for Suppliers.
In these Customizing tables you can activate or deactivate the data privacy function and define
the technical names of the texts to be displayed.
Note

The texts that are displayed to the external user on self-registration and to the internal user when
maintaining business partners are predefined in the system as General Texts. You can use transaction
SE61 to copy them and modify them to suit your requirements.


9.2 Virus Checking of Document Attachments


SAP SRM provides you with the opportunity to check documents that you attach to SAP SRM
documents with a virus scanner before they are stored in the database.
You must have a virus scanner installed and must have configured it correctly. For more information,
see Customizing under SAP Implementation Guide -> SAP Supplier Relationship Management -> SRM Server
-> SAP Web Application Server -> Application Server -> System Administration -> Virus Scanner Interface.
The virus scanning functions in SAP SRM are activated when you implement BAdI
BBP_ATT_CHECK. SAP supplies BAdI BBP_ATT_VIRSCAN as an example implementation. The
interface contains the structure that SAP SRM uses to store attachments. The field
PHIO_FNAME contains the file name and the tabular field PHIO_CONTENT contains the file part
of the attachment (where the actual file is stored). Viruses are dealt with in the implementation;
for example, the data part is deleted.
Function BBP_PD_MSG_ADD should also be used in the implementation, as it communicates messages
(such as warnings, additional information, and errors) to a central log, from which they are
transferred to the user interface.
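The implementation described above, written out as an added example; it is not SAP's delivered BBP_ATT_VIRSCAN code. Assumed rather than taken from the guide: the BAdI method name CHECK_ATTACHMENT and its changing parameter CS_ATTACHMENT (a structure with PHIO_FNAME and the table field PHIO_CONTENT), the 1022-byte raw line width of PHIO_CONTENT, the parameter names of CL_VSI and BBP_PD_MSG_ADD (quoted from memory, to be checked against the class and function definitions in the system), the scan profile and the custom message class ZATT.

```abap
" Added example (not SAP's delivered BBP_ATT_VIRSCAN code); see the lead-in
" for the names that are assumed rather than taken from the system.
CLASS zcl_im_att_virscan DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    INTERFACES if_ex_bbp_att_check.
  PRIVATE SECTION.
    " Scan profile; must be active in transaction VSCANPROFILE (assumed choice).
    CONSTANTS gc_profile TYPE vscan_profile VALUE '/SCMS/KPRO_CREATE'.
    METHODS log_message
      IMPORTING iv_msgno TYPE symsgno
                iv_fname TYPE symsgv.
ENDCLASS.

CLASS zcl_im_att_virscan IMPLEMENTATION.

  METHOD if_ex_bbp_att_check~check_attachment.
    DATA: lo_scanner TYPE REF TO cl_vsi,
          lv_data    TYPE xstring,
          lv_length  TYPE i,
          lv_rc      TYPE vscan_rc,
          lv_fname   TYPE symsgv.

    lv_fname = cs_attachment-phio_fname.

    " An attachment without a data part has nothing to scan.
    IF cs_attachment-phio_content IS INITIAL.
      RETURN.
    ENDIF.

    " Reassemble the raw lines of PHIO_CONTENT into one byte string. A padded
    " last line is scanned including its padding, which is harmless.
    lv_length = lines( cs_attachment-phio_content ) * 1022.  " assumed raw line width
    CALL FUNCTION 'SCMS_BINARY_TO_XSTRING'
      EXPORTING  input_length = lv_length
      IMPORTING  buffer       = lv_data
      TABLES     binary_tab   = cs_attachment-phio_content
      EXCEPTIONS failed = 1 OTHERS = 2.
    IF sy-subrc <> 0.
      " Fail closed: content that cannot be read cannot be declared clean.
      CLEAR cs_attachment-phio_content.
      log_message( iv_msgno = '001' iv_fname = lv_fname ).
      RETURN.
    ENDIF.

    " Get a scanner for the profile from the Virus Scan Interface (CL_VSI).
    cl_vsi=>get_instance( EXPORTING  if_profile  = gc_profile
                          IMPORTING  eo_instance = lo_scanner
                          EXCEPTIONS OTHERS      = 1 ).
    IF sy-subrc <> 0 OR lo_scanner IS NOT BOUND.
      " Fail closed again: an inactive or unreachable scanner must not let
      " the file through silently.
      CLEAR cs_attachment-phio_content.
      log_message( iv_msgno = '002' iv_fname = lv_fname ).
      RETURN.
    ENDIF.

    lo_scanner->scan_bytes( EXPORTING  if_data   = lv_data
                            IMPORTING  ef_scanrc = lv_rc
                            EXCEPTIONS OTHERS    = 1 ).

    " Return code 0 means the scan ran and found nothing. Anything else
    " (virus found, scan aborted, exception) deletes the data part, as the
    " guide describes, and logs an error that reaches the user interface.
    IF sy-subrc <> 0 OR lv_rc <> 0.
      CLEAR cs_attachment-phio_content.
      log_message( iv_msgno = '003' iv_fname = lv_fname ).
    ENDIF.
  ENDMETHOD.

  METHOD log_message.
    " Hand an error to the central document log via BBP_PD_MSG_ADD; the
    " application transfers it to the user interface. Message class ZATT with
    " numbers 001-003 is assumed, e.g. 003 = 'Attachment &1 rejected: virus found'.
    CALL FUNCTION 'BBP_PD_MSG_ADD'
      EXPORTING i_msgty = 'E'
                i_msgid = 'ZATT'
                i_msgno = iv_msgno
                i_msgv1 = iv_fname.
  ENDMETHOD.

ENDCLASS.
```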

9.3 Additional Related Guides


Area/Topic            Guide/Documentation            Link
SAP SRM               SAP SRM Master Guide           http://service.sap.com/instguides -> SAP Business Suite
                                                     Applications -> SAP SRM -> Using SAP SRM Server 7.0 ->
                                                     Master Guide SAP SRM
SAP SRM NetWeaver     SAP NetWeaver Security Guide   http://help.sap.com -> SAP NetWeaver -> SAP NetWeaver
                                                     Including Enhancement Package 1 -> System Administration
                                                     -> Security Guide

9.4 Additional Information


Special Information for Live Auction Cockpit 7.0

(Only relates to the SAP SRM scenario Strategic Sourcing with LAC WPS 7.0.)
Which part of Live Auction Cockpit should be set up in which network segment?

The client portion of Live Auction Cockpit (Java applet) is deployed on the Internet. The applet
communicates with LAC on J2EE server. Therefore the external user has to allow the applet to
be downloaded.


The server portion (Web AS) should be located on the LAN.


The SAP system (ERP) should be located on the LAN.
Where exactly is data stored?

System configuration data is stored in properties files on the Web AS. (System configuration data
is shipped with the system.)
Runtime transactional data is stored in the database of the SAP system. (Transactional data is stored
during runtime of the application.)
No temporary data is stored anywhere else.
Which type of data access is required at what point in time?

Read access of system configuration data is required during server start-ups.


Read and write accesses to transactional data are required during runtime.
What level of protection is recommended for which data?

Administration system permissions should be used to restrict access to the Live Auction Cockpit
properties configuration in the Web AS Visual Administrator. Customers must ensure that only
system administrators have access to the Web AS Visual Administrator. Configuration data in the
Web AS Visual Administrator is protected by a password.
Note

Password Encryption
Access to the SAP Web AS Visual Administrator needs a password:
This password is set during the installation of Web AS. For the LAC scenario, the username is
J2EE_ADMIN and the password is the one set by the first user.
Before deployment of the application only a dummy password is stored as a file in the deployment EAR
file. Once the application is deployed, the value is internally encrypted in the database in J2EE and
can only be accessed through J2EE Visual Administrator.
After the deployment, you must change the password via the Visual Administrator. (The Visual
Administrator tool can be configured for the use of SSL so the communication between Visual
Administrator and J2EE server can be secured.)
In the User Management Engine (UME) of the J2EE Engine, the properties values are stored in the
same way. It is not necessary to encrypt the content of the password to be stored as real values in DB
since communication between Visual Administration and J2EE server can be secure as well.
RFC users should be created for RFC/JCo connections to the SAP systems.
JCO-RFC-Password for Live Auction Cockpit to SAP SRM server:
The dummy password that is stored in the LAC deployable application is required for the RFC
connection between the Live Auction Cockpit application and the SAP SRM Server. Once Web
AS has been installed and the LAC application has been deployed, it is necessary to use the Web
AS Visual Administrator to configure this JCO-RFC-Password/ Username so that the Live Auction


Cockpit application can run. (At present, this JCO RFC password is masked as ***** when it is
entered, as in transaction SU01 in the SAP back-end system. Only a user with administrator
authorization on the J2EE Engine can reset the password, again as in transaction SU01 in the SAP
back-end system.)
Does the application require an Internet browser as the user interface?

The Live Auction Cockpit client (Java applet) requires an Internet browser.
Cookies are only used by User Management Engine (UME) for Single Sign-On (SSO) tickets.
Which RFC/JCo destinations are delivered/required?

The Live Auction Cockpit application establishes RFC connections via JCo.
(There is no need to maintain RFC destinations in transaction SM59 for Live Auction Cockpit since
the JCo server is not used.)
What is the minimum authorization required by the communication user for RFC/JCo connections?

The communication user can be defined as a system user in a production system where there is no
need for JCo/ABAP debugger.
If the debugger needs to be used, the communication user must be defined as a dialog user.
Furthermore, the user must have both purchaser and supplier profiles for Live Auction Cockpit. (In a
productive system, a dialog (RFC) user always represents a limited security risk.)
SSO and SAP Logon Tickets

The Live Auction Cockpit application uses UME API to verify Single Sign-On tickets. No user data is
replicated since all user data is in SAP Bidding Engine in SAP SRM Server. (User data synchronization
is not required.)
By default, the Live Auction Cockpit application accepts SAP Logon Tickets.
- Details of the login scenario for Live Auction: Purchaser and Bidder log into SAP SRM through the
  standard login page.
- Inside the Bidding Engine auction user interface (Sourcing), the Live Auction Cockpit applet is
  launched.
- For Single Sign-On and user validation, the Java user management client is used.
- If the applet's URL is typed directly into the browser window, the user is validated through the
  UME Logon Applet and redirected to a UME login page. After successful login, the user is directed
  back to the applet.

Figure 13:

Digitally-signed Java applet

As of SAP SRM 5.0/LAC WPS 5.0 the Java applet is digitally signed. The user must confirm that he
or she agrees to this usage.
Authorization and roles

No roles are delivered with Live Auction Cockpit. All roles are delivered with SAP SRM Server.
Customers do not need to create any additional roles.
Are authorization technologies other than roles used?

Yes. Bidders must be added to an auction's invitation list to view and bid on that auction using Live
Auction Cockpit.
Bidders are added to this invitation list (in the SAP SRM Server system) when the auction is created,
since this is a private auction (SAP Bidding Engine) with no self-registration or subscription.
User interface settings

Live Auction Cockpit can preserve and restore various user interface (UI) settings so that the end
users do not need to adjust the UI each time they log in. These settings include:
- Divider location
- Dropdown box selection
- Tab selection
- Table column order
- Table column width

All UI settings are stored in a browser cookie. Therefore, the user's web browser must be configured
to accept cookies to take advantage of this feature. If the user's web browser is configured to block
cookies, UI settings are not preserved. However, all other Live Auction Cockpit features remain
functional.
Note

No personal information is stored in the browser cookie.


Special Information for SRM-MDM Catalog

For information about SRM MDM Catalog, see http://service.sap.com/installmdm.


Special Consideration for Offline Bidding

In SAP SRM, offline bidding using e-mail is possible. However, offline bidding does not provide a
secure application configuration by default. This approach can cause a security issue because it is not
protected by strong encryption or by certificates.
For this reason, SAP SRM does not support any scenario except in-house e-mail.
Note

Even with in-house e-mail, secure execution of offline bidding cannot be guaranteed.

A Reference

A.1 The Main SAP Documentation Types


The following is an overview of the most important documentation types that you need in the
various phases in the life cycle of SAP software.
Figure 14:

Documentation Types in the Software Life Cycle

Cross-Phase Documentation

SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as
well as many glossary entries in English and German.
- Target group:
  - Relevant for all target groups
- Current version:
  - On SAP Help Portal at http://help.sap.com -> Glossary (direct access) or Terminology (as
    terminology CD)
  - In the SAP system in transaction STERM


SAP Library is a collection of documentation for SAP software covering functions and processes.
- Target group:
  - Consultants
  - System administrators
  - Project teams for implementations or upgrades
- Current version:
  - On SAP Help Portal at http://help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for
raising security levels. A collective security guide is available for SAP NetWeaver. This document
contains general guidelines and suggestions. SAP applications have a security guide of their own.
- Target group:
  - System administrators
  - Technology consultants
  - Solution consultants
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/securityguide

Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required
installable units for each business or IT scenario. It provides scenario-specific descriptions of
preparation, execution, and follow-up of an implementation. It also provides references to other
documents, such as installation guides, the technical infrastructure guide and SAP Notes.
- Target group:
  - Technology consultants
  - Project teams for implementations
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides

The installation guide describes the technical implementation of an installable unit, taking
into account the combinations of operating systems and databases. It does not describe any
business-related configuration.
- Target group:
  - Technology consultants
  - Project teams for implementations
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides

Configuration Documentation in SAP Solution Manager

SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of
business and IT scenarios. It contains Customizing activities, transactions, and so on, as well as
documentation.

- Target group:
  - Technology consultants
  - Solution consultants
  - Project teams for implementations
- Current version:
  - In SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system.
The Customizing activities and their documentation are structured from a functional perspective.
(In order to configure a whole system landscape from a process-oriented perspective, SAP Solution
Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
- Target group:
  - Solution consultants
  - Project teams for implementations or upgrades
- Current version:
  - In the SAP menu of the SAP system under Tools -> Customizing -> IMG

Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP
NetWeaver, and precedes the solution operations guide. The manual refers users to the tools and
documentation that are needed to carry out various tasks, such as monitoring, backup/restore,
master data maintenance, transports, and tests.
- Target group:
  - System administrators
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides

The solution operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed. It refers users to the tools and documentation
that are needed to carry out the various operations-related tasks.
- Target group:
  - System administrators
  - Technology consultants
  - Solution consultants
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides

Upgrade

The upgrade master guide is the starting point for upgrading the business and IT scenarios of an
SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an
upgrade. It also refers to other documents, such as the upgrade guides and SAP Notes.

- Target group:
  - Technology consultants
  - Project teams for upgrades
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account
the combinations of operating systems and databases. It does not describe any business-related
configuration.
- Target group:
  - Technology consultants
  - Project teams for upgrades
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release
or changes to existing features since the previous release. Release notes about ABAP developments
are the technical prerequisite for generating delta and upgrade Customizing in the Implementation
Guide (IMG).
- Target group:
  - Consultants
  - Project teams for upgrades
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/releasenotes
  - In the SAP menu of the SAP system under Help -> Release Notes (only ABAP developments)

Typographic Conventions

Example               Description
<Example>             Angle brackets indicate that you replace these words or characters with
                      appropriate entries to make entries in the system, for example, Enter your
                      <User Name>.
Example -> Example    Arrows separating the parts of a navigation path, for example, menu options
Example               Emphasized words or expressions
Example               Words or characters that you enter in the system exactly as they appear in the
                      documentation
http://www.sap.com    Textual cross-references to an internet address
/example              Quicklinks added to the internet address of a homepage to enable quick access to
                      specific content on the Web
123456                Hyperlink to an SAP Note, for example, SAP Note 123456
Example               - Words or characters quoted from the screen. These include field labels, screen
                        titles, pushbutton labels, menu names, and menu options.
                      - Cross-references to other documentation or published works
Example               - Output on the screen following a user action, for example, messages
                      - Source code or syntax quoted directly from a program
                      - File and directory names and their paths, names of variables and parameters,
                        and names of installation, upgrade, and database tools
EXAMPLE               Technical names of system objects. These include report names, program names,
                      transaction codes, database table names, and key concepts of a programming
                      language when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE               Keys on the keyboard

SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com

Copyright 2009 SAP AG. All rights reserved.


Some software products marketed by SAP AG and its distributors contain proprietary software components of other
software vendors.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission
of SAP AG. The information contained herein may be changed without prior notice.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10,
z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server,
PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,
Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered
trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium,
Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented
by Netscape.
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products
and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in
Germany and in several other countries all over the world. All other product and service names mentioned are the
trademarks of their respective companies. Data contained in this document serves informational purposes only. National
product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies
(SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not
be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are
those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
This document was created using stylesheet 2007-12-10 (V7.2) / XSL-FO: V5.1 Gamma and XSLT processor SAXON 6.5.2
from Michael Kay (http://saxon.sf.net/), XSLT version 1.

Disclaimer

Some components of this product are based on Java. Any code change in these components may cause unpredictable and
severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.
Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or
altered in any way.
Documentation in the SAP Service Marketplace

You can find this document at the following address: https://service.sap.com/instguides
