Security Guide

SAP BusinessObjects Planning and Consolidation 7.5

version for the Microsoft platform
Target Audience
%% Technical Consultants
%% System Administrators

PUBLIC
%ETi^/ 8r1B'acc]Pf\1Wg

SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com

Copyright 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission
of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software
vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries,
zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere,
Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered
trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered
trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium,
Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented
by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all
over the world. All other product and service names mentioned are the trademarks of their respective companies. Data
contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies
(SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not
be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are
those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
Disclaimer

Some components of this product are based on Java. Any code change in these components may cause unpredictable and
severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.
Any Java Source Code delivered with this product is only to be used by SAPs Support Services and may not be modified or
altered in any way.

2/42

PUBLIC

2010-05-25

Document History

CAUTION

Before you start the implementation, make sure you have the latest version of this document.
You can find the latest version at the following location: http://service.sap.com/
securityguide.
The following table provides an overview of the most important document changes.
Version

Date

Description

1.0
2.0

2009-12-07
2010-06-15

First version
This is the update for SP03. For detailed information, refer to the appropriate SAP
central note.

2010-05-25

PUBLIC

3/42

Table of Contents

Chapter 1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 2

Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Chapter 3

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Chapter 4
4.1
4.2

Security Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Enabling Activity Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Security Logging on Application Servers and Clients . . . . . . . . . . . . . . . . . . . . 15

Chapter 5
5.1
5.2
5.3
5.4
5.5

User Administration and Authentication . . . . . . . . . . . . . . . . . . . . . . . . .

User Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Authenticating through CMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Authenticating through Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting Up Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting Up Teams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 6
6.1
6.2

Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Task Profile Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Member Access Profile Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Chapter 7
7.1
7.2

Network and Communication Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Communication Channel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

4/42

PUBLIC

17
17
19
19
20
20

2010-05-25

Chapter 8

Data Storage Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Chapter 9

Dispensable Functions that Affect Security . . . . . . . . . . . . . . . . . . . . . . . . 39

Chapter 10

Trace and Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

2010-05-25

PUBLIC

5/42

This page is left blank for documents

that are printed on both sides.

Introduction

1 Introduction

This document is not included as part of the Installation Guides, Configuration Guides, Technical
Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software
life cycle, whereby the Security Guides provide information that is relevant for all life cycle phases.
Why is Security Necessary

With the increasing use of distributed systems and the Internet for managing business data, the demands
on security are also on the rise. When using a distributed system, you need to be sure that your data
and processes support your business needs without allowing unauthorized access to critical
information. User errors, negligence, or attempted manipulation on your system should not result in
loss of information or processing time. These demands on security apply likewise to Planning and
Consolidation. To assist you in securing your system, we provide this Security Guide.
About This Document

The Security Guide provides an overview of the security-relevant information that applies to the system
Overview of the Main Sections

The Security Guide comprises the following main sections:

x||# Before You Start
This section contains references to other Security Guides that build the foundation for this Security
Guide.
x||# Technical System Landscape
For information about the technical system landscape, see the Master Guide.
x||# Security Overview
This section explains the initial users in the system and default authorizations. The section also
provides an overview of the high-level steps needed to establish Planning and Consolidation
security.
x||# User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
x||L CMS and Active Directory domain considerations
x||L User setup
x||L Team setup

2010-05-25

PUBLIC

7/42

Introduction

RLU Authorizations
This section provides details on the authorization concept that applies to Planning and
Consolidation.
RLU Network and Communication Security
This section provides an overview of the network topology and communication protocols used
by the application.
RLU Data Storage Security
This section describes the security aspects involved with saving data used by the application.
RLU Dispensable Functions with Impact on Security
This section describes which functions are not absolutely necessary and how you can deactivate
them.
RLU Trace and Log Files
This section provides a link to where trace and log files are located.

8/42

PUBLIC

2010-05-25

Before You Start

2 Before You Start

Fundamental Security Guides

For a complete list of the available SAP Security Guides, see http://service.sap.com/
securityguide on the SAP Service Marketplace.
Important SAP Notes

The most important SAP Notes that apply to the security of the system are shown in the table below.
Important SAP Notes
SAP Note Number

Title

Comments

1336043

SAP Planning and Consolidation 7.5

SP00, version for the Microsoft
platform
SAP Planning and Consolidation 7.5
SP01, version for the Microsoft
platform
SAP Planning and Consolidation 7.5
SP02, version for the Microsoft
platform
SAP Planning and Consolidation 7.5
SP03, version for the Microsoft
platform

This is the Central Note for Planning and

Consolidation 7.5.

1401702

1426263

1475726

This is the Central Note for Planning and

Consolidation 7.5. Service Pack 01
This is the Central Note for Planning and
Consolidation 7.5. Service Pack 02
This is the Central Note for Planning and
Consolidation 7.5. Service Pack 03

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.
Quick Links to Additional Information
Content

Quick Link on the SAP Service Marketplace or SDN

Security
Security Guides
Related SAP Notes
Released Platforms
Network Security
SAP Solution Manager

http://sdn.sap.com/irj/sdn/security

2010-05-25

https://service.sap.com/securityguide
https://service.sap.com/notes
https://service.sap.com/pam
https://service.sap.com/securityguide
https://service.sap.com/solutionmanager

PUBLIC

9/42

This page is left blank for documents

that are printed on both sides.

Technical System Landscape

3 Technical System Landscape

For information about the technical system landscape, see the Master Guide at http://
service.sap.com/instguidesEPM-BPC
7.5, version for the Microsoft platform .

2010-05-25

PUBLIC

11/42

This page is left blank for documents

that are printed on both sides.

Security Overview

4 Security Overview

Security Upon Initial System Installation

When you first install the system, the following items apply:
] The installation user can access Server Manager locally on the application server, and access the
Administration Console and Administration for the Web from any client machine. (After
additional users are defined, they can also access the administration features remotely.)
] The system administrator can perform all administrative tasks, but does not have any access to
members.
] There are no other users defined. See User Setup [page 20].
] There is one Admin team defined that can be used as a sample. See Team Setup [page 20].
] There is one sample task profile that has full Administration privileges (PrimaryAdmin), and
another sample task profile that has full Administration privileges and dimension access
(SysAdmin). See Team Setup [page 20].
] Administrators must specifically assign task profiles to users or teams of users before they can access
any tasks. Similarly, if they do not assign member access profiles to users or teams to define access
to members of a secured dimension, no one has access to that dimension. See Member Access Profile
Setup [external document].
] In the event of a system crash of the .NET server, you can log on using the SysAdmin user.
Steps to Define Security

Defining security involves the following steps:

] Name each user. See User Setup [page 20].
] Assign users to teams. See Team Setup [page 20].
] Assign task profiles to users or teams. See Task Profile Setup [external document].
] Assign member access profiles to users or teams. See Member Access Profile Setup [external document].
Emergency User

When normal access to the system is no longer available, SAP customers can log on to the .NET server
as SysAdmin (or other operating system users with administrative rights) to repair the Planning and
Consolidation installation.

2010-05-25

PUBLIC

13/42

Security Overview

4.1

Enabling Activity Auditing

Security Reports

Four security reports are available:

By User
By Team
By Task Profile
By Member Access Profile
For more information, see the Reporting on Security Information topic in the Planning and Consolidation Application
Help.
For more information about logging and tracing, see the Planning and Consolidation Operations Guide.

4.1 Enabling Activity Auditing

You can enable activity auditing to record all security-related changes, such as adding, changing, and
deleting users, teams, task profiles and member profiles.
If activity auditing is enabled for administration tasks, all administration tasks are audited (see Activity
Auditing in the Application Help for more information). Once the system records an activity, you can
run a report that shows activity based on specified criteria (see Reporting on Activity Auditing in the
Application Help).
These are the administrative tasks that are audited:
All security-related changes, such as adding, changing, and deleting users, teams, task profiles and
member profiles
Add, modify, delete, and copy operations for applications and dimensions. This also includes
dimension processing.
Web Administration changes to application set parameters, application parameters, document
types and subtypes, activity audit settings, and data audit settings
Business Process Flow management, adding, deleting, and modifying business process flows, and
saving business process flows to new names
NOTE

Data auditing is a different kind of auditing that allows you to capture an audit trail of the
changes made to the database. Once data auditing is enabled and a change to the data is recorded,
you can run data audit report based on specified criteria.
Planning and Consolidation does not support auditing for logon failure.
Procedure

To enable activity and data auditing:

14/42

PUBLIC

2010-05-25

Security Overview

4.2

Security Logging on Application Servers and Clients

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.

On the SAP BusinessObjects Launch Page, select Administration.

Click Manage Activity Audit on the Web Admin Tasks.
Select Enabled Admin Activity, Enabled User Activity, and Enabled BPF Activity, then click Update.
Select Manage Data Audit on the Web Admin Tasks tab.
Select the desired application from the application set.
Select the Enable Data Activity checkbox and select a category.
Select all Tasks as Interface for Office, Data Manager Import, Logic Execution, and Journals.
Select the Enable schedule checkbox and set schedule time to every 5 minutes, and then click Update.
Click Publish report from the Web Admin Tasks. The report is published to the Reporting Server.
Select Audit Activity Report and Audit Data Report, then click OK.
Launch Planning and Consolidation System Reports from the Getting Started action pane.

4.2 Security Logging on Application Servers and Clients

By default, the application writes all errors to the database and error files. You can enable logging for
application servers and clients to log additional information. When logging is enabled, the application
creates log messages for the application servers and clients.
Application Server Logs

If logging is not enabled, only unexpected errors are written to the table tblLogs in the AppServer
database.
If you enable logging, as described below, additional logging information is written to the table
tblLogs.
To enable logging on an application server:
1. On the application server, open Component Services
2. Expand COM+ applications.
3. Select OSoftLogging and expand it.
4. Select Components and expand it.
5. Select OSoft.Services.Platform.Logging.LogHandler and open Properties.
6. Select the Activation tab.
7. Select Enable object construction and type DEBUG.
Client Logs

If logging is not enabled, all unexpected errors are written to the file <YYYY-MM-DD>.Exception.log in
the folder <Client cache directory>\PC_MS\Logging.

2010-05-25

PUBLIC

15/42

Security Overview

4.2

Security Logging on Application Servers and Clients

If you enable logging, as described below, additional logging information is written to the file <YYYYMM-DD>.Message.log, in the same folder.
To enable logging on a client:
1. Open the Windows Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\SAP\BPC\COMMON. (If SAP\BPC\COMMON does not exist, you
must create it.)
3. From the Edit menu, select New String Value and create a string named Logging.
4. Select the string, and from the Edit menu, select Modify.
5. In Value data, enter 1 to switch on logging. (To switch off logging, enter 0 or clear the field.)
The SQE (Shared Query Engine) does not depend on this switch. To write an SQE log, you must create
a file, for example, EvDataServer_Debug.txt in <FileServer>\..\WebFolders\<Application set>
\<Application>\PrivatePublications\<UserID>.

16/42

PUBLIC

2010-05-25

User Administration and Authentication

5.1

User Authentication Process

5 User Administration and

Authentication

There are two authentication methods available in Planning and Consolidation:

 >| SAP BusinessObjects User Management System (CMS)
 >| Microsoft Windows (Active Directory)
During the installation of the Planning and Consolidation server, you specify which authentication
method is appropriate for your needs.
NOTE

If you are currently authenticating through Active Directory, there is a migration tool available
that allows you to convert your users over to authenticate through CMS. For more information,
see the Operations Guide.
This section contains information about user administration and authentication in the following topics:
 >| User Authentication Process
 >| Authenticating through CMS
 >| Authenticating through Active Directory
 >| Setting up Users
 >| Setting up Teams

5.1 User Authentication Process

This section describes how users are authenticated from the Office and Web clients.
Authentication of Office Clients

1.

2.

From the Logon window, credentials are either taken from the Windows operating system, or they
must be entered using an alternate ID. In the latter case, the user enters a domain, user ID, and
password.
The client creates a stub to call the Planning and Consolidation .NET Web server. This is configured
to use the credentials supplied by the user during logon.

2010-05-25

PUBLIC

17/42

User Administration and Authentication

5.1

User Authentication Process

3.
4.
5.

6.
7.

The system builds a SOAP request, including the user credentials. The request is sent to the
application server.
The system validates that the user connecting to the Web server is the same user identified by the
credentials.
The Web server calls the Planning and Consolidation authentication service to validate the user
credentials. If CMS has been configured, the user credentials are validated against the
BusinessObjects Enterprise SDK. If CMS authentication is not used, the user credentials are
validated directly against Active Directory. For more details, see Authenticating through CMS [page
19] and Authenticating through Active Directory [page 19].
If the user credentials are not valid, the authentication service returns Access is denied. If the
credentials are valid, the service returns Auth Success.
If the user is authenticated successfully, the Web server sends the results to the Planning and
Consolidation client. If the user is not authenticated, the Web server returns an HTTP 401 error.

Authentication of Web Clients

1.

2.
3.
4.
5.
6.

7.
8.

The user navigates to the Planning and Consolidation home page. The Web server uses IIS Windows
(Integrated or Basic) authentication. If the user credentials are not valid, Windows prompts the
user to enter a user ID and password.
The client creates a stub to call the Planning and Consolidation application server.
The system builds a SOAP request, including the user credentials. The request is sent to the
application server.
The system validates that the user connecting to the Web server is same user identified by the
credentials.
The system calls the Planning and Consolidation authentication service to validate credentials.
If CMS has been configured, the user credentials are validated against the BusinessObjects
Enterprise SDK. If CMS authentication is not used, the user credentials are validated directly against
Active Directory. For more details, see Authenticating through CMS [page 19] and Authenticating through
Active Directory [page 19].
If the user credentials are not valid, the authentication service returns Access is denied. If the
credentials are valid, the service returns Auth Success.
If the user is authenticated successfully, the application server sends the results to the Planning
and Consolidation client. If the user is not authenticated, the Web server returns an HTTP 401
error.

18/42

PUBLIC

2010-05-25

User Administration and Authentication

5.2

Authenticating through CMS

5.2 Authenticating through CMS

The BusinessObjects Enterprise (BOE) SDK and Central Management Server (CMS) subsystem provides
additional authentication options that are not available in Active Directory, including single sign-on
(SSO). Using SSO means that you do not need to provide authentication information when moving
between Planning and Consolidation and other applications such as Xcelsius or Infoview. CMS
maintains a database of information about BOE (in the CMS database), and manages security, including
access rights and authentication.
The following diagram shows the BOE SDK and CMS architecture.

q{eN;k)BusinessObjects SDK & CMS

5.3 Authenticating through Active Directory

If authenticating users through Active Directory, and a user ID is added to the system with a domain
name (for example, PC\hsmith), the system assumes the user ID is maintained within Active Directory.
(If not on a domain, users must be valid Windows users on the .NET application server.) When the user
logs on, the system validates the password against Active Directory.
NOTE

In Server Manager, you can specify specific domains that are being used for Planning and
Consolidation users. In addition, filters can be applied to those domains to select specific users
from them. For more information, see the Operations Guide.

2010-05-25

PUBLIC

19/42

User Administration and Authentication

5.4

Setting Up Users

When you are adding new users from a domain to the system, you have the ability to select one
of the user-defined groups, and customize it further, if required.
When setting up users on the system, take the following considerations into account:
;2 We recommend that all users come from a single domain.
;2 We recommend that all users have access to the domain the server is on. If they do not have direct
access, the domain must be trusted between the server and user domain.
;2 The installation user must have rights to browse the users from all user domains.

5.4 Setting Up Users

You can add new users and assign them to teams, task profiles, and member access profiles.
If you are not using the default task or member access profiles and have not set them up yet, we
recommend that you define them before adding users. You might also want to create teams, so you
can assign the newly added users to the appropriate teams.
Alternatively, when you define the teams and profiles, you can assign users to them at that time.
Features

Adding Users
You can add users in the Admin Console. To do so, choose Security Users , then expand the domain
name. In the Manage Users action pane, select Add New User, then enter the required data to specify the
domain, e-mail address, teams, task profiles, and member access profiles.
Modifying Users
You can modify a user definition in the Admin Console. To do so, choose Security Users . Select a
user. In the Manage Users Options task pane, choose Modify the selected user's definition. Follow the prompts in
the assistant.
NOTE

You can enable the server to be Sarbanes-Oxley compliant if you want all clients that access the
server to challenge users for a user name and password. See the Server Manager section of the
Application Help located at http://help.sap.com/epm.

5.5 Setting Up Teams

You can set up and maintain teams of users. When you assign security to a team, the security works
collectively on the team members. This allows you to set up task-based or memberbased security for
several users at the same time. Teams are not required to successfully process security.

20/42

PUBLIC

2010-05-25

User Administration and Authentication

5.5

Setting Up Teams

Features

Adding teams
To add a team, in the Admin Console by selecting Security Teams Add New Team . Enter data as
required.
Assigning team leaders
Assigning a team leader is useful when you want to give one person from the team special access rights,
for example, the rights to save templates to the team folder. A team leader that has ManageTemplate
privileges can save templates to their respective team folder. For more information, see the
ManageTemplate task in Task Profile Setup [external document].
In addition, a team leader is the only one who can save Data Manager conversion and transformation
files. See TeamLeadAdmin in Task Profile Setup [external document].
To assign a team leader, in the Admin Console select Security Teams , and select the desired user
from the team list.
Modifying teams
You can modify the definition of an existing team. When modifying a team, you can change everything
except the team name.
To modify a team definition, in the Admin Console select Security Teams . Select the team then
click Modify the selected team's definition. Follow the prompts in the assistant to revise the team definition,
revise selected team members, or assign different task and member access profiles.

2010-05-25

PUBLIC

21/42

This page is left blank for documents

that are printed on both sides.

Authorizations

6.1

Task Profile Setup

6 Authorizations

Authorization is defined by task profiles and member access profiles:

^" Task profiles define what type of activities or tasks a user or a team of users can perform.
^" Member access profiles define the specific applications to which users have access.

6.1 Task Profile Setup

A task profile defines the type of activities or tasks a user or a team of users can perform in Planning
and Consolidation. After creating a task profile, you assign it to one or more users. You can add tasks
to a profile as needed.
Features
Administrator Roles

A role is a predefined set of administration tasks. If you want to assign a user one or more administration
tasks, you must assign them one of the predefined administrator roles. Without one of these role
assignments, the user cannot perform any administrator tasks.
The three administrator roles are:
^" System Admin
^" Primary Admin
^" Secondary Admin
Default task rights

Task Profile
System Administrator (System Admin)

Primary Administrator (Primary Admin)

2010-05-25

Default Task Rights

^"
^"
^"
^"
^"
^"
^"
^"
^"
^"

Appset
DefineSecurity
OfflineAccess
Application
BusinessRules
DefineSecurity
Dimension
InsightAdmin
Lockings
ManageAudit

PUBLIC

23/42

Authorizations

6.1

Task Profile Setup

Secondary Administrator (Secondary

Admin)

|
x
|
x
|
x
|
x
|
x
|
x
|
x
|
x
|
x
|
x
|
x
|
x
|
x
|
x
|
x
|
x

ManageBook
ManageBPF
ManageComments
ManageContentLib
ManageDistributor
ManageEvDREDefaultStyle
ManageLiveReport
MISC
RemoveBPFInstances
ResetBPFInstances
UploadtoCompanyFolder
WebAdmin
Dimension
ManageBPF
ResetBPFInstances
RemoveBPFInstances

Administration Task Profile Descriptions

The following table describes the available tasks in the Administration interface:
Task
Application

Can be assigned to
Only the primary administrator (default)

Appset

System administrator, by default, but can be

assigned to primary administrator

Business Rules

Primary administrator, by default, but can be

assigned to secondary administrator
Only primary and secondary administrators
(default)
Primary administrator, by default, but can be
assigned to secondary administrator
Primary administrator, by default, but can also
be assigned to system and secondary
administrators.

Dimension

Lockings

Misc

Description
Can create, modify, and delete applications
in this application set, make changes to
dimensions and add dimensions, and
optimize applications.
Can create new application sets, modify
application sets, and set application set
parameters (in Web Admin Tasks).
Can define business rules.
Create, modify, process, and delete
dimensions and members.
Set up and edit concurrent locks, and define
and edit work status codes.
Can manage and validate custom menus and
view application set status.

AnalysisCollection Task Profile Descriptions

The following table describes the available tasks in the AnalysisCollection interface:
Task
eAnalyze

24/42

Can be assigned to
Anyone

Description
Can access, manage and edit ad hoc and audit reports,
and access and save to the report library.

PUBLIC

2010-05-25

Authorizations

6.1

Task Profile Setup

ManageEvDREDefaultStyle

ManageTemplate

SubmitData

Anyone (by default,

Primary Administrator)
Primary administrator, by
default, but can be
assigned to secondary
administrator
Anyone

Can open and save EvDRE style workbooks using the

eTools > Open/Save EvDRE Styles menu option.
Can manage the company report library, access and
save templates from the library, restrict workbook
options, and manage custom menus.
Can access the schedule library, build input schedules,
send data. Can use spread, weight, and trend options.
Can post documents with application context to the
Content Library.

Audit Task Profile Descriptions

The following table describes the available tasks in the Audit interface:
Task
ManageAudit

Can be assigned to
Only primary administrators (default)

Description
Can manage activity and data auditing.

BusinessProcessFlow Task Profile Descriptions

The following table describes the available tasks in the BusinessProcessFlow interface:
Task
BPFExecution

ManageBPF
RemoveBPFInstances

ReopenBPFStep

ResetBPFInstances

Can be assigned to
Anyone
Anyone
Primary and secondary
administrators (default)
Anyone

Anyone. Assigned to
primary and secondary
administrators, by default.

Description
Can run BPFs from Interface for Office or Interface for the
Web.
Can create and edit BPFs.
Can remove BPF instances from the system.
Can reopen a BPF step if it is closed or completed.
If the previous step is completed by a reviewer, a user cannot
reopen the step directly even though the user has this task.
They can send an e-mail request to the reviewer to reopen.
Can reset a BPF instance.
End users cannot reset a set of or all BPF instances.

Collaboration Task Profile Descriptions

The following table describes the available tasks in the Collaboration interface:
Task
ManageDistributor
PublishOffline

2010-05-25

Can be assigned to
Description
Only primary administrator (default) This user or team can use the Offline Distributor.
Anyone
This user or team collects changes to offline input
schedules and sends data to a database.

PUBLIC

25/42

Authorizations

6.1

Task Profile Setup

Comments Task Profile Descriptions

The following table describes the available tasks in the Comments interface:
Task
AddComment
ManageComments

Can be assigned to
Anyone
Primary administrator (by default), but can be
assigned to system and secondary
administrators.

Description
This user or team can add comments.
This user or team can remove or modify
comments.

Data Manager Task Profile Descriptions

The following table describes the available tasks in the DM interface:

Task
Execute

Can be assigned to
Anyone

PackageExecute

Anyone

GeneralAdmin

Primary, system and secondary

administrators. (No default
assignment)

26/42

PUBLIC

Description
This user or team can manage Data Manager
packages:
mt, Data upload
mt, Data download
mt, Validate and Process conversion files for
company
mt, Validate and Process transformation files for
company
mt, Data Preview
mt, Clear saved prompts
mt, View status based on user ID
mt, View schedule status based on user ID
mt, Run Specific package
mt, Run user package
mt, Maintain status based on user ID
mt, View status
This user or team can manage Data Manager
packages:
mt, Data Preview
mt, Clear saved prompts
mt, View status based on user ID
mt, View schedule status based on user ID
mt, Run Specific package
mt, Run user package
mt, Maintain status based on user ID
mt, View status
This user or team can perform tasks such as:
mt, New Transformation
mt, Test transformation with data
mt, New Conversion
mt, New Conversion Sheet
mt, Save Conversion

2010-05-25

Authorizations

6.1

Task Profile Setup

PrimaryAdmin

Primary, system and secondary

administrators. (No default
assignment)

TeamLeadAdmin

Primary, system and secondary

administrators. (No default
assignment)

4df Save Conversion As

Can perform the following default
PrimaryAdmin tasks:
4df Manage transformation files for company
and Validate & Process
4df Manage conversion files for company and
Validate & Process
4df Packages that against the fact table directly
are limited to admin
4df Manage team package access
4df Organize package list
4df Maintain status regardless of user ID
4df Run admin package
Can perform the following tasks:
4df Open and save transformation files from
noncompany files
4df Open and save conversion files for
noncompany files
4df Data Preview team folder
4df Validate and process conversion files for
team
4df Validate and process transformation files for
team
4df Data upload team folder
4df Data download team folder

FileAccess Task Profile Descriptions

The following table describes the available tasks in the FileAccess interface:
Task
UpdateToCompanyFolder

Can be assigned to
Description
Secondary administrator, by default, but can Can add files to the Company folder.
be assigned to primary administrators.

Insight Task Profile Descriptions

The following table describes the available tasks in the Insight interface:
Task
Analysis

2010-05-25

Can be assigned to
Anyone

Description
Has the following access rights to Insight:
4df View Dashboard
4df Define KPI
4df View KPI Variance
4df Analysis
4df Define KPI Alerts
4df Design KPI Charts
4df View KPI Radar

PUBLIC

27/42

Authorizations

6.1

Task Profile Setup

O View KPI
O Predictions
O Create KPI report (flash)
O Perform KPI on-demand predictions
O Comment viewing based on variance context results
O Action Manager viewing
O Add new and update actions based on owner
O Edit actions regardless of owner
O Insert KPI into Word/PowerPoint/Excel
Primary administrator (by default), Can administer Insight.
but can be assigned to secondary
administrators.

InsightAdmin

Journal Task Profile Descriptions

The following table describes the available tasks in the Journal interface:
Task

Can be assigned to
Primary, system and secondary
administrators. (No default assignment)

AdminJournal

CreateJournal
PostJournals
ReviewJournals
UnpostJournals

Anyone
Anyone
Anyone
Anyone

Description
Can manage journals as follows:
O Create and maintain journal templates
O Clear journal tables
O Create Journal
Can create, modify, or delete journal entries.
Can post, repost, or reopen journals.
Can review journals
Can unpost journal entries.

Publish Task Profile Descriptions

The following table describes the available tasks in the Publish interface:
Task
ManageBook

PublishBook
PublishFile

Can be assigned to
Description
Primary administrator (No default assignment) This user or team can create, edit and save
definition books.
Primary administrator (No default assignment) This user or team can publish a book of reports.
Primary administrator (No default assignment) Can post files to the Content Library or in
Interface for the Web.

Security Task Profile Descriptions

The following table describes the available tasks in the Security interface:
Task
DefineSecurity

28/42

Can be assigned to
Only system and
primary

Description
Can manage users, task, and member access profiles.

PUBLIC

2010-05-25

Authorizations

6.1

Task Profile Setup

OfflineAccess

administrators (by
default).
System administrator Can log on to Planning and Consolidation for Office when
(by default), but can be application set status is Not available.
assigned to anyone
This task security does not control access to Interface for the Web.
This means that users can log on to the interface without having this
task security.

ViewSystemReport Task Profile Descriptions

The following table describes the available tasks in the ViewSystemReport interface:
Task
BPFReport

Can be assigned to
Anyone
Anyone

CommentReport

Anyone

Security Report

Primary, system, and secondary

administrators. (No default assignment)
Anyone

AuditReport

Workstatus report

Description
This user or team can run audit reports.
This user or team can run Business Process
Flow reports.
This user or team can run a comment
report.
This user or team can run security reports.
This user or team can run a work status
report.

WorkStatus Task Profile Descriptions

The following table describes the available tasks in the WorkStatus interface:
Task
SetWorkStatus

Can be assigned to
Anyone

Description
This user or team can manage work status on a data region.

ZFP Task Profile Descriptions

The following table describes the available tasks in the Web interface:
Task
AccessContentLib

CreateWebPage
LiveReport
ManageContentLib

ManageLiveReport

2010-05-25

Can be assigned to
Anyone

Description
This user or team can access, filter, and sort, and add pages to the
Content Library in the Web interface.
Anyone
This user or team can create new web pages in the Web interface.
Anyone
This user or team can access live reports in the Web interface.
Primary administrator Can manage all items in the Content Library.
(by default), but can be
assigned to system and
secondary
administrators.
Primary administrator This user or team allows you to manage live reports using drag and
(by default), but can be drop in the Web interface.

PUBLIC

29/42

Authorizations

6.2

Member Access Profile Setup

WebAdmin

assigned to secondary
administrators.
Primary administrator Can do the following in Admin Tasks:
(by default), but can be
't, Set application parameters
assigned to secondary
't, Manage dimensions (make changes to existing dimensions
administrators.
based on dimension)

't, Manage document types and subtypes

't, Publish Non-Planning and Consolidation reports

't, Edit drill through tables

't, Publish Reports

't, Use Bulk Collaboration

Adding a Task Profile

To create a new task profile in the Admin Console, choose Security Task Profiles . Enter data as
required.
Tips for Assigning Task Profiles

't, The number of task profiles administrators can assign to a user is not limited. However, we
recommend that you do not assign multiple task profiles to users because it may cause confusion
in determining their ultimate access rights.
Task access security is cumulative, and tasks cannot be explicitly denied. As a result, assigning
multiple task profiles can create a situation where users have access to tasks that you may not want
them to have. For example, an administrator wants UserA to only retrieve data. If UserA belongs
to a team that possesses data-send task rights, UserA can also send data.

't, Administrators can assign multiple task profiles to a team. However, we recommend that you do
not assign multiple task profiles to a team because it may cause confusion in determining the
ultimate access rights of that team.

6.2 Member Access Profile Setup

You must define a member access profile for all secured dimensions of an application. If no profile is
defined for a secured dimension, the users assigned to the profile do not have access rights to that
application. If you partially define access, for example, for one of two secured dimensions, users are still
denied access to the application.
After creating a Member Access profile, you assign it to users as needed.
Features

General Rules for Member Access Security

Member access security is based on the following rules:

30/42

PUBLIC

2010-05-25

Authorizations

6.2

Member Access Profile Setup

J;> By default, no one other than the system administrator has access to members. Member access
must be explicitly granted.
J;> A user can be assigned member access individually and through team membership.
J;> Member access privileges flow down the hierarchy, from parent to child.
J;> When in conflict, the least restrictive member access profile is applied.
J;> In case of a conflict between individual and team member access, the least restrictive setting is
applied.
J;> Denial of member access can be set only at the user level.
Defining Access to Members with Children
When defining access to a secured dimension that has one or more defined hierarchies, security is
applied to the member and all of its children. For example, if you grant access to a member that has 10
children, users with access to the parent member also have access to the 10 children.
You can restrict a child member of a parent with Read or Read and Write access by creating a separate
member access profile and assigning the child Denied access. Alternatively, you can use the same
member access profile as the parent, but create a new line item for the child.
Creating Member Access Profiles
You can add member access profiles from the Admin Console by choosing Security Member Access
Profiles Add a New Member Access Profile and follow the prompts in the New Member Access Profile
assistant. Be sure to choose Apply to process the new member access profiles
Modifying Member Access Profiles
You can modify an existing member access profile by selecting Modify the selected profile definition in the
Manage Profile Options action pane. Follow the prompts in the Modify Profile assistant.
Resolving Member Access Profile Conflicts
Since you can define member access by individual users and by teams, there may be situations in which
conflicts occur. The following topics describe some potential member access conflict scenarios and the
rules the system applies to resolve those conflicts. These scenarios are based on the assumption that
the Entity dimension is a secured dimension and has the following hierarchical structure:
Hierarchy
H1

Members
WorldWide1

Sales

SalesAsia

SalesEurope

H2

2010-05-25

WorldWide2

Asia

Korea
Japan

PUBLIC

SalesKorea
SalesJapan
ESalesAsia
SalesItaly
SalesFrance
ESalesEurope
SalesKorea
SalesJapan

31/42

Authorizations

6.2

Member Access Profile Setup

Europe

eAsia
Italy
France
eEurope

ESalesAsia
SalesItaly
SalesFrance
ESalesEurope

Conflict Between Profiles

When there is a conflict between member access profiles, the least restrictive profile is always applied.
This section describes three different scenarios where there are conflicts between profiles.
EXAMPLE

Scenario 1:
vCB User1 belongs to Team1 and Team2.
vCB There are two member access profiles: ProfileA and ProfileB.
vCB ProfileA is assigned to Team1 and ProfileB is assigned to Team2.
The member access profiles are described in the following table:
Member access profile
ProfileA
ProfileB

Access
Read & Write
Read Only

Dimension
Entity
Entity

Member
Sales
SalesAsia

In this case, the least restrictive profile between the two, ProfileA (Read & Write), is applied. As a
result, ProfileB is ignored by the system, and User1 is able to send data to both SalesKorea and
SalesItaly.
EXAMPLE

Scenario 2:
vCB User1 belongs to Team1 and Team2
vCB There are two member access profiles: ProfileA and ProfileB.
vCB ProfileA is assigned to Team1 and ProfileB is assigned to Team2.
The member access profiles are described in the following table:
Member access profile
ProfileA
ProfileB

Access
Read Only
Read & Write

Dimension
Entity
Entity

Member
Sales
SalesAsia

In this case, the least restrictive profile between the two, ProfileB (Read & Write), is applied for the
child members of SalesAsia. As a result, ProfileA is ignored by the system, and User1 is able to send
data to SalesKorea, but not to SalesItaly.

32/42

PUBLIC

2010-05-25

Authorizations

6.2

Member Access Profile Setup

EXAMPLE

Scenario 3:
?|m User1 does not belong to any team.
?|m There are two member access profiles: ProfileA and ProfileB.
?|m Both the profiles are assigned to the user.
The member access profiles are described in the following table:
Member access profile
ProfileA
ProfileB

Access
Denied
Read Only

Dimension
Entity
Entity

Member
SalesAsia
Sales

In this case, the least restrictive profile between the two, ProfileB (Read Only), is applied. As a
result, ProfileA is ignored by the system, and User1 is able to retrieve data from both SalesKorea
and SalesItaly.
Conflict Between Parent and Child Members
Authority always flows down the hierarchy from parent to child. Child members always have the access
level of their parents, unless otherwise specified.
EXAMPLE

Scenario 1:
?|m User1 belongs to Team1 and ProfileA is assigned to Team1.
?|m Two levels of member access profiles are defined for ProfileA.
The member access profiles for the ProfileA are described in the following table:
Member access profile
ProfileA
ProfileA

Access
Read & Write
Read Only

Dimension
Entity
Entity

Member
Sales
SalesAsia

In this case, the Read & Write access of the Sales member flows down to its children. This flow is
interrupted by assigning Read Only access to SalesAsia (a descendant of Sales), and SalesAsias
access flows down to its descendants. As a result, User1 is able to send data to SalesItaly, but not
to SalesKorea.
EXAMPLE

Scenario 2:
?|m User1 belongs to Team1 and ProfileA is assigned to Team1.
?|m ProfileA has two levels of member access profiles.
The member access profiles for the ProfileA are described in the following table:

2010-05-25

PUBLIC

33/42

Authorizations

6.2

Member Access Profile Setup

Member access profile

ProfileA
ProfileA

Access
Read Only
Read & Write

Dimension
Entity
Entity

Member
Sales
SalesAsia

In this case, the Read Only access of the Sales member flows down to its children. This flow is
interrupted by assigning Read & Write access to SalesAsia (a descendant of Sales), and SalesAsias
access flows down to its descendants. As a result, User1 is able to send data to SalesKorea but not
to SalesItaly.
Conflict When the Same Member Belongs to Different Hierarchies
When a member belongs to different hierarchies, and there is a conflict in member access, the most
restrictive access is applied.
EXAMPLE

Scenario: ProfileA and ProfileB are assigned to User1. The member access profiles are described in
the following table:
Member access profile
ProfileA
ProfileB

Access
Read Only
Read & Write

Dimension
Entity
Entity

Member
WorldWide1
WorldWide2

In this case, ProfileB determines User1s access. As a result, User1 is able to send data to SalesKorea,
even if ProfileA denies User1 Write access to SalesKorea (in WorldWide1 hierarchy).

34/42

PUBLIC

2010-05-25

Network and Communication Security

7.1

Communication Channel Security

7 Network and Communication Security

Your network infrastructure is important in protecting your system. Your network needs to support
the communication necessary for your business and your needs without allowing unauthorized access.
A well-defined network topology can eliminate many security threats based on software flaws (at both
the operating system and application level) or network attacks such as eavesdropping.
If users cannot log on to your application or database servers at the operating system or database layer,
then there is no way for intruders to compromise the machines and gain access to the back-end systems
database or files. Additionally, if users are not able to connect to the server LAN (local area network),
they cannot exploit well-known bugs and security holes in network services on the server machines.
Details that specifically apply to Planning and Consolidation are described in the following topics:
)MJ Communication Channel Security
This topic describes the communication paths and protocols used by the application.
)MJ Network Security
This topic describes the recommended network topology for the application. It shows the
appropriate network segments for the various client and server components and where to use
firewalls for access protection. It also includes a list of the ports needed to operate the application.

7.1 Communication Channel Security

The table below shows the communication paths used by the application, the protocol used for the
connection, and the type of data transferred.
Communication Paths
Communication Path

Protocol Used

Client and .NET web/app HTTP/HTTPS

server

.NET web/app server and TCP/IP

Windows Active Directory

2010-05-25

Type of Data Transferred

Data Requiring Special

Protection

Client requests and server Passwords

responses
Proprietary business
financial and
performance metrics
Windows native behavior Proprietary business
financial and
performance metrics

PUBLIC

35/42

Network and Communication Security

7.2

Network Security
Data Requiring Special
Protection

Communication Path

Protocol Used

Type of Data Transferred

Client and Windows

Active Directory
(Optional)

TCP/IP

Windows native behavior Proprietary business

financial and
performance metrics

NOTE

Communication with the Windows Active Directory is done by the native Windows Operation
System.
We recommend HTTPS for enhanced security. HTTPS is required if the client uses basic
authentication to access the .NET web/application server.

7.2 Network Security

You can implement the following components of the application in different network segments:
>: Client
>: .NET Web/application server
We recommend any of the following three environments, based on your on your technical
requirements.
>: All components in one network zone (LAN)
>: Client in Internet zone, while all server side components (.NET application server) are in one zone
(LAN)
>: Client in Internet zone, .NET application server in DMZ

36/42

PUBLIC

2010-05-25

Data Storage Security

8 Data Storage Security

In Planning and Consolidation, user data is stored in CMS or Active Directory, and authorization data
is stored on the SQL database.
Business data is loaded by users and administrators and stored in the SAP database.
Some configuration data is loaded upon system installation; the configuration file is located on the .NET
server tier in \PC\Websrvr\web\ServerConfiguration.config. The system is preconfigured to provide a substantial
level of data protection, but you should also make sure that no one has access to the service accounts
defined during the installation.
The system uses a client-side file system to store metadata and template data temporarily because read,
write, delete, change, and query access for existing data may be required. This data is stored in the local
file system of the client within the \MyDocuments\OutlookSoft directory. We recommend that only users
and administrators have access to this directory.
Since Interface for the Web uses a browser as its interface, it uses cookies to store front-end metadata
and configuration information during individual user sessions. This data requires no special protection,
and no special measures to protect the cookies are necessary.

2010-05-25

PUBLIC

37/42

This page is left blank for documents

that are printed on both sides.

Dispensable Functions that Affect Security

9 Dispensable Functions that Affect

Security

Planning and Consolidation uses the following system resources:

. Client tier File system, system components, operating system
. .NET server tier System components, operating system
There are no administration tools or installation tools that can be deleted after installation.
Server Installation

For the server installation, all functional modules are necessary and are used at runtime.
An installation contains a default application set named ApShell. This is the only component you can
remove after you complete your own application set development.
Client Installation

A Planning and Consolidation installation includes a Microsoft Office client and an Administration
client for different kinds of users. Users can install one or both.

2010-05-25

PUBLIC

39/42

This page is left blank for documents

that are printed on both sides.

10

Trace and Log Files

10 Trace and Log Files

The system provides log files on both the client side and the .NET server side. The client side log is
located in My Documents\BPC\Logging. The server log is located in (PC install dir)\Logging. Both logs are named
logmm-dd-yyyy.txt, where mm-dd-yyyy is the date to which that log applies. The system creates a new
log each day.
For more information about log and trace files, see the Operations Guide.

2010-05-25

PUBLIC

41/42

SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com

Copyright 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained
herein may be changed without prior notice.