Security Guide

SAP Business Planning and Consolidation 7.0 SP01

version for SAP NetWeaver

Target Audience
n Technical Consultants
n System Administrators

PUBLIC
Document version: 1.1 ‒ 12/12/2008
 SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com

© Copyright 2008 SAP AG. All rights reserved. MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP
No part of this publication may be reproduced or
NetWeaver, and other SAP products and services mentioned
transmitted in any form or for any purpose without the
herein as well as their respective logos are trademarks or
express permission of SAP AG. The information contained
registered trademarks of SAP AG in Germany and in several
herein may be changed without prior notice.
other countries all over the world. All other product
Some software products marketed by SAP AG and its
and service names mentioned are the trademarks of their
distributors contain proprietary software components of
respective companies. Data contained in this document
other software vendors.
serves informational purposes only. National product
Microsoft, Windows, Outlook, and PowerPoint are specifications may vary.
registered trademarks of Microsoft Corporation. These materials are subject to change without notice.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, These materials are provided by SAP AG and its affiliated
MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, companies (“SAP Group”) for informational purposes
pSeries, xSeries, zSeries, System i, System i5, System p, only, without representation or warranty of any kind, and
System p5, System x, System z, System z9, z/OS, AFP, SAP Group shall not be liable for errors or omissions with
Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, respect to the materials. The only warranties for SAP Group
i5/OS, POWER, POWER5, POWER5+, OpenPower and products and services are those that are set forth in the
PowerPC are trademarks or registered trademarks of IBM express warranty statements accompanying such products
Corporation. and services, if any. Nothing herein should be construed as
Adobe, the Adobe logo, Acrobat, PostScript, and Reader constituting an additional warranty.
are either trademarks or registered trademarks of Adobe
This document was created using stylesheet 2007-12-10
Systems Incorporated in the United States and/or other
(V7.2) / XSL-FO: V5.1 Gamma and XSLT processor SAXON
countries.
6.5.2 from Michael Kay (http://saxon.sf.net/), XSLT version
Oracle is a registered trademark of Oracle Corporation.
1.
UNIX, X/Open, OSF/1, and Motif are registered trademarks
of the Open Group.
Disclaimer
Citrix, ICA, Program Neighborhood, MetaFrame,
Some components of this product are based on Java™. Any
WinFrame, VideoFrame, and MultiWin are trademarks or
code change in these components may cause unpredictable
registered trademarks of Citrix Systems, Inc.
and severe malfunctions and is therefore expressively
HTML, XML, XHTML and W3C are trademarks or registered
prohibited, as is any decompilation of these components.
trademarks of W3C®, World Wide Web Consortium,
Any Java™ Source Code delivered with this product is
Massachusetts Institute of Technology.
only to be used by SAP’s Support Services and may not be
Java is a registered trademark of Sun Microsystems, Inc.
modified or altered in any way.
JavaScript is a registered trademark of Sun Microsystems,
Inc., used under license for technology invented and
implemented by Netscape.

2/40 PUBLIC 12/12/2008

Typographic Conventions

Example Description

<Example> Angle brackets indicate that you replace these words or characters with appropriate
entries to make entries in the system, for example, “Enter your <User Name>”.
Example Arrows separating the parts of a navigation path, for example, menu options
Example
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in the
documentation
http://www.sap.com Textual cross-references to an internet address
/example Quicklinks added to the internet address of a homepage to enable quick access to
specific content on the Web
123456 Hyperlink to an SAP Note, for example, SAP Note 123456
Example n Words or characters quoted from the screen. These include field labels, screen titles,
pushbutton labels, menu names, and menu options.
n Cross-references to other documentation or published works
Example n Output on the screen following a user action, for example, messages
n Source code or syntax quoted directly from a program
n File and directory names and their paths, names of variables and parameters, and
names of installation, upgrade, and database tools
EXAMPLE Technical names of system objects. These include report names, program names,
transaction codes, database table names, and key concepts of a programming language
when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE Keys on the keyboard

12/12/2008 PUBLIC 3/40

Document History

Caution
Before you start the implementation, make sure you have the latest version of this document. You
can find the latest version at the following location: http://service.sap.com/securityguide.

The following table provides an overview of the most important document changes.
Version Date Description

1.0 7/31/2008 No changes.

1.1 12/12/2008 Added new sections for security guide validation.

4/40 PUBLIC 12/12/2008

Table of Contents

Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 2 Before You Start . . . . . . . . . . . . . . . . . . . . . . 9

Chapter 3 Technical System Landscape . . . . . . . . . . . . . . . . . 11

Chapter 4 Security Overview . . . . . . . . . . . . . . . . . . . . . 13

Chapter 5 User Administration and Authentication . . . . . . . . . . . . 15

5.1 Active Directory Domain Considerations . . . . . . . . . . . . . . 15
5.2 User Setup . . . . . . . . . . . . . . . . . . . . . . . . . 15
5.3 Team Setup . . . . . . . . . . . . . . . . . . . . . . . . 16

Chapter 6 Authorizations . . . . . . . . . . . . . . . . . . . . . . 19
6.1 Task Profile Setup . . . . . . . . . . . . . . . . . . . . . . 19
6.2 Member Access Profile Setup . . . . . . . . . . . . . . . . . . 25

Chapter 7 Network and Communication Security . . . . . . . . . . . . . 31

7.1 Communication Channel Security . . . . . . . . . . . . . . . . 31
7.2 Network Security . . . . . . . . . . . . . . . . . . . . . . 32

Chapter 8 Data Storage Security . . . . . . . . . . . . . . . . . . . . 35

Chapter 9 Dispensable Functions that Affect Security . . . . . . . . . . . 37

Chapter 10 Trace and Log Files . . . . . . . . . . . . . . . . . . . . . 39

12/12/2008 PUBLIC 5/40

6/40 PUBLIC 12/12/2008
1 Introduction

1 Introduction

This document is not included as part of the Installation Guides, Configuration Guides, Technical
Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the
software life cycle, whereby the Security Guides provide information that is relevant for all life cycle
phases.

Why is Security Necessary

With the increasing use of distributed systems and the Internet for managing business data, the
demands on security are also on the rise. When using a distributed system, you need to be sure that
your data and processes support your business needs without allowing unauthorized access to critical
information. User errors, negligence, or attempted manipulation on your system should not result
in loss of information or processing time. These demands on security apply likewise to Business
Planning and Consolidation. To assist you in securing your system, we provide this Security Guide.

About This Document

The Security Guide provides an overview of the security-relevant information that applies to BPC.

Overview of the Main Sections

The Security Guide comprises the following main sections:
n Before You Start
This section contains references to other Security Guides that build the foundation for this
Security Guide.
n Technical System Landscape
This section contains a link to more information about the system landscape.
n Security Overview
This section explains the initial users in the system and default authorizations. The section also
provides an overview of the high-level steps needed to establish BPC security.
n User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
l Active Directory domain considerations
l User setup
l Team setup
n Authorizations
This section provides details on the authorization concept that applies to BPC.
n Network and Communication Security

12/12/2008 PUBLIC 7/40

1 Introduction

This section provides an overview of the network topology and communication protocols used by
the application.
n Data Storage Security
This section describes the security aspects involved with saving data used by the application.
n Dispensable Functions with Impact on Security
This section describes which functions are not absolutely necessary and how you can deactivate
them.
n Trace and Log Files
This section provides a link to where trace and log files are located.

8/40 PUBLIC 12/12/2008

2 Before You Start

2 Before You Start

Fundamental Security Guides

For a complete list of the available SAP Security Guides, see http://service.sap.com/securityguide
on the SAP Service Marketplace.

Important SAP Notes

The most important SAP Notes that apply to the security of the system are shown in the table below.

Important SAP Notes

SAP Note Number Title Comment

1178001 Business Planning and
Consolidation 7.0, version for
SAP NetWeaver
1276507 Business Planning and
Consolidation 7.0, version for
SAP NetWeaver Support Package
01.
This is the Central Note for Business
Planning and Consolidation 7.0
SP00.
This is the Central Note for Business
Planning and Consolidation 7.0
SP01.

Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.

Quick Links to Additional Information

Content Quick Link on the SAP Service Marketplace or

SDN
Security http://sdn.sap.com/irj/sdn/security

Security Guides https://service.sap.com/securityguide

Related SAP Notes https://service.sap.com/notes

Released Platforms https://service.sap.com/pam

Network Security https://service.sap.com/securityguide

SAP Solution Manager https://service.sap.com/solutionmanager

SAP NetWeaver http://sdn.sap.com/irj/sdn/netweaver

12/12/2008 PUBLIC 9/40

This page is intentionally left blank.
3 Technical System Landscape

3 Technical System Landscape

For information about the technical system landscape, see the

http://service.sap.com/instguidescpm-bpc 7.0, version for the SAP NetWeaver
Platform SAP BPC 7.0 Master Guide .

12/12/2008 PUBLIC 11/40

This page is intentionally left blank.
4 Security Overview

4 Security Overview

Security Upon Initial System Installation

When you first install the system, the following items apply:
n The system administrator can perform all administrative tasks, but does not have any access to
members.
n There are no other users defined. See User Setup [page 15].
n There is one Admin team defined that can be used as a sample. See Team Setup [page 16].
n There is one sample task profile that has full Administration privileges (PrimaryAdmin), and
another sample task profile that has full Administration privileges and dimension access
(SysAdmin). See Team Setup [page 16].
n Administrators must specifically assign task profiles to users or teams of users before they can
access any tasks. Similarly, if they do not assign member access profiles to users or teams to define
access to members of a secured dimension, no one has access to that dimension. See Member
Access Profile Setup [page 25].
Steps to Define Security
Defining security involves the following steps:
n Name each user. See User Setup [page 15].
n Assign users to teams. See Team Setup [page 16].
n Assign task profiles to users or teams. See Task Profile Setup [page 19].
n Assign member access profiles to users or teams. See Member Access Profile Setup [page 25].

12/12/2008 PUBLIC 13/40

This page is intentionally left blank.
5 User Administration and Authentication

5 User Administration and Authentication

This section contains information about user administration and authentication in the following
topics:
n Active Directory Domain Considerations
n User Setup
n Team Setup

5.1 Active Directory Domain Considerations

When a user ID is added to the system with a domain name (for example, BPC\hsmith), the system
assumes the user ID is being maintained within Active Directory Services. (If not on a domain, users
must be valid Windows users on the .NET application server.) When the user logs on, the system
validates the password against Active Directory Services.

Note
In Server Manager, you can specify specific domains that are being used for users. In
addition, filters can be applied to those domains to select specific users from them. See the
http://service.sap.com/instguidescpm-bpc 7.0, version for SAP NetWeaver SAP BPC 7.0 Server
Manager Guide .
When you are adding new users from a domain to the system, you have the ability to select one of
the user-defined groups, and customize it further, if required.

When setting up users on the system, take the following considerations into account:
n We recommend that all users come from a single domain.
n We recommend that all users have access to the domain the server is on. If they do not have direct
access, the domain must be trusted between the server and user domain.
n The installation user must have rights to browse the users from all user domains.

5.2 User Setup

You can add new users and assign them to teams, task profiles and member access profiles.

12/12/2008 PUBLIC 15/40

5 User Administration and Authentication
5.3 Team Setup

If you are not using the default task or member access profiles and have not set them up yet, you
might want to define them before adding users. You might also want to create teams, so you can
assign the newly added users to the appropriate teams.
Alternatively, when you define the teams and profiles, you can assign users to them at that time.

Features
Adding Users
You can add users in the Admin Console. To do so, choose Security Users , then expand the
domain name. In the Manage Users action pane, click Add New User, then enter the required data to
specify the domain, e-mail address, teams, task profiles, and member access profiles.
Modifying Users
You can modify a user definition in the Admin Console. To do so, choose Security Users . Select a
user. In the Manage Users Options task pane, choose Modify the selected user’s definition. Follow the prompts
in the assistant.

Note
You can enable the server to be Sarbanes-Oxley compliant if you want all clients
that access the server to challenge users for a user name and password. See the
http://service.sap.com/instguidescpm-bpc 7.0, version for SAP NetWeaver SAP BPC 7.0 Server
Manager Guide .

5.3 Team Setup

You can set up and maintain teams of users. When you assign security to teams, the security works
collectively on the team members. This allows you to easily maintain security for many users at
the same time.

Features
Adding teams
You can define teams to assign security rules to a set of users, rather than assigning security rules to
each individual user. Teams are not required to successfully process security.
To add a team, in the Admin Console click Security Teams Add New Team , then follow the
prompts in the assistant.

Note
You can designate one team leader for each team. The team leader can save templates to the team
folder on the server. For more information about the ManageTemplate task, see Task Profile Setup
[page 19].

16/40 PUBLIC 12/12/2008

5 User Administration and Authentication
5.3 Team Setup

Modifying teams
You can modify the definition of an existing team. When modifying a team, you can change
everything except the team name. To modify a team definition, in the Admin Console click
Security Teams . Select the team then click Modify the selected team’s definition. Follow the prompts
in the assistant to revise the team definition, revise selected team members, or assign different task
and member access profiles.

12/12/2008 PUBLIC 17/40

This page is intentionally left blank.
6 Authorizations

6 Authorizations

Authorization is defined by task profiles and member access profiles:

n Task profiles determine what type of activities or tasks a user or a team of users can perform.
n Member access profiles determine the specific applications to which users have access.

6.1 Task Profile Setup

A task profile determines what type of activities or tasks a user or a team of users can perform in
Business Planning and Consolidation. After creating a task profile, you assign it to one or more
users. You can add tasks to a profile as needed.

Features
Administrator Roles
A role is a predefined set of administration tasks. If you want to assign a user one or more
administration tasks, you must assign them one of the predefined administrator roles. Without one of
these role assignments, the user cannot perform any administrator tasks.
The three administrator roles are:
n System Admin
n Primary Admin
n Secondary Admin
Default task rights
A System Administrator (System Admin), by default, has the following task rights:
n Appset
n DefineSecurity
A Primary Administrator (Primary Admin), by default, has the following task rights:
n Application
n BusinessRules
n DefineSecurity
n Dimensions
n Lockings
n ManageAudit
n ManageComments

12/12/2008 PUBLIC 19/40

6 Authorizations
6.1 Task Profile Setup

n ManageContentLibrary
n ManageDistributor
n ManageLiveReport
n ManageTemplates
n Misc
n UpdateToCompanyFolder
n WebAdmin
A Secondary Administrator (Secondary Admin), by default, has the following task rights:
n Dimensions
Administration Task Profile Descriptions
The following table describes the available tasks in the Administration interface:
Task Can be assigned to Description
Application Only the primary administrator Can create, modify, and delete
(default) applications in this application
set, make changes to dimensions
and add dimensions, and optimize
applications.
Appset System administrator, by default, Can create new application sets,
but can be assigned to primary modify application sets, and set
administrator application set parameters (in Web
Admin Tasks).
Business Rules Primary administrator, by default, Define business rules.
but can be assigned to secondary
administrator
Dimension Only primary and secondary Create, modify, process, and delete
administrators (default) dimensions and members.
Lockings Primary administrator, by default, Define and edit work status codes.
but can be assigned to secondary
administrator
Misc Primary administrator, by default, View application set status.
but can also be assigned to system
and secondary administrators.

AnalysisCollection Task Profile Descriptions

The following table describes the available tasks in the AnalysisCollection interface:
Task Can be assigned to Description
eAnalyze Anyone Access, manage and edit ad hoc
and audit reports.

20/40 PUBLIC 12/12/2008

6 Authorizations
6.1 Task Profile Setup

ManageTemplate Anyone A user with this task can access and

save templates to the company or
team folders and restrict workbook
options.

Note
The team leader can save objects
to the team folder without this
task. See Team Setup [page 16].
SubmitData Anyone Can access the build input
schedules and send data. Can
use spread, weight, and trend
options. Can post documents with
application context to the Content
Library.

Audit Task Profile Descriptions

The following table describes the available tasks in the Audit interface:
Task Can be assigned to Description
ManageAudit Anyone Can manage activity and data
auditing.

Collaboration Task Profile Descriptions

The following table describes the available tasks in the Collaboration interface:
Task Can be assigned to Description
ManageDistributor Anyone This user or team can use the
Offline Distributor.
PublishOffline Anyone This user or team collects changes
to offline input schedules and
sends data to a database.

Comments Task Profile Descriptions

The following table describes the available tasks in the Comments interface:
Task Can be assigned to Description
AddComment Anyone This user or team can add
comments.
ManageComments Anyone This user or team can remove
comments.

12/12/2008 PUBLIC 21/40

6 Authorizations
6.1 Task Profile Setup

Data Manager Task Profile Descriptions

The following table describes the available tasks in the DM interface:
Task Can be assigned to Description
Execute Anyone This user or team can manage Data
Manager packages:
n Data upload
n Data download
n Data Preview
n Clear saved prompts
n View status based on user ID
n View schedule status based on
user ID
n Run Specific package
n Run user package
n Validate & Process conversion
files for company
n Validate & Process
transformation files for
company
n Maintain status based on user
ID
n View status

GeneralAdmin Anyone This user or team can perform

tasks such as:
n New Transformation
n Test transformation with data
n New Conversion
n New Conversion Sheet
n Transformation
n Save
n Save Transformation As
n Save Conversion
n Save Conversion As

PrimaryAdmin Anyone Can perform default

PrimaryAdmin tasks such as:
n Manage transformation files for
company and Validate & Process
n Manage conversion files for
company and Validate &
Process
n Packages that against the fact
table directly are limited to
admin
n Manage team package access
n Organize package list

22/40 PUBLIC 12/12/2008

6 Authorizations
6.1 Task Profile Setup

n Maintain status regardless of

user ID
n Run admin package

TeamLeadAdmin Anyone Can:

n Manage Transformation for
noncompany files and Validate
& Process
n Manage Conversion for
noncompany files and Validate
& Process
n Data Preview team folder
n Validate & Process conversion
files for team
n Validate & Process
transformation files for team
n Data upload team folder
n Data download team folder

FileAccess Task Profile Descriptions

The following table describes the available tasks in the FileAccess interface:
Task Can be assigned to Description
UpdateToCompanyFolder Anyone Can add files to the Company
folder.

Journal Task Profile Descriptions

The following table describes the available tasks in the Journal interface:
Task Can be assigned to Description
AdminJournal Anyone Can manage journals:
n Create and maintain journal
templates
n Clear journal tables
n Create Journal
CreateJournal Anyone Can create or modify journal
entries.
PostJournals Anyone Can post journals.
ReviewJournals Anyone Can review journals
UnpostJournals Anyone Can unpost journal entries.

Security Task Profile Descriptions

The following table describes the available tasks in the Security interface:

12/12/2008 PUBLIC 23/40

6 Authorizations
6.1 Task Profile Setup

Task Can be assigned to Description

DefineSecurity Only system and primary Can manage users, task and
administrators (by default). member access profiles.

Caution
We recommend you restrict access
of this task to a few privileged
users.

ViewSystemReport Task Profile Descriptions

The following table describes the available tasks in the ViewSystemReport interface:
Task Can be assigned to Description
AuditReport Anyone This user or team can create audit
reports.
SecurityReport Anyone This user or team can create
security reports.
CommentReport Anyone This user or team can run a
comment report.
JournalReport Anyone This user or team can run a journal
report.
Workstatus report Anyone This user or team can run a work
status report.

WorkStatus Task Profile Descriptions

The following table describes the available tasks in the WorkStatus interface:
Task Can be assigned to Description
SetWorkStatus Anyone This user or team creates work
status on a data region.

ZFP Task Profile Descriptions

The following table describes the available tasks in the ZFP interface:
Task Can be assigned to Description
AccessContentLib Anyone This user or team can access,
filter, and sort, and add pages to
the Content Library in Business
Planning and Consolidation Web.
CreateWebPage Anyone This user or team can create new
web pages in Business Planning and
Consolidation Web.

24/40 PUBLIC 12/12/2008

6 Authorizations
6.2 Member Access Profile Setup

LiveReport Anyone This user or team can access live

reports in Business Planning and
Consolidation Web.
ManageContentLib Anyone Can manage all items in the
Content Library.
ManageLiveReport Anyone This user or team allows you to
manage live reports using drag
& drop in Business Planning and
Consolidation Web.
WebAdmin Anyone Can do the following in Web
Admin Tasks:
n Set application parameters
n Manage dimensions (make
changes to existing dimensions
based on dimension)
n Manage document types and
subtypes
n Publish Non-Business Planning
and Consolidation reports

Adding a Task Profile

To create a new task profile in the Admin Console, choose Security Task Profiles . Enter data
as required.
Tips for Assigning Task Profiles
n The number of task profiles administrators can assign to a user is not limited. However, we
recommend that you do not assign multiple task profiles to users because it may cause confusion
in determining their ultimate access rights.
Task access security is cumulative, and tasks cannot be explicitly denied. As a result, assigning
multiple task profiles can create a situation where users have access to tasks that you may not want
them to have. For example, an administrator wants UserA to only retrieve data. If UserA belongs
to a team that possesses data-send task rights, UserA can also send data.
n Administrators can assign multiple task profiles to a team. However, we recommend that you
do not assign multiple task profiles to a team because it may cause confusion in determining the
ultimate access rights of that team.

6.2 Member Access Profile Setup

You must define a member access profile for all secured dimensions of an application. If no profile is
defined for a secured dimension, the users assigned to the profile do not have access rights to that
application. If you partially define access, for example, for one of two secured dimensions, users are
still denied access to the application.

12/12/2008 PUBLIC 25/40

6 Authorizations
6.2 Member Access Profile Setup

After creating a Member Access profile, you assign it to users as needed.

Features
General Rules for Member Access Security
Member access security is based on the following rules:
n By default, no one other than the system administrator has access to members. Member access
must be explicitly granted.
n A user can be assigned member access individually and through team membership.
n Member access privileges flow down the hierarchy, from parent to child.
n When in conflict, the least restrictive member access profile is applied.
n In case of a conflict between individual and team member access, the least restrictive setting wins.
n Denial of member access can only be set at the user level.
Defining Access to Members with Children
When defining access to a secured dimension that has one or more defined hierarchies, security is
applied to the member and all its children. For example, if you grant access to a member that has 10
children, users with access to the parent member also have access to the 10 children.
You can restrict a child member of a parent with ‘Read’ or ‘Read and Write’ access by creating a
separate member access profile and assigning the child ‘Denied’ access. Alternatively, you can use the
same member access profile as the parent, but create a new line item for the child.
Creating Member Access Profiles
You can add member access profiles from the Admin Console by choosing Security Member Access
Profiles Add a New Member Access Profile and follow the prompts in the New Member Access Profile
assistant. Be sure to choose Apply to process the new member access profiles
Modifying Member Access Profiles
You can modify an existing member access profile by selecting Modify the selected profile definition in the
Manage Profile Options action pane. Follow the prompts in the Modify Profile assistant.
Resolving Member Access Profile Conflicts
Since you can define member access by individual users and by teams, there may be situations in which
conflicts occur. The following topics describe some potential member access conflict scenarios and
the rules the system applies to resolve those conflicts. These scenarios are based on the assumption
that the Entity dimension is a secured dimension and has the following hierarchical structure:
Hierarchy Members
H1 WorldWide1 Sales SalesAsia SalesKorea
SalesJapan
ESalesAsia
SalesEurope SalesItaly
SalesFrance
ESalesEurope
H2 WorldWide2 Asia Korea SalesKorea

26/40 PUBLIC 12/12/2008

6 Authorizations
6.2 Member Access Profile Setup

Japan SalesJapan
eAsia ESalesAsia
Europe Italy SalesItaly
France SalesFrance
eEurope ESalesEurope

Conflict Between Profiles

When there is a conflict between member access profiles, the least restrictive profile is always applied.
This section describes three different scenarios where there are conflicts between profiles.

Example
Scenario 1:
n User1 belongs to Team1 and Team2.
n There are two member access profiles: ProfileA and ProfileB.
n ProfileA is assigned to Team1 and ProfileB is assigned to Team2.
The member access profiles are described in the following table:
Member access profile Access Dimension Member
ProfileA Read & Write Entity Sales
ProfileB Read Only Entity SalesAsia

In this case, the least restrictive profile between the two, ProfileA (Read & Write), is applied. As
a result, ProfileB is ignored by the system, and User1 is able to send data to both SalesKorea and
SalesItaly.

Example
Scenario 2:
n User1 belongs to Team1 and Team2
n There are two member access profiles: ProfileA and ProfileB.
n ProfileA is assigned to Team1 and ProfileB is assigned to Team2.
The member access profiles are described in the following table:
Member access profile Access Dimension Member
ProfileA Read Only Entity Sales
ProfileB Read & Write Entity SalesAsia

In this case, the least restrictive profile between the two, ProfileB (Read & Write), is applied for

12/12/2008 PUBLIC 27/40

6 Authorizations
6.2 Member Access Profile Setup

the child members of SalesAsia. As a result, ProfileA is ignored by the system, and User1 is able to
send data to SalesKorea, but not to SalesItaly.

Example
Scenario 3:
n User1 does not belong to any team.
n There are two member access profiles: ProfileA and ProfileB.
n Both the profiles are assigned to the user.
The member access profiles are described in the following table:
Member access profile Access Dimension Member
ProfileA Denied Entity SalesAsia
ProfileB Read Only Entity Sales

In this case, the least restrictive profiles between the two, ProfileB (Read Only), is applied. As a
result, ProfileA is ignored by the system, and User1 is able to retrieve data from both SalesKorea and
SalesItaly.

Conflict Between Parent and Child Members

Authority always flows down the hierarchy from parent to child. Child members always have the
access level of their parents, unless otherwise specified.

Example
Scenario 1:
n User1 belongs to Team1 and ProfileA is assigned to Team1.
n Two levels of member access profiles are defined for ProfileA.
The member access profiles for the ProfileA are described in the following table:
Member access profile Access Dimension Member
ProfileA Read & Write Entity Sales
ProfileA Read Only Entity SalesAsia

In this case, the Read & Write access of the Sales member flows down to its children. This flow
is interrupted by assigning Read Only access to SalesAsia (a descendant of Sales), and SalesAsia’s
access flows down to its descendants. As a result, User1 is able to send data to SalesItaly, but not to
SalesKorea.

28/40 PUBLIC 12/12/2008

6 Authorizations
6.2 Member Access Profile Setup

Example
Scenario 2:
n User1 belongs to Team1 and ProfileA is assigned to Team1.
n ProfileA has two levels of member access profiles.
The member access profiles for the ProfileA are described in the following table:
Member access profile Access Dimension Member
ProfileA Read Only Entity Sales
ProfileA Read & Write Entity SalesAsia

In this case, the Read Only access of the Sales member flows down to its children. This flow is
interrupted by assigning Read Only access to SalesAsia (a descendant of Sales), and SalesAsia’s access
flows down to its descendants. As a result, User1 is able to send data to SalesKorea but not to SalesItaly.

Conflict When the Same Member Belongs to Different Hierarchies

When a member belongs to different hierarchies, and there is a conflict in member access, the most
restrictive access is applied.

Example
Scenario: ProfileA and ProfileB are assigned to User1. The member access profiles are described
in the following table:
Member access profile Access Dimension Member
ProfileA Read Only Entity WorldWide1
ProfileB Read & Write Entity WorldWide2

In this case, ProfileB determines User1’s access. As a result, User1 is able to send data to SalesKorea,
even if ProfileA denies User1 Write access to SalesKorea (in WorldWide1 hierarchy).

12/12/2008 PUBLIC 29/40

This page is intentionally left blank.
7 Network and Communication Security

7 Network and Communication Security

Your network infrastructure is important in protecting your system. Your network needs to support
the communication necessary for your business and your needs without allowing unauthorized
access. A well-defined network topology can eliminate many security threats based on software flaws
(at both the operating system and application level) or network attacks such as eavesdropping. If users
cannot log on to your application or database servers at the operating system or database layer, then
there is no way for intruders to compromise the machines and gain access to the backend system’s
database or files. Additionally, if users are not able to connect to the server LAN (local area network),
they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for Business Planning and Consolidation is based on the topology used by the
SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the
SAP NetWeaver Security Guide also apply to Business Planning and Consolidation. Details that
specifically apply to Business Planning and Consolidation are described in the following topics:
n Communication Channel Security
This topic describes the communication paths and protocols used by the application.
n Network Security
This topic describes the recommended network topology for the application. It shows the
appropriate network segments for the various client and server components and where to use
firewalls for access protection. It also includes a list of the ports needed to operate the application.
For more information, see the following sections in the SAP NetWeaver Security Guide:
n Network and Communication Security
n Security Guides for Connectivity and Interoperability Technologies

7.1 Communication Channel Security

The table below shows the communication paths used by the application, the protocol used for the
connection, and the type of data transferred.

12/12/2008 PUBLIC 31/40

7 Network and Communication Security
7.2 Network Security

Communication Paths

Communication Path Protocol Used Type of Data Transferred Data Requiring Special
Protection
Client and .NET web/app HTTP/HTTPS Client requests and server Passwords
server responses Proprietary business
financial and
performance metrics
.NET web/app server and RFC Client requests and server Passwords,
NetWeaver server responses Proprietary business
financial and
performance metrics
.NET web/app server TCP/IP Windows native behavior Proprietary business
and Windows Active financial and
Directory performance metrics
NetWeaver application Details are covered in the SAP NetWeaver Security Guide.
server and NetWeaver
databases
Client and Windows TCP/IP Windows native behavior Proprietary business
Active Directory financial and
(Optional) performance metrics

Note
Communication with Windows Active Directory is done by the native Windows Operation System.
We recommend HTTPS for enhanced security. HTTPS is required if the client uses basic
authentication to access the .NET web/application server.

7.2 Network Security

You can implement the following components of the application in different network segments:
n Client
n .NET Web/application server
n NetWeaver application server
We recommend any of the following three environments, based on your on your technical
requirements.
n All components in one network zone (LAN)
n Client in Internet zone, while all server side components (.NET application server and NetWeaver
tier) are in one zone (LAN)
n Client in Internet zone, .NET application server in DMZ, and the NetWeaver tier in a different zone

32/40 PUBLIC 12/12/2008

7 Network and Communication Security
7.2 Network Security

Note
The NetWeaver tier includes a database server and an optional BIA, therefore we support a
NetWeaver application server, and a NetWeaver database and BIA in a different network zone.

12/12/2008 PUBLIC 33/40

This page is intentionally left blank.
8 Data Storage Security

8 Data Storage Security

In Business Planning and Consolidation, user data is stored in the Active Directory, and authorization
data is stored in the SAP NetWeaver database.
Some configuration data is loaded upon system installation, but most business data is loaded
by administrators and end users. The configuration file is located on the .NET server tier in
BPC\Websrvr\web\ServerConfiguration.config. The system is automatically configured to provide a substantial
level of data protection, but you should also make sure that no one has access to the service accounts
defined during the installation.
The system uses a client-side file system to store metadata and template data temporarily because
read, write, delete, change, and query access for existing data may be required. This data is stored in
the local file system of the client within the MyDocuments\OutlookSoft directory. We recommend that
only the end user and the Administrator have access to this directory.
Since Business Planning and Consolidation has a Web browser as its user interface, it uses cookies to
store front-end metadata and configuration information during individual user sessions. This data
requires no special protection, and no special measures to protect the cookies are necessary.

12/12/2008 PUBLIC 35/40

This page is intentionally left blank.
9 Dispensable Functions that Affect Security

9 Dispensable Functions that Affect

Security

Business Planning and Consolidation uses the following system resources:

n Client tier — File system, system components, operating system
n .NET server tier — System components, operating system
n ABAP server — System components, operating system
There are no administration tools or installation tools that can be deleted after installation.
An installation contains a default application set named ApShell. This is the only component you can
remove after you complete your own application set development.
Server Installation
For the server installation, all functional modules are necessary and are used at runtime.
Client Installation
A Business Planning and Consolidation installation can include a Microsoft Office client and an
Administration client for different kinds of end users. Users can install one or both.

12/12/2008 PUBLIC 37/40

This page is intentionally left blank.
10 Trace and Log Files

10 Trace and Log Files

The system provides log files on both the client side and the .NET server side. The client side log is
located in My Documents\BPC\Logging. The server log is located in (BPC install dir)\Logging. Both logs are
named logmm-dd-yyyy.txt, where mm-dd-yyyy is the date to which that log applies. The system
creates a new log each day.

12/12/2008 PUBLIC 39/40

 SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com

© Copyright 2008 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be
changed without prior notice.