Target Audience
- Technical Consultants
- System Administrators
PUBLIC
Document version: 1.1 ‒ 12/12/2008
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com
© Copyright 2008 SAP AG. All rights reserved. MaxDB is a trademark of MySQL AB, Sweden.
Example  Description
<Example>  Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example  Arrows separating the parts of a navigation path, for example, menu options
Example  Emphasized words or expressions
Example  Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com  Textual cross-references to an internet address
/example  Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456  Hyperlink to an SAP Note, for example, SAP Note 123456
Example  - Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
         - Cross-references to other documentation or published works
Example  - Output on the screen following a user action, for example, messages
         - Source code or syntax quoted directly from a program
         - File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE  Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE  Keys on the keyboard
Caution
Before you start the implementation, make sure you have the latest version of this document. You
can find the latest version at the following location: http://service.sap.com/securityguide.
The following table provides an overview of the most important document changes.
Version Date Description
Chapter 1 Introduction (page 7)
Chapter 6 Authorizations (page 19)
6.1 Task Profile Setup (page 19)
6.2 Member Access Profile Setup (page 25)
1 Introduction
This document is not included as part of the Installation Guides, Configuration Guides, Technical
Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the
software life cycle, whereas the Security Guides provide information that is relevant for all life cycle
phases.
This section provides an overview of the network topology and communication protocols used by
the application.
- Data Storage Security
  This section describes the security aspects involved with saving data used by the application.
- Dispensable Functions with Impact on Security
  This section describes which functions are not absolutely necessary and how you can deactivate them.
- Trace and Log Files
  This section provides a link to where trace and log files are located.
Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.
4 Security Overview
This section contains information about user administration and authentication in the following
topics:
- Active Directory Domain Considerations
- User Setup
- Team Setup
When a user ID is added to the system with a domain name (for example, BPC\hsmith), the system
assumes the user ID is being maintained within Active Directory Services. (If not on a domain, users
must be valid Windows users on the .NET application server.) When the user logs on, the system
validates the password against Active Directory Services.
Note
In Server Manager, you can specify the domains that are used for users. In addition, filters can be
applied to those domains to select specific users from them. See the SAP BPC 7.0 Server Manager
Guide at http://service.sap.com/instguidescpm-bpc under 7.0, version for SAP NetWeaver.
When you are adding new users from a domain to the system, you have the ability to select one of
the user-defined groups, and customize it further, if required.
When setting up users on the system, take the following considerations into account:
- We recommend that all users come from a single domain.
- We recommend that all users have access to the domain the server is on. If they do not have direct
  access, a trust relationship must exist between the server domain and the user domain.
- The installation user must have rights to browse the users from all user domains.
You can add new users and assign them to teams, task profiles and member access profiles.
If you are not using the default task or member access profiles and have not set them up yet, you
might want to define them before adding users. You might also want to create teams, so you can
assign the newly added users to the appropriate teams.
Alternatively, when you define the teams and profiles, you can assign users to them at that time.
Features
Adding Users
You can add users in the Admin Console. To do so, choose Security → Users, then expand the
domain name. In the Manage Users action pane, click Add New User, then enter the required data to
specify the domain, e-mail address, teams, task profiles, and member access profiles.
Modifying Users
You can modify a user definition in the Admin Console. To do so, choose Security → Users. Select a
user. In the Manage Users Options task pane, choose Modify the selected user's definition. Follow the
prompts in the assistant.
Note
You can enable the server to be Sarbanes-Oxley compliant if you want all clients that access the
server to challenge users for a user name and password. See the SAP BPC 7.0 Server Manager Guide
at http://service.sap.com/instguidescpm-bpc under 7.0, version for SAP NetWeaver.
You can set up and maintain teams of users. When you assign security to teams, the security works
collectively on the team members. This allows you to easily maintain security for many users at
the same time.
Features
Adding teams
You can define teams to assign security rules to a set of users, rather than assigning security rules to
each individual user. Teams are optional; security can be processed successfully without them.
To add a team, in the Admin Console click Security → Teams → Add New Team, then follow the
prompts in the assistant.
Note
You can designate one team leader for each team. The team leader can save templates to the team
folder on the server. For more information about the ManageTemplate task, see Task Profile Setup
[page 19].
Modifying teams
You can modify the definition of an existing team. When modifying a team, you can change
everything except the team name. To modify a team definition, in the Admin Console click
Security → Teams. Select the team, then click Modify the selected team's definition. Follow the prompts
in the assistant to revise the team definition, revise selected team members, or assign different task
and member access profiles.
6 Authorizations
A task profile determines what type of activities or tasks a user or a team of users can perform in
Business Planning and Consolidation. After creating a task profile, you assign it to one or more
users. You can add tasks to a profile as needed.
Features
Administrator Roles
A role is a predefined set of administration tasks. If you want to assign a user one or more
administration tasks, you must assign them one of the predefined administrator roles. Without one of
these role assignments, the user cannot perform any administrator tasks.
The three administrator roles are:
- System Admin
- Primary Admin
- Secondary Admin
Default task rights
A System Administrator (System Admin), by default, has the following task rights:
- Appset
- DefineSecurity
A Primary Administrator (Primary Admin), by default, has the following task rights:
- Application
- BusinessRules
- DefineSecurity
- Dimensions
- Lockings
- ManageAudit
- ManageComments
- ManageContentLibrary
- ManageDistributor
- ManageLiveReport
- ManageTemplates
- Misc
- UpdateToCompanyFolder
- WebAdmin
A Secondary Administrator (Secondary Admin), by default, has the following task rights:
- Dimensions
Administration Task Profile Descriptions
The following table describes the available tasks in the Administration interface (columns: Task, Can be assigned to, Description):
Application
  Can be assigned to: Only the primary administrator (default)
  Description: Can create, modify, and delete applications in this application set, make changes to dimensions and add dimensions, and optimize applications.
Appset
  Can be assigned to: System administrator, by default, but can be assigned to primary administrator
  Description: Can create new application sets, modify application sets, and set application set parameters (in Web Admin Tasks).
Business Rules
  Can be assigned to: Primary administrator, by default, but can be assigned to secondary administrator
  Description: Define business rules.
Dimension
  Can be assigned to: Only primary and secondary administrators (default)
  Description: Create, modify, process, and delete dimensions and members.
Lockings
  Can be assigned to: Primary administrator, by default, but can be assigned to secondary administrator
  Description: Define and edit work status codes.
Misc
  Can be assigned to: Primary administrator, by default, but can also be assigned to system and secondary administrators.
  Description: View application set status.
  Note: The team leader can save objects to the team folder without this task. See Team Setup [page 16].
SubmitData
  Can be assigned to: Anyone
  Description: Can access the build input schedules and send data. Can use spread, weight, and trend options. Can post documents with application context to the Content Library.
  Caution: We recommend you restrict access of this task to a few privileged users.
You must define a member access profile for all secured dimensions of an application. If no profile is
defined for a secured dimension, the users assigned to the profile do not have access rights to that
application. If you partially define access, for example, for one of two secured dimensions, users are
still denied access to the application.
Features
General Rules for Member Access Security
Member access security is based on the following rules:
- By default, no one other than the system administrator has access to members. Member access
  must be explicitly granted.
- A user can be assigned member access individually and through team membership.
- Member access privileges flow down the hierarchy, from parent to child.
- When in conflict, the least restrictive member access profile is applied.
- In case of a conflict between individual and team member access, the least restrictive setting wins.
- Denial of member access can only be set at the user level.
Defining Access to Members with Children
When defining access to a secured dimension that has one or more defined hierarchies, security is
applied to the member and all its children. For example, if you grant access to a member that has 10
children, users with access to the parent member also have access to the 10 children.
You can restrict a child member of a parent with ‘Read’ or ‘Read and Write’ access by creating a
separate member access profile and assigning the child ‘Denied’ access. Alternatively, you can use the
same member access profile as the parent, but create a new line item for the child.
Creating Member Access Profiles
You can add member access profiles from the Admin Console by choosing Security → Member Access
Profiles → Add a New Member Access Profile and following the prompts in the New Member Access Profile
assistant. Be sure to choose Apply to process the new member access profiles.
Modifying Member Access Profiles
You can modify an existing member access profile by selecting Modify the selected profile definition in the
Manage Profile Options action pane. Follow the prompts in the Modify Profile assistant.
Resolving Member Access Profile Conflicts
Since you can define member access by individual users and by teams, there may be situations in which
conflicts occur. The following topics describe some potential member access conflict scenarios and
the rules the system applies to resolve those conflicts. These scenarios are based on the assumption
that the Entity dimension is a secured dimension and has the following hierarchical structure:
Hierarchy  Members
H1  WorldWide1
      Sales
        SalesAsia: SalesKorea, SalesJapan, ESalesAsia
        SalesEurope: SalesItaly, SalesFrance, ESalesEurope
H2  WorldWide2
      Asia
        Korea: SalesKorea
        Japan: SalesJapan
        eAsia: ESalesAsia
      Europe
        Italy: SalesItaly
        France: SalesFrance
        eEurope: ESalesEurope
Example
Scenario 1:
- User1 belongs to Team1 and Team2.
- There are two member access profiles: ProfileA and ProfileB.
- ProfileA is assigned to Team1 and ProfileB is assigned to Team2.
The member access profiles are described in the following table:
Member access profile Access Dimension Member
ProfileA Read & Write Entity Sales
ProfileB Read Only Entity SalesAsia
In this case, the least restrictive profile between the two, ProfileA (Read & Write), is applied. As
a result, ProfileB is ignored by the system, and User1 is able to send data to both SalesKorea and
SalesItaly.
Example
Scenario 2:
- User1 belongs to Team1 and Team2.
- There are two member access profiles: ProfileA and ProfileB.
- ProfileA is assigned to Team1 and ProfileB is assigned to Team2.
The member access profiles are described in the following table:
Member access profile Access Dimension Member
ProfileA Read Only Entity Sales
ProfileB Read & Write Entity SalesAsia
In this case, the least restrictive profile between the two, ProfileB (Read & Write), is applied for
the child members of SalesAsia. As a result, ProfileA is ignored by the system, and User1 is able to
send data to SalesKorea, but not to SalesItaly.
Example
Scenario 3:
- User1 does not belong to any team.
- There are two member access profiles: ProfileA and ProfileB.
- Both profiles are assigned to the user.
The member access profiles are described in the following table:
Member access profile Access Dimension Member
ProfileA Denied Entity SalesAsia
ProfileB Read Only Entity Sales
In this case, the least restrictive profile between the two, ProfileB (Read Only), is applied. As a
result, ProfileA is ignored by the system, and User1 is able to retrieve data from both SalesKorea and
SalesItaly.
Example
Scenario 1:
- User1 belongs to Team1 and ProfileA is assigned to Team1.
- Two levels of member access profiles are defined for ProfileA.
The member access profiles for the ProfileA are described in the following table:
Member access profile Access Dimension Member
ProfileA Read & Write Entity Sales
ProfileA Read Only Entity SalesAsia
In this case, the Read & Write access of the Sales member flows down to its children. This flow
is interrupted by assigning Read Only access to SalesAsia (a descendant of Sales), and SalesAsia’s
access flows down to its descendants. As a result, User1 is able to send data to SalesItaly, but not to
SalesKorea.
Example
Scenario 2:
- User1 belongs to Team1 and ProfileA is assigned to Team1.
- ProfileA has two levels of member access profiles.
The member access profiles for the ProfileA are described in the following table:
Member access profile Access Dimension Member
ProfileA Read Only Entity Sales
ProfileA Read & Write Entity SalesAsia
In this case, the Read Only access of the Sales member flows down to its children. This flow is
interrupted by assigning Read & Write access to SalesAsia (a descendant of Sales), and SalesAsia's access
flows down to its descendants. As a result, User1 is able to send data to SalesKorea but not to SalesItaly.
Example
Scenario: ProfileA and ProfileB are assigned to User1. The member access profiles are described
in the following table:
Member access profile Access Dimension Member
ProfileA Read Only Entity WorldWide1
ProfileB Read & Write Entity WorldWide2
In this case, ProfileB determines User1’s access. As a result, User1 is able to send data to SalesKorea,
even if ProfileA denies User1 Write access to SalesKorea (in WorldWide1 hierarchy).
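The general rules for member access security and the conflict scenarios above can be checked mechanically. The following Python model is an added example, not SAP code and not part of this guide: it encodes the Entity hierarchies H1 and H2 as constructed from the table above, treats a member access profile as a list of (member, access) lines, applies nearest-ancestor override within one profile and least-restrictive-wins across profiles (individual or team), and re-runs the scenarios. The function names, the ordering Denied < Read Only < Read & Write, and the choice to apply least-restrictive across the two hierarchies within a single profile are assumptions of the example, not statements from the guide.

```python
"""Model of the member access rules described in this guide (added example, not SAP code).

Assumptions: hierarchies H1/H2 are constructed from the guide's Entity table; a profile
is a list of (member, access) lines for the Entity dimension; across hierarchies within
ONE profile the least restrictive result wins (the guide only shows cross-profile cases).
"""
from typing import Dict, List, Optional, Tuple

# Constructed child -> parent maps for the guide's two Entity hierarchies.
H1 = {"Sales": "WorldWide1", "SalesAsia": "Sales", "SalesEurope": "Sales",
      "SalesKorea": "SalesAsia", "SalesJapan": "SalesAsia", "ESalesAsia": "SalesAsia",
      "SalesItaly": "SalesEurope", "SalesFrance": "SalesEurope", "ESalesEurope": "SalesEurope"}
H2 = {"Asia": "WorldWide2", "Europe": "WorldWide2",
      "Korea": "Asia", "Japan": "Asia", "eAsia": "Asia",
      "Italy": "Europe", "France": "Europe", "eEurope": "Europe",
      "SalesKorea": "Korea", "SalesJapan": "Japan", "ESalesAsia": "eAsia",
      "SalesItaly": "Italy", "SalesFrance": "France", "ESalesEurope": "eEurope"}
HIERARCHIES = [H1, H2]

# Higher rank = less restrictive; "least restrictive wins" picks the highest rank.
RANK = {"Denied": 0, "Read Only": 1, "Read & Write": 2}

Profile = List[Tuple[str, str]]   # (member, access) lines of one member access profile
Profiles = Dict[str, Profile]     # profile name -> lines
Teams = Dict[str, List[str]]      # team name -> profile names assigned to that team
User = Dict[str, List[str]]       # {"profiles": [...own profiles], "teams": [...memberships]}


def ancestors_or_self(member: str, hierarchy: Dict[str, str]):
    """Yield the member, then its parent, grandparent, ... up to the hierarchy root."""
    node: Optional[str] = member
    while node is not None:
        yield node
        node = hierarchy.get(node)


def profile_access(profile: Profile, member: str) -> Optional[str]:
    """Access one profile grants to a member, or None when the profile says nothing.

    Within a profile, access flows down each hierarchy; the nearest line on the member
    itself or on one of its ancestors wins, so a line on a child interrupts the flow
    from its parent (this is how a child is restricted with Denied).
    """
    lines = dict(profile)
    best: Optional[str] = None
    for hierarchy in HIERARCHIES:
        for node in ancestors_or_self(member, hierarchy):
            if node in lines:
                # Assumption: least restrictive wins across hierarchies of the same profile.
                if best is None or RANK[lines[node]] > RANK[best]:
                    best = lines[node]
                break
    return best


def effective_access(user: User, member: str, profiles: Profiles, teams: Teams) -> str:
    """Combine the user's own profiles and every team profile; least restrictive wins.

    Default is no access: a member nobody granted anything on resolves to "Denied".
    """
    names = list(user["profiles"])
    for team in user["teams"]:
        names.extend(teams[team])
    granted = [a for a in (profile_access(profiles[n], member) for n in names) if a is not None]
    return max(granted, key=RANK.__getitem__) if granted else "Denied"


def guide_scenarios() -> Dict[str, Tuple[str, str]]:
    """Re-run the guide's scenarios; each result is User1's access to (SalesKorea, SalesItaly)."""
    two_teams = {"Team1": ["A"], "Team2": ["B"]}
    team_user = {"profiles": [], "teams": ["Team1", "Team2"]}
    direct_user = {"profiles": ["A", "B"], "teams": []}
    cases = {
        "teams_1": ({"A": [("Sales", "Read & Write")], "B": [("SalesAsia", "Read Only")]}, two_teams, team_user),
        "teams_2": ({"A": [("Sales", "Read Only")], "B": [("SalesAsia", "Read & Write")]}, two_teams, team_user),
        "user_3": ({"A": [("SalesAsia", "Denied")], "B": [("Sales", "Read Only")]}, {}, direct_user),
        "levels_2": ({"A": [("Sales", "Read Only"), ("SalesAsia", "Read & Write")]},
                     {"Team1": ["A"]}, {"profiles": [], "teams": ["Team1"]}),
        "hierarchies": ({"A": [("WorldWide1", "Read Only")], "B": [("WorldWide2", "Read & Write")]}, {}, direct_user),
    }
    return {name: (effective_access(user, "SalesKorea", p, t), effective_access(user, "SalesItaly", p, t))
            for name, (p, t, user) in cases.items()}


if __name__ == "__main__":
    for name, (korea, italy) in guide_scenarios().items():
        print(f"{name:12s} SalesKorea={korea:12s} SalesItaly={italy}")
```

Running it prints the access User1 ends up with on SalesKorea and SalesItaly for each scenario. An administrator can substitute real profile lines and team memberships to review what a user can actually send data to before the profiles are applied, which is the practical way to catch a Denied line that is silently overridden by a less restrictive profile.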
Your network infrastructure is important in protecting your system. Your network needs to support
the communication necessary for your business and your needs without allowing unauthorized
access. A well-defined network topology can eliminate many security threats based on software flaws
(at both the operating system and application level) or network attacks such as eavesdropping. If users
cannot log on to your application or database servers at the operating system or database layer, then
there is no way for intruders to compromise the machines and gain access to the backend system’s
database or files. Additionally, if users are not able to connect to the server LAN (local area network),
they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for Business Planning and Consolidation is based on the topology used by the
SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the
SAP NetWeaver Security Guide also apply to Business Planning and Consolidation. Details that
specifically apply to Business Planning and Consolidation are described in the following topics:
- Communication Channel Security
  This topic describes the communication paths and protocols used by the application.
- Network Security
  This topic describes the recommended network topology for the application. It shows the
  appropriate network segments for the various client and server components and where to use
  firewalls for access protection. It also includes a list of the ports needed to operate the application.
For more information, see the following sections in the SAP NetWeaver Security Guide:
- Network and Communication Security
- Security Guides for Connectivity and Interoperability Technologies
The table below shows the communication paths used by the application, the protocol used for the
connection, and the type of data transferred.
Communication Paths (columns: Communication Path, Protocol Used, Type of Data Transferred, Data Requiring Special Protection)
Client and .NET web/app server
  Protocol: HTTP/HTTPS
  Data transferred: Client requests and server responses
  Data requiring special protection: Passwords; proprietary business financial and performance metrics
.NET web/app server and NetWeaver server
  Protocol: RFC
  Data transferred: Client requests and server responses
  Data requiring special protection: Passwords; proprietary business financial and performance metrics
.NET web/app server and Windows Active Directory
  Protocol: TCP/IP
  Data transferred: Windows native behavior
  Data requiring special protection: Proprietary business financial and performance metrics
NetWeaver application server and NetWeaver databases
  Details are covered in the SAP NetWeaver Security Guide.
Client and Windows Active Directory (Optional)
  Protocol: TCP/IP
  Data transferred: Windows native behavior
  Data requiring special protection: Proprietary business financial and performance metrics
Note
Communication with Windows Active Directory is handled by the native Windows operating system.
We recommend HTTPS for enhanced security. HTTPS is required if the client uses basic
authentication to access the .NET web/application server.
You can implement the following components of the application in different network segments:
- Client
- .NET Web/application server
- NetWeaver application server
We recommend any of the following three environments, based on your technical requirements:
- All components in one network zone (LAN)
- Client in the Internet zone, while all server-side components (.NET application server and NetWeaver
  tier) are in one zone (LAN)
- Client in the Internet zone, .NET application server in the DMZ, and the NetWeaver tier in a different zone
Note
The NetWeaver tier includes a database server and an optional BIA. We therefore support placing the
NetWeaver application server, the NetWeaver database, and the BIA in a different network zone.
In Business Planning and Consolidation, user data is stored in the Active Directory, and authorization
data is stored in the SAP NetWeaver database.
Some configuration data is loaded upon system installation, but most business data is loaded
by administrators and end users. The configuration file is located on the .NET server tier in
BPC\Websrvr\web\ServerConfiguration.config. The system is automatically configured to provide a substantial
level of data protection, but you should also make sure that no one has access to the service accounts
defined during the installation.
The system uses a client-side file system to store metadata and template data temporarily because
read, write, delete, change, and query access for existing data may be required. This data is stored in
the local file system of the client within the MyDocuments\OutlookSoft directory. We recommend that
only the end user and the Administrator have access to this directory.
Since Business Planning and Consolidation has a Web browser as its user interface, it uses cookies to
store front-end metadata and configuration information during individual user sessions. This data
requires no special protection, and no special measures to protect the cookies are necessary.
The system provides log files on both the client side and the .NET server side. The client side log is
located in My Documents\BPC\Logging. The server log is located in (BPC install dir)\Logging. Both logs are
named logmm-dd-yyyy.txt, where mm-dd-yyyy is the date to which that log applies. The system
creates a new log each day.
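A collector or review script that picks up these daily logs should accept only names that follow the stated convention and surface anything else found in the Logging directory, since a stray file there is worth a look. The following Python helper is an added example, not SAP code: the directory listing is constructed, and the function names are the example's own.

```python
"""Select BPC daily log files by date (added example, not SAP code).

Assumes only what the guide states: logs are named logmm-dd-yyyy.txt, one file per day.
"""
import re
from datetime import date, datetime
from typing import List, Optional, Tuple

LOG_NAME = re.compile(r"^log\d{2}-\d{2}-\d{4}\.txt$")


def parse_log_date(name: str) -> Optional[date]:
    """Return the day encoded in a log file name, or None if it is not a valid daily log name."""
    if not LOG_NAME.match(name):
        return None
    try:
        return datetime.strptime(name[len("log"):-len(".txt")], "%m-%d-%Y").date()
    except ValueError:  # e.g. month 13: looks like a log name but is not a real date
        return None


def select_logs(names: List[str], start: date, end: date) -> Tuple[List[str], List[str]]:
    """Split a Logging directory listing into the logs covering start..end (sorted by day)
    and the entries that do not follow the naming convention."""
    selected, unexpected = [], []
    for name in names:
        day = parse_log_date(name)
        if day is None:
            unexpected.append(name)
        elif start <= day <= end:
            selected.append((day, name))
    return [n for _, n in sorted(selected)], unexpected


# Constructed listing of a (BPC install dir)\Logging directory, deliberately unsorted
# and including one impossible date and one file that is not a log.
SAMPLE_LISTING = ["log12-12-2008.txt", "log12-10-2008.txt", "log12-11-2008.txt",
                  "log13-01-2008.txt", "notes.txt"]


def sample_run() -> Tuple[List[str], List[str]]:
    """Collect the logs for 11 and 12 December 2008 from the constructed listing."""
    return select_logs(SAMPLE_LISTING, date(2008, 12, 11), date(2008, 12, 12))


if __name__ == "__main__":
    logs, odd = sample_run()
    print("collect:", logs)
    print("unexpected:", odd)
```

The same function works on the client-side My Documents\BPC\Logging directory; point it at a real listing (for example `os.listdir`) and review the unexpected list before copying the selected logs into your central log store.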