
Security Guide
Document version: 1.2 – 2015-11-06

SAP Supplier Relationship Management powered by SAP NetWeaver®
Using SAP SRM Server 7.14

PUBLIC

Document History

Caution: Before you start the implementation, make sure you have the latest version of this document. You can find the latest version at the following location: service.sap.com/securityguide.

The following table provides an overview of the most important document changes:

Table 1

Version | Date | Description
1.2 | 2015-11-06 | Updated and enhanced for SAP enhancement package 4 for SAP SRM 7.0.

PUBLIC © Copyright 2016 SAP SE or an SAP affiliate company. All rights reserved.

Content

1 Introduction ..... 5
1.1 Target Audience ..... 5
1.2 Why Is Security Necessary? ..... 5
1.3 About This Document ..... 5

2 Before You Start ..... 8
2.1 Fundamental Security Guides ..... 8
2.2 Additional Information ..... 10

3 Technical System Landscape Information ..... 11
3.1 Technical System Landscape ..... 11
3.2 Architecture ..... 12

4 Security Aspects of Data, Data Flow, and Processes ..... 16
4.1 Overview of the Business Scenarios ..... 16
4.2 Software Component Matrix ..... 16
4.3 SAP Supplier Relationship Management (SAP SRM) Business Scenarios and Relevant Components ..... 16

5 User Administration and Authentication Information ..... 24
5.1 User Administration and Authentication ..... 24
5.2 User Management ..... 25
5.3 Integration into Single Sign-On Landscapes ..... 26

6 Authorization Information ..... 27
6.1 Authorizations ..... 27
6.2 Business Add-In to Restrict Visibility of Product Categories ..... 28
6.3 RFC Authorization Checks ..... 28

7 Session Security Protection ..... 29

8 Network and Communication Security ..... 30
8.1 Communication Channel Security ..... 30
8.2 Network Security ..... 33
8.3 Communication Destinations ..... 33

9 Internet Communication Framework Security ..... 35

10 Data Storage Security ..... 36

11 Enterprise Services Security ..... 37

12 Auditing and Logging ..... 38

13 Services for Security Lifecycle Management ..... 44

14 Data Protection ..... 46
14.1 Deletion of Personal Data ..... 47
14.2 Read Access Logging ..... 49

15 Other Security Relevant Information ..... 50
15.1 Payment Card Security ..... 50
15.2 Credit Card Usage Overview ..... 50
15.3 Customizing ..... 51
15.4 Masked/Unmasked Display ..... 52
15.5 Deleting Stored Credit Card Information ..... 52

16 Appendix ..... 53
16.1 Data Privacy Statement ..... 53
16.2 Virus Checking of Document Attachments ..... 54
16.3 Additional Related Guides ..... 54
16.4 Additional Information ..... 54

A Reference ..... 58
A.1 The Main SAP Documentation Types ..... 58


1 Introduction

SAP SRM runs on multiple SAP NetWeaver releases; in this document we refer only to the latest release.

Caution: This guide does not replace the administration or operation guides that are available for productive operations.

1.1 Target Audience

● Technology consultants

● System administrators

This document is not included as part of the installation guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all life cycle phases.

1.2 Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security apply likewise to the SAP Supplier Relationship Management (SAP SRM) solution. To assist you in securing SAP SRM, we provide this Security Guide.

1.3 About This Document

This security guide provides an overview of the security-relevant information that applies to SAP Supplier Relationship Management (SAP SRM).

In many cases, the required information has already been provided in other security guides and in the configuration information or installation guides. In these cases, we have provided a reference to the appropriate guides.

Security in the context of an SAP SRM solution comprises the following aspects:

● User authentication

● Support of Single Sign-On

● Administration and checking of user authorizations to prevent unauthorized access to saved data


● Secure data transfer between users and the SAP SRM application components, especially in the case of browser-based access using the Internet

● General access control, including protection of the system against unauthorized external access

● Safeguarding of data against unauthorized access when business data is being exchanged between SAP SRM and external systems, especially in the case of data exchange with supplier systems using the Internet

The individual components of the SAP SRM solution are based on the standard technology of SAP NetWeaver, such as SAP NetWeaver Web Application Server, ABAP Web Dynpro, and SAProuter. This means that only the official precepts of the SAP security strategy apply, and the standard tools and mechanisms of the SAP NetWeaver platform are used.

This security guide focuses on specific SAP SRM implementations – the standard case is covered by the security guides of the respective basis technologies.

For a more detailed overview of business scenarios, including graphical representations, see the master guide at service.sap.com/instguides > SAP Business Suite Applications > SAP SRM > SAP SRM Server 7.14.

Overview of the Main Sections

The security guide comprises the following main sections:

● Before You Start

This section contains information about why security is necessary, how to use this document, and references to other security guides that build the foundation for this security guide.

● Technical System Landscape Information

This section provides an overview of the technical components and communication paths that are used by SAP SRM.

● Security Aspects of Data, Data Flow, and Processes

This section provides an overview of security aspects involved throughout the most-widely used processes within SAP SRM.

● User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

○ Recommended tools to use for user management.

○ User types that are required by SAP SRM.

○ Standard users that are delivered with SAP SRM.

○ Overview of the user synchronization strategy, if several components or products are involved.

○ Overview of how integration into Single Sign-On environments is possible.

● Authorizations

This section provides an overview of the authorization concept that applies to SAP SRM.

● Session Security Protection

This section provides information about activating secure session management, which prevents JavaScript or plug-ins from accessing the SAP logon ticket or security session cookie(s).

● Network and Communication Security

This section provides an overview of the communication paths used by SAP SRM and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at network level.

● Internet Communication Framework Security


This section provides an overview of the Internet Communication Framework (ICF) services that are used by SAP SRM.

● Data Storage Security

This section provides an overview of any critical data that is used by SAP SRM and the security mechanisms that apply.

● Security for Third-Party or Additional Applications

This section provides security information that applies to third-party or additional applications that are used with SAP SRM.

● Dispensable Functions with Impacts on Security

This section provides an overview of functions that have impacts on security and can be disabled or removed from the system.

● Enterprise Services Security

This section provides an overview about the security aspects that apply to the enterprise services delivered with SAP SRM.

● Security-Relevant Logging and Tracing

This section provides an overview of the trace and log files that contain security-relevant information so that you can, for example, reproduce activities if a security breach occurs.

● Services for Security Lifecycle Management

This section provides an overview of services provided by Active Global Support that are available to assist you in maintaining security in your SAP systems on an ongoing basis.

● Appendix

This section provides references to further information.


2 Before You Start

2.1 Fundamental Security Guides

SAP Supplier Relationship Management (SAP SRM) is built on the technology of SAP NetWeaver. Therefore, the corresponding security guides also apply to the SAP SRM solution. The most relevant sections or specific restrictions are indicated in the following tables:

Table 2: Fundamental Security Guides

Scenario, Application or Component | Security Guide | Most-Relevant Sections
SAP NetWeaver Security Guide | For more information about the SAP NetWeaver Security Guide, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Guide.

Table 3: Introduction to Security with the SAP NetWeaver Platform

Topic | See
Technical System Landscape | For more information about the Technical System Landscape, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Guide > Technical System Landscape.
User Administration and Authentication | For more information about User Administration and Authentication, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Guide > User Administration and Authentication.
Network and Communication Security | For more information about Network and Transport Layer Security, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Guide > Network and Communication Security.
Secure Programming | Secure Programming - ABAP


Table 4: Security Guides for SAP NetWeaver According to Usage Types

Usage Type | See
SAP NetWeaver Application Server ABAP Security Guide | For more information about the SAP NetWeaver Application Server ABAP Security Guide, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Guide > Security Guides for the AS ABAP.
SAP NetWeaver Application Server Java Security Guide | For more information about the SAP NetWeaver Application Server Java Security Guide, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Guide > Security Guides for the AS JAVA.
Virus Protection and SAP GUI Integrity | For more information about Virus Protection and SAP GUI Integrity, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Guide > Virus Protection and SAP GUI Integrity Checks.
Security Guides for Enterprise Portal (EP) and EP Core Application | For more information about Security Guides for Enterprise Portal (EP) and EP Core Application, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Guide > Enterprise Portal (EP) and EP Core.
Security Guide for SAP NetWeaver BI/BW | For more information about the Security Guide for SAP NetWeaver BI, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Guide > SAP Business Warehouse.
SAP NetWeaver Process Integration Security Guide | For more information about the SAP NetWeaver Process Integration Security Guide, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Guide > SAP Process Integration Security Guide.

Table 5: Security Guides for Standalone Engines

Engine | See
Search and Classification TREX Security Guide | For more information about the Search and Classification TREX Security Guide, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Guide > Search and Classification (TREX) Security Guide.

For a complete list of available SAP security guides, see SAP Service Marketplace at service.sap.com/securityguide.

2.2 Additional Information

For more information about specific topics, see the Quick Links as shown in the table below:

Table 6

Content | Quick Links on the SAP Service Marketplace or SAP Developer Network (SDN)
Security | service.sap.com/security
Security Guides | service.sap.com/securityguide
Related SAP Notes | support.sap.com/notes
Released platforms | service.sap.com/platforms
Network security | service.sap.com/securityguide
SAP Solution Manager | support.sap.com/solutionmanager
SAP NetWeaver | sdn.sap.com/irj/sdn/netweaver


3 Technical System Landscape Information

3.1 Technical System Landscape

SAP Supplier Relationship Management (SAP SRM) supports various presentation technologies on which the individual SAP SRM components run. They are used for user access and data transfer. The architecture, determined by the respective presentation technology, is crucial for the security of an SAP SRM system. The architecture determines the security concept.

The figure below shows an overview of the technical system landscape for SAP SRM.

Figure 1: Technical System Landscape for SAP SRM

For more information about the technical system landscape, see the resources listed in the table below.

Table 7

Topic | Guide/Tool | Quick Link to the SAP Service Marketplace or SDN
Technical description for SAP SRM and the underlying components such as SAP NetWeaver | Master Guide | service.sap.com/instguides
High availability | High Availability for SAP Solutions | sdn.sap.com/irj/sdn/ha
Technical landscape design | See applicable documents | sdn.sap.com/irj/sdn/landscapedesign
Security | See applicable documents | sdn.sap.com/irj/sdn/security


3.2 Architecture

The architecture of an SAP Supplier Relationship Management (SAP SRM) system landscape is dependent on the security measures taken. These, in turn, are determined by the data to be transferred and the data channels.

In an SAP SRM system landscape, there are two types of channels for data exchange, both of which require careful attention when securing data exchange over external interfaces:

● Exchange of data using external user interfaces

● Exchange of data and documents using external system interfaces

In both cases, the SAP SRM security concept incorporates a Demilitarized Zone (DMZ) that is delimited by an internal and an external firewall. Within the DMZ there is an application gateway.

Recommendation: We recommend that you use SAP Web Dispatcher. URLs and ports for the systems behind the internal firewall can be configured in any way and are not known to users outside of the external firewall.

In this way, the SAP SRM security concept follows the general SAP security standards that are used on a worldwide basis.

For more information about SAP Web Dispatcher security, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.13 EHP1 > Application Help > SAP Library > Security Information.

Exchange of Data Using External User Interfaces

Data exchange using external user interfaces occurs in SAP SRM in the following ways:

● Data exchange using the application gateway, using either ABAP Web Dynpro Applications or Business Server Pages (BSP) technology

BSP is used for Supplier Self-Services (SUS) and Registration of Suppliers (ROS).

● Data exchange using the Java applet Live Auction Cockpit Web Presentation Server (LACWPS), which is also available using the application gateway

Data Exchange Using the Application Gateway for Applications with Web Front Ends

The following SAP SRM scenarios, where the Web front end is based on ABAP Web Dynpro or BSP technology, work on this principle:

● Self-Service Procurement

● Plan-Driven Procurement

● Service Procurement

● Catalog Content Management

● Analytics

● Strategic Sourcing (with RFx, but without LACWPS)

● Operational Contract Management

The following figure shows the basic representation of the communication paths of the SAP SRM components to the outside, using the application gateway:

Figure 2: Basic Representation of the Communication Paths of the SAP SRM Components to the Outside Using the Application Gateway


The SAP Web Dispatcher functions as an application gateway and is used as a switch between the Internet and your SAP SRM Server system, which consists of one or more SAP NetWeaver Application Servers. This is why you have only one point of access for HTTP(S) requests in your system. SAP Web Dispatcher also balances the load so that the request is always sent to the server with the greatest capacity.

For more information about Web Dynpro ABAP, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.13 EHP1 > Application Help > SAP Library > Security Information.

For more information about SAP Web Dispatcher security, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.13 EHP1 > Application Help > SAP Library > Security Information.

SAP Web Dispatcher is connected to the Internet Communication Manager (ICM) using the internal firewall of the DMZ.

In this way, the SAP SRM security concept, like all other SAP solutions, is entirely based on the general SAP security standards.
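The application-gateway pattern described above (SAP Web Dispatcher in the DMZ as the single HTTP(S) entry point, with the back-end URLs and ports invisible from outside) can be made concrete in the dispatcher profile. The following excerpt is an added illustration and is not configuration from this guide or from SAP: it opens an HTTPS-only listener toward the Internet, re-encrypts toward the SRM back end, and uses a permission table so that only the Web Dynpro ABAP and BSP entry points are reachable while every other URL is denied. The parameter names are standard SAP Web Dispatcher profile parameters; the host name, ports, PSE path and URL prefixes are placeholders that must be replaced with the values of your own landscape.

```ini
# --- Added example: SAP Web Dispatcher profile excerpt (not from the guide) ---
# Host name, ports, PSE path and URL prefixes are placeholders for illustration.

# Accept requests from the Internet on HTTPS only. No plain-HTTP port is opened,
# so the internal firewall only ever sees traffic that arrived encrypted.
icm/server_port_0 = PROT=HTTPS,PORT=443

# Server PSE for the external TLS endpoint (placeholder path).
ssl/server_pse = $(DIR_INSTANCE)/sec/SAPSSLS.pse

# Back-end SRM system behind the internal firewall. The message server address
# and the internal ports never appear in URLs seen by external users.
wdisp/system_0 = SID=SRM, MSHOST=srm-ms.internal.example, MSPORT=8101, SRCSRV=*:443

# Always re-encrypt toward the back end (2 = HTTPS regardless of inbound protocol),
# so there is no HTTP hop inside the landscape.
wdisp/ssl_encrypt = 2

# Do not reveal ICM version or internal details in error pages.
is/HTTP/show_detailed_errors = FALSE

# URL filter: only the listed entry points pass; everything else is denied.
wdisp/permission_table = $(DIR_INSTANCE)/ptab

# --- Contents of the referenced permission table file ($(DIR_INSTANCE)/ptab) ---
# Rules are evaluated top-down; the first match wins.
#   P <prefix>  permit
#   S <prefix>  permit only when the request arrived via HTTPS
#   D <prefix>  deny
# The prefixes must be the ICF services you deliberately activated for external
# users (see the Internet Communication Framework Security section of this guide).
#
#   S /sap/bc/webdynpro/sap/*
#   S /sap/bc/bsp/sap/*
#   S /sap/public/bc/*
#   D *
```

The deny-by-default permission table together with the HTTPS-only listener is what turns "URLs and ports behind the internal firewall are not known outside" from a statement into an enforced control. It is a perimeter filter, not authorization: ICF services on the SAP SRM Server itself must still be deactivated or protected independently, and the permit list should be reviewed whenever a new Web Dynpro or BSP application is exposed.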

The following figure shows the underlying architecture of the system landscape:

System Landscape Architecture

Figure 3: Underlying Architecture of the System Landscape

For external access, a landscape as illustrated in figure 2 is recommended. The landscape enables access constraints to the external-facing portal and Web Dynpro applications using a Web dispatcher configuration.

For more information, see the Portal Security Guide in SAP Library for SAP NetWeaver on SAP Help Portal at

help.sap.com/netweaver SAP NetWeaver 7.13 EHP1 Application Help SAP Library Security Information

Data Exchange Using the Java Applet Live Auction Cockpit Web Presentation Server (LACWPS) 6.0

In the SAP SRM business scenario Strategic Sourcing, a Java applet is loaded in the browser of an external supplier for live auctions. This is not the case for auctions using the sourcing application in SAP Bidding Engine.


The Java applet communicates with the server part of LACWPS on the J2EE Engine 7.3 using the application gateway.

The following figure shows the basic representation of the communication paths of the SAP SRM components including the LACWPS 6.0 to the outside:

Figure 4: Basic Representation of the Communication Paths of the SAP SRM Components Including LACWPS 6.0 to the Outside

The ABAP Web Dynpro technology allows external suppliers in the Strategic Sourcing business scenario to participate in RFXs that are created and evaluated using SAP Bidding Engine. Auctions can be converted into live auctions and are then processed in the LACWPS.

LACWPS is a Java component on presentation level whose runtime environment is the J2EE Engine of SAP Web AS 7.3.

LACWPS consists of a server part that runs on the J2EE Engine and a Java applet that is loaded into the browser of the user, where it is executed locally. The applet communicates with the server part using HTTP(S). The server communicates with SAP SRM Server using RFC. The Java applet for the Live Auction is digitally signed.

Communication between the Java applet and LACWPS occurs using the application gateway that exists in the DMZ, which is just like any HTTP(S)-based communication with the Internet. Communication with the Internet that occurs using HTTP(S) always makes use of the application gateway.

All security aspects are dealt with by SAP NetWeaver Application Server (SAP NetWeaver AS).

Exchange of Data Using External System Interfaces

The following figure shows how data in the form of documents is exchanged using external system interfaces:

Figure 5: Exchange of Data Using External System Interfaces

In an SAP SRM system landscape, SAP NetWeaver Process Integration (SAP NetWeaver PI) is used to transfer data in the form of documents using external system interfaces. SAP NetWeaver PI is again connected to the Internet using the SAP Web Dispatcher that is located in the DMZ.

All security aspects are dealt with by SAP Web Dispatcher and SAP NetWeaver PI.

For more information, see the SAP NetWeaver Process Integration Security Guide in SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.13 EHP1 > Application Help > SAP Library > Security Information.

More Information

For more information about the technical system landscape, see the resources listed in the table below.

Table 8

Topic | Guide/Tool | Quick Link to SAP Service Marketplace or SDN
Technical description for SAP SRM and the underlying components such as SAP NetWeaver | Master Guide | service.sap.com/instguides
High availability (general) | High Availability for SAP Solutions | www.sdn.sap.com/irj/sdn/ha
Technical landscape design | See applicable documents | www.sdn.sap.com/irj/sdn/landscapedesign
Security | See applicable documents | www.sdn.sap.com/irj/sdn/security


4 Security Aspects of Data, Data Flow, and Processes

4.1 Overview of the Business Scenarios

Before you start the security setup, you must decide which SAP Supplier Relationship Management (SAP SRM) components must be installed. You should also have carried out a rough sizing exercise to answer questions on the technical setup.

You can use this Security Guide to define the network structure, for example, firewalls, routers, load balancing, protocols used, and the required configuration of the components, as well as a concept for user administration.

In this section, you can find the Software Component Matrix and details of the components used for each business scenario.

Note: For more information about the individual business scenarios, see the SAP SRM Master Guide on SAP Service Marketplace at service.sap.com/instguides > Installation and Upgrade Guides > SAP Business Suite Applications > SAP SRM > SAP SRM Server 7.14.

4.2 Software Component Matrix

For information about the software components of SAP Supplier Relationship Management (SAP SRM), see the SAP SRM Master Guide on SAP Service Marketplace at service.sap.com/instguides > SAP Business Suite Applications > SAP SRM > SAP SRM Server 7.14.

4.3 SAP Supplier Relationship Management (SAP SRM) Business Scenarios and Relevant Components

The following section provides an overview of the business scenarios and variants available in SAP enhancement package 4 for SAP Supplier Relationship Management 7.0 (SAP SRM 7.04) and a textual description of the relevant components:

● Operational Contract Management

● Service Procurement

○ Service Procurement (Classic)

○ Service Procurement External Staffing

● Strategic Sourcing

○ Strategic Sourcing with RFx


○ Strategic Sourcing with Live Auction

● Plan-Driven Procurement

○ Plan-Driven Procurement with Plant Maintenance

○ Plan-Driven Procurement with Supplier Integration

● Catalog Content Management

● Self-Service Procurement

○ Self-Service Procurement (Classic)

○ Self-Service Procurement (Extended Classic)

● Analytics

○ Spend Analysis

○ Supplier Evaluation

● SAP SRM, Procurement for Public Sector (PPS)

● Supplier Self-Services as Part of Service Procurement and Plan-Driven Procurement

For detailed information about the business scenarios and business processes in SAP SRM, see the SAP SRM master guide on SAP Service Marketplace at service.sap.com/instguides > SAP Business Suite Applications > SAP SRM > SAP SRM Server 7.14.

Recommendation: Because you cannot mix HTTP and HTTPS, we recommend that you use HTTPS to ensure secure connectivity between all of your SAP systems.

Operational Contract Management

Operational Contract Management enables your purchasers to create, change, and monitor central contracts. They can use the catalogs provided as of SAP Enhancement Package 2 for SRM-MDM Catalog 7.0 to add items to contracts. SAP NetWeaver 7.0 Business Intelligence Content Add-On 5 (SAP NetWeaver 7.0 BI Content Add-On 5) is used to perform evaluations. The highest available release of SAP NetWeaver Process Integration (SAP NetWeaver PI) is also necessary in this business scenario to upload external flat files for product category hierarchies and supplier hierarchies. You can distribute central contracts to SAP enhancement package 6 for SAP ERP using Process Integration to use them as a source of supply, or as schedule agreements using IDocs.

The SAP enhancement package 4 for SAP SRM 7.0 Server user interface uses ABAP Web Dynpro technology. The front end of SAP enhancement package 2 for SRM-MDM Catalog 7.0 uses Java Web Dynpro technology. SAP enhancement package 4 for SAP NetWeaver Business Intelligence 7.0 (SAP enhancement package 4 for SAP NetWeaver BI 7.0) is realized using Business Server Pages (BSP) technology.

Depending on the requirements of the SAP enhancement package 4 for SAP SRM 7.0 installation (that is, whether SAP SRM Server 7.14 is to be made available over the Internet) and on the internal security policy, the following steps must be performed:

Mandatory steps

● SAP SRM Server 7.14:

Enable SAP NetWeaver Application Server (SAP NetWeaver AS) 7.40 ABAP SSL (configure HyperText Transfer Protocol with SSL (HTTPS) protocol)

Enable secure RFC connections to the SAP enhancement package 6 for SAP ERP Central Component system to distribute central contracts as schedule agreements

● SRM-MDM Catalog 7.02:

Enable SAP NetWeaver AS 7.40 Java Secure Sockets Layer (SSL)


For more information about Transport Layer Security, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver Release/Language SAP-NetWeaver Library Security Information.

● SAP NetWeaver 7.40:

Enable SAP NetWeaver AS 7.40 ABAP SSL (configure HTTPS protocol)

● Configure SAP NetWeaver Portal for secure access and connection to and from SAP SRM Server 7.14

● Configure SAP NetWeaver Portal for secure access and connection to and from SRM-MDM Catalog 7.02

● Configure SAP NetWeaver Portal for secure access and connection to and from SAP NetWeaver 7.40

● Configure Single Sign-On (SSO) between SAP SRM Server 7.14, SRM-MDM Catalog 7.02, and SAP NetWeaver 7.40

● If required, configure Secure Network Communication (SNC) connections between SAP SRM Server 7.14 and the back-end system

● If required, configure SNC connections between SAP SRM Server 7.03 or your back-end system and SAP NetWeaver 7.40

● If required, connect SAP SRM Server 7.13, SAP SRM Server for supplier self-services (SUS), and SAP SRM-MDM Catalog 7.02 using HTTPS and file transfer protocol with SSL (FTPS) and SNC to SAP NetWeaver PI

For more information, see the SAP NetWeaver Process Integration Security Guide in SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.13 EHP1 Application Help SAP Library Security Information.
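The recommendation above (do not mix HTTP and HTTPS) and the per-scenario step lists reduce to a small set of transport rules: browser, Portal and OCI traffic over HTTPS, flat-file transfer to SAP NetWeaver PI over FTPS, RFC protected with SNC, with HTTPS mandatory for anything reachable from the Internet and otherwise dependent on the internal security policy. The following Python check is an added example, not part of the SAP guide; it reviews a constructed connection inventory against those rules. The `Link` type, the protocol labels and the sample landscape are assumptions made for the example.

```python
"""Added example (not from the SAP guide): review a landscape's connection
inventory against the transport rules of section 4.3."""
from dataclasses import dataclass
from typing import List

# Secure counterpart the guide names for each transport type (labels are ours).
SECURE_FOR = {
    "HTTP": "HTTPS",    # browser / Portal / OCI traffic: enable AS ABAP or AS Java SSL
    "FTP": "FTPS",      # flat-file transfer to SAP NetWeaver PI or the MDM Import Server
    "RFC": "RFC+SNC",   # RFC to the back end, PI or Document Builder: configure SNC
}
SECURE = set(SECURE_FOR.values())


@dataclass(frozen=True)
class Link:
    source: str
    target: str
    protocol: str              # a key or a value of SECURE_FOR
    internet_facing: bool = False   # endpoint reachable from the Internet


def review_links(links: List[Link], policy_requires_https: bool) -> List[str]:
    """Return one finding per link that does not meet the guide's rules."""
    findings: List[str] = []
    # Rule from the Recommendation: once HTTPS is in use, plain HTTP must go.
    uses_https = any(l.protocol == "HTTPS" for l in links)
    for l in links:
        label = f"{l.source} -> {l.target} ({l.protocol})"
        if l.protocol in SECURE:
            continue
        want = SECURE_FOR.get(l.protocol)
        if want is None:
            findings.append(f"{label}: unknown protocol")
        elif l.internet_facing:
            findings.append(f"{label}: Internet-facing, mandatory {want}")
        elif policy_requires_https and l.protocol == "HTTP":
            findings.append(f"{label}: internal policy requires {want}")
        elif l.protocol == "HTTP" and uses_https:
            findings.append(f"{label}: HTTP and HTTPS cannot be mixed, use {want}")
        else:
            # Optional per the guide ("if required, configure SNC / FTPS").
            findings.append(f"{label}: consider {want}")
    return findings


# Constructed sample landscape; system names follow the guide, links are invented.
SAMPLE_LINKS = [
    Link("Browser", "SRM Server 7.14", "HTTPS"),
    Link("Browser", "SUS", "HTTP", internet_facing=True),
    Link("SRM Server 7.14", "ERP back end", "RFC"),
    Link("SRM-MDM Catalog 7.02", "NetWeaver PI", "FTP"),
    Link("Portal", "SRM-MDM Catalog 7.02", "HTTP"),
]

if __name__ == "__main__":
    for finding in review_links(SAMPLE_LINKS, policy_requires_https=False):
        print(finding)
```

Run with an inventory exported from your own landscape documentation; the `policy_requires_https` switch corresponds to the "depending on the internal security policy" clause that recurs in every scenario.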

Service Procurement

The Service Procurement business scenario is used to cover the entire service procurement process.

The SAP SRM Server for Supplier Self-Services (SUS) Web user interface uses Business Server Pages (BSP) technology.

Mandatory steps

● SAP SRM Server for supplier self-services (SUS):

Enable SAP NetWeaver AS 7.40 ABAP SSL (configure HTTPS protocol)

● Configure SAP NetWeaver Portal for secure access and connection to and from SAP SRM Server 7.14

Depending on whether SAP SRM Server 7.14 is also to be made available using the Internet, or depending on the internal security policy, the following might also be necessary:

Further steps

● SAP SRM Server 7.14:

Enable SAP NetWeaver AS 7.40 ABAP SSL (configure HTTPS protocol)

● SAP SRM-MDM Catalog 7.02:

Enable SAP NetWeaver AS 7.40 Java SSL (configure HTTPS protocol)

● SAP NetWeaver 7.40:

Enable SAP NetWeaver AS 7.4 (SAP Web AS ABAP) SSL (configure HTTPS protocol)

● Configure SAP NetWeaver Portal for secure access and connection to and from SAP NetWeaver 7.40

● Configure SSO between SAP SRM Server 7.14, SRM-MDM Catalog 7.02 and SAP NetWeaver 7.40

● If necessary, configure SNC connections between SAP SRM Server 7.14 and the back-end system

● If necessary, configure SNC connections between SAP SRM Server 7.14 or your back-end system and SAP NetWeaver 7.40


● If necessary, connect SAP SRM Server 7.14, SAP SRM Server for supplier self-services (SUS), and SAP SRM-MDM Catalog 7.02 to the highest available release of SAP NetWeaver PI using HTTPS and file transfer protocol with SSL (FTPS) and SNC

For more information, see the SAP NetWeaver Process Integration Security Guide in SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.13 EHP1 Application Help SAP Library Security Information.

Note: The SAP SRM@ERP2005 business scenario Supplier Self-Registration is identical to the above business scenario Service Procurement in the SAP SRM standard.

Strategic Sourcing

Within Strategic Sourcing, RFxs are created in SAP SRM Server 7.14 and suppliers are invited to participate in these RFxs by submitting bids. RFxs can also be converted into Live Auctions. Live auctions occur in Live Auction Cockpit Web Presentation Server 6.0 (LACWPS 6.0), or you can run live auctions on the ABAP server. In Java, Live Auction Cockpit partly runs on a J2EE Engine and a Java applet that communicates with the server. The Java applet is loaded into the user's browser and is run locally. In ABAP, Live Auction Cockpit partly runs on the ABAP server and a Java applet that communicates with the server. The Java applet is delivered to the client using Business Server Pages (BSP) technology. The applet is loaded into the user's browser and run locally.

Mandatory steps


Further steps

● Enable SRM-MDM Catalog 7.02:

SAP NetWeaver AS 7.40 Java SSL (configure HTTPS protocol)

● Enable SAP NetWeaver 7.40:

SAP Web AS 7.40 ABAP SSL (configure HTTPS protocol)

● Configure SAP NetWeaver Portal for secure access and connection to and from SRM-MDM Catalog 7.02

● Configure SAP NetWeaver Portal for secure access and connection to and from SAP NetWeaver 7.40

● If required, configure SNC connections between SAP SRM Server and the back-end system

● If required, configure SNC connections between SAP SRM Server or your back-end system and SAP NetWeaver 7.40

Note: Integration into cFolders

In case of collaborative bidding processes, the Strategic Sourcing business scenario supports integration into cFolders. In the productive environment, the SAP SRM system is located in the intranet zone, while the cFolders system is in the demilitarized zone (DMZ).

Setting up a Remote Function Call (RFC) connection between SAP SRM and the cFolders system is a potential security risk because it opens a system connection from the DMZ which is outside the intranet.

However, this connection can be additionally protected by placing an SAProuter between the systems. SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP Systems, or between SAP Systems and external networks.


The system connection is used exclusively for the RFC protocol. HTTP is not necessary.

For more information, see the cProjects Suite Security Guides at service.sap.com/securityguide.
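The note above says the SAProuter in front of the DMZ connection should carry RFC only, with no HTTP needed. The route permission table below is an added example, not part of the SAP guide, of what that restriction looks like in an saprouttab file: hostnames, the instance number (00, hence gateway service sapgw00) and the comment text are placeholders chosen for the example, and the P (permit) and D (deny) line syntax is the standard saprouttab syntax.

```text
# Constructed saprouttab example (not from the SAP guide). Hostnames and the
# instance number are placeholders; replace them with your own values.
#
# Permit the cFolders host in the DMZ to reach only the gateway service of the
# SAP SRM application server (RFC). The third column is the target service;
# sapgw00 is the gateway of instance 00 (TCP 3300).
P  cfolders-dmz.example.com   srm-app.example.com   sapgw00

# Everything else is denied: no ICM/HTTP port, no dispatcher port, no other
# hosts. Order matters, so the deny-all line comes last.
D  *  *  *
```

Check the effect from the DMZ side with an RFC test destination (transaction SM59 connection test) rather than by opening further ports; a connection attempt to any other service on the SRM host should be rejected by SAProuter and show up in its log.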

Plan-Driven Procurement

Plan-Driven Procurement automates and streamlines ordering processes for core materials that are required regularly. Suppliers can process purchase orders directly in SAP SRM Server for supplier self-services (SUS). The purchase orders are transferred to SAP SRM Server for supplier self-services (SUS) from the back-end system using SAP NetWeaver PI.

The Web front end of SAP SRM Server for supplier self-services (SUS) is realized using Business Server Pages (BSP) technology. Since suppliers log on to SAP SRM Server for supplier self-services (SUS) using the Internet, we recommend the use of the HTTPS protocol for SAP SRM Server for supplier self-services (SUS).

Mandatory steps

● SAP SRM Server for supplier self-services (SUS):

Enable SAP NetWeaver AS 7.40 ABAP SSL (configure HTTPS protocol)

● Configure SAP NetWeaver Portal for secure access and connection to and from SAP SRM Server for supplier self-services (SUS)

Depending on whether SAP SRM Server for supplier self-services (SUS) is also to be made available using the Internet, or depending on the internal security policy, the following might also be necessary:

Further steps

● SAP SRM Server 7.14:

Enable SAP NetWeaver AS 7.40 ABAP SSL (configure HTTPS protocol)

● SAP NetWeaver 7.40:

Enable SAP NetWeaver AS 7.40 ABAP SSL (configure HTTPS protocol)

● Configure SAP NetWeaver Portal for secure access and connection to and from SAP SRM Server 7.14

● Configure SAP NetWeaver Portal for secure access and connection to and from SAP NetWeaver 7.40

● If required, configure SNC connections between SAP SRM Server 7.14 and the back-end system

● If required, configure SNC connections between SAP SRM Server 7.14 or your back-end system and SAP NetWeaver 7.40

● If necessary, connect SAP SRM Server 7.04, SAP SRM Server for supplier self-services (SUS), and SAP SRM-MDM Catalog 7.02 to the highest available release of SAP NetWeaver PI using HTTPS and file transfer protocol with SSL (FTPS) and SNC

For more information, see the SAP NetWeaver Process Integration Security Guide in SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.13 EHP1 Application Help SAP Library Security Information.

For more information about Network and Communication Security, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.13 EHP1 Application Help SAP Library Security Information.

Catalog Content Management

The user interface of the Catalog Content Management business scenario is realized using Java Web Dynpro technology. Catalogs can be uploaded using the file system and the MDM Import Manager in XML or Excel formats. Contract data can be loaded using SAP NetWeaver PI and the MDM Import Manager from SAP SRM Server 7.14 system.


In the scope of a procurement process, transfer of product data from SRM-MDM Catalog 7.02 to SAP SRM Server 7.14 occurs using HTTP(S) in accordance with the Open Catalog Interface (OCI) specification using the user browser.

Mandatory steps

● Enable SAP NetWeaver AS 7.40 ABAP SSL (configure HTTPS protocol)

● Enable SAP NetWeaver AS 7.40 Java SSL (configure HTTPS protocol)

● Configure SAP NetWeaver Portal for secure access and connection to and from SRM-MDM Catalog 7.02

● If required, connect the MDM Import Server port file system of SRM-MDM Catalog 7.02 to SAP NetWeaver PI using FTPS

For more information, see the SAP NetWeaver Process Integration Security Guide in SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.13 EHP1 Application Help SAP Library Security Information.

For more information about SAP NetWeaver Master Data Management (MDM), see SAP Service Marketplace at service.sap.com/installmdm.

Self-Service Procurement

The business scenario Self-Service Procurement enables your employees to create and manage their own requirement requests. They can search in catalogs provided by SAP enhancement package 4 for SRM-MDM Catalog 7.0. SAP NetWeaver 7.0 Business Intelligence Content Add-On 5 (SAP NetWeaver 7.0 BI Content Add-On 5) is used to carry out evaluations.

Mandatory Steps

● SAP SRM Server 7.14:

Enable SAP NetWeaver AS 7.40 ABAP SSL (configure HTTPS protocol)

● SRM-MDM Catalog 7.02:

Enable SAP NetWeaver AS 7.40 Java SSL (configure HTTPS protocol)

● SAP NetWeaver 7.40: Enable SAP NetWeaver AS 7.40 ABAP SSL (configure HTTPS protocol)

● Configure SAP NetWeaver Portal for secure access and connection to and from SAP NetWeaver 7.40

● Configure SAP NetWeaver Portal for secure access and connection to and from SRM-MDM Catalog 7.02

● Configure SAP NetWeaver Portal for secure access and connection to and from SAP NetWeaver 7.40

● Configure SSO between SAP SRM Server 7.14, SRM-MDM Catalog 7.02 and SAP NetWeaver 7.40

● If necessary, configure SNC connections between SAP SRM Server 7.14 and the back-end system

● If necessary, configure SNC connections between SAP SRM Server 7.14 or your back-end system and SAP NetWeaver 7.40

Note: The Self-Service Procurement (Extended Classic) business scenario is almost the same as the Self-Service Procurement (Classic) business scenario, except that it is extended by a SUS system that is connected to the ECC (ERP Central Component) system.

Analytics

Within the Spend Analysis and the Supplier Evaluation business scenarios in SAP enhancement package 4 for SAP SRM 7.0, you are able to consolidate data in SAP enhancement package 4 for SAP NetWeaver Business Intelligence 7.0 (SAP enhancement package 4 for SAP NetWeaver BI 7.0) and to carry out evaluations. The data for this comes from SRM Server 7.14 or its back-end system using Remote Function Call (RFC) or Secure Network Communication (SNC). Users access the reports using a Web front end that is realized using Business Server Pages (BSP) technology.

Note: If SAP enhancement package 4 for SAP NetWeaver Business Intelligence 7.0 (SAP enhancement package 4 for SAP NetWeaver BI 7.0) reports are also made available to suppliers, SAP enhancement package 4 for SAP NetWeaver BI 7.0 has to be accessible using the Internet. If it is only available to the purchasers, it depends on the individual realization of the scenario, that is:

● Should the SAP SRM system landscape be available to the purchasers with the Internet or only with the intranet?

● Does the internal security policy require HTTPS to be used for all Web-based applications?

Mandatory steps:

● Enable SAP NetWeaver AS 7.40 ABAP SSL (configure HTTPS protocol)

● Configure SAP NetWeaver Portal for secure access or connection to and from SRM-MDM Catalog 7.02

● If necessary, configure SNC connections between SAP SRM Server 7.14 or your back-end system and SAP NetWeaver 7.40

SAP SRM, Procurement for Public Sector (PPS)

For SAP SRM, Procurement for Public Sector (PPS), SAP Supplier Relationship Management (SAP SRM) must be deployed as an extended classic scenario. Multi back end deployment is not supported for PPS.

The security guidelines are relevant for the following PPS scenarios:

● Public Sourcing and Tendering

● Contract Management and Administration

● Operational Procurement

● Procurement Services

There are other components such as SAP Document Builder 7.31 that can be used to create documents. SRM-MDM Catalog 7.02 can be used to add items from public catalogs into documents, and SAP enhancement package 4 for SAP NetWeaver Business Intelligence 7.0 (SAP enhancement package 4 for SAP NetWeaver BI 7.0) can be used to carry out evaluations.

The Web front end of SRM-MDM Catalog 7.02 uses Java Web Dynpro technology. SAP enhancement package 4 for SAP NetWeaver BI 7.0 is realized using Business Server Pages (BSP) technology and Java Web Dynpro technology.

Depending on the internal security policy, the following steps are mandatory:

Mandatory Steps

● Role-based access can be provided to the users for accessing specific PPS functions using the Procurement role that is part of a predefined business package of SAP enhancement package 4 for SAP NetWeaver 7.0

● SAP Document Builder 7.31 can be integrated into the SAP SRM Server using the Web services technology or using SAP NetWeaver PI (configure HTTPS protocol for URL)

● SAP SRM Server 7.14:

Enable SAP NetWeaver AS 7.40 ABAP SSL (configure HTTPS protocol)

● SRM-MDM Catalog 7.02:

Enable SAP NetWeaver AS 7.40 Java SSL (configure HTTPS protocol)

● SAP NetWeaver 7.40:

Enable SAP NetWeaver AS 7.40 ABAP SSL (configure HTTPS protocol)

● Configure SAP NetWeaver Portal for secure access and connection to and from SAP SRM Server 7.14

● Configure SAP NetWeaver Portal for secure access and connection to and from SRM-MDM Catalog 7.02

● Configure SAP NetWeaver Portal for secure access and connection to and from SAP NetWeaver 7.40

● Configure SSO between SAP SRM Server 7.14, SRM-MDM Catalog 7.02 and SAP NetWeaver 7.40

● If necessary, configure SNC connections between SAP SRM Server 7.14 and the back-end system

● If necessary, configure SNC connections between SAP SRM Server 7.14 and the SAP Document Builder 7.31 system

● If necessary, configure SNC connections between SAP SRM Server 7.14 or your back-end system and SAP NetWeaver 7.40

Supplier Self-Services as Part of Service Procurement and Plan-Driven Procurement

The Supplier Self-Services (SUS) solution can be used with the Service Procurement, the Plan-Driven Procurement and the Supplier Qualification business scenarios. Depending on the landscape deployment, the solution can be positioned in the intranet or the DMZ. Based on security considerations, the following deployment options are available:

Behind the Firewall Scenario

SUS can be deployed either on a separate server or on SAP SRM Server 7.14. If it is deployed on SAP SRM Server 7.14, SUS can be activated in the same client or in a different one. For security reasons we do not recommend using SUS in the same client as SAP SRM Server 7.14 in your productive environment. In all cases it is mandatory to install the highest available release of SAP NetWeaver PI to enable integration between SAP SRM Server 7.14 and SAP SRM Server for SUS.

For more information, see SAP Note 573383.

Similarly, to deploy the Plan-Driven Procurement business scenario behind the firewall, SUS can be positioned either in a separate server or as an add-on in the same server as the SAP ERP Server.

The Web front end of SAP SRM Server for SUS is realized using Business Server Pages (BSP) technology. Since suppliers log on to SAP SRM Server for SUS using the Internet, we strongly recommend the use of the HTTPS protocol for SAP SRM Server for SUS.

Outside the Firewall Scenario

In this case it is only possible to implement SUS in a separate server, since the connection to procurement systems is achieved using SAP NetWeaver PI.

Mandatory Steps

● SAP SRM Server for supplier self-services (SUS):

Enable SAP NetWeaver AS 7.40 ABAP SSL (configure HTTPS protocol)

● Configure SAP NetWeaver Portal for secure access and connection to and from SAP SRM Server for SUS

● If necessary, connect SAP SRM Server 7.13 and SAP SRM Server for SUS using HTTPS and SNC to the highest available release of SAP NetWeaver PI

● If necessary, configure SNC connections between SAP NetWeaver PI and the back-end system

For more information, see the SAP NetWeaver Process Integration Security Guide in SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.13 EHP1 Application Help SAP Library Security Information.

For more information about Network and Communication Security, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.13 EHP1 Application Help SAP Library Security Information.


5 User Administration and Authentication Information

SAP Supplier Relationship Management (SAP SRM) uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP and Java. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide and SAP NetWeaver Application Server Java Security Guide also apply to SAP SRM.

In addition to these guidelines, the following topics supply information about user administration and authentication that specifically apply to SAP SRM:

● User Administration and Authentication [page 24]

This topic describes how user data is protected from unauthorized access and the aspects of authorization.

● User Management [page 25]

This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with SAP SRM.

● Integration into Single Sign-On Landscapes [page 26]

This topic describes how SAP SRM supports Single Sign-On mechanisms.

5.1 User Administration and Authentication

SAP Supplier Relationship Management (SAP SRM) uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP and Java. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide and in the SAP NetWeaver Application Server Java Security Guide also apply to SAP SRM.

For more information about the SAP NetWeaver Application Server ABAP Security Guide, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.13 EHP1 Application Help SAP Library Security Guide Security Guide for the AS ABAP.

For more information about the SAP NetWeaver Application Server Java Security Guide, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.13 EHP1 Application Help SAP Library Security Guide Security Guide for the AS JAVA.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to SAP SRM in the following topics:

● User Management

This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with SAP SRM.

● Integration into Single Sign-On Environments

This topic describes how SAP SRM supports Single Sign-On mechanisms.


5.2 User Management

User management for SAP SRM uses the mechanisms provided with the SAP NetWeaver Application Server ABAP and Java, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for SAP SRM, see the sections below.

User Administration Tools

The table below shows the tools to use for user management and user administration with SAP SRM.

Table 9: User Management Tools

Tool | Detailed Description

User and role maintenance with SAP NetWeaver AS ABAP (transactions SU01, PFCG) | For more information about user and role maintenance with SAP NetWeaver AS ABAP, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.13 EHP1 Application Help SAP Library Security Guide.

User Management Engine with SAP NetWeaver AS Java | For more information about user and role maintenance with SAP NetWeaver AS Java, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.13 EHP1 Application Help SAP Library Security Guide.

Transaction USERS_GEN | For a detailed description of the transaction, including prerequisites that must be fulfilled, see Customizing for SAP Supplier Relationship Management under SRM Server Master Data Create Users Import Users from File or from Other System.

Create Supplier | For more information, see SAP Help Portal for SAP Supplier Relationship Management under help.sap.com SAP Supplier Relationship Management SAP SRM 7.3 EHP4 Application Help SAP Library Master Data User and Employee Data.

Maintain Employee Data | For more information, see SAP Help Portal for SAP Supplier Relationship Management under help.sap.com SAP Supplier Relationship Management SAP SRM 7.3 EHP4 Application Help SAP Library Master Data User and Employee Data.

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run. The user types that are required for SAP SRM include the following:

● Dialog users are used for accessing SAP SRM Web Dynpro applications.

● Technical users:

○ Communication users are used in creating SPML connections.

○ Background users include WF_BATCH, CLEAN_REQREQ_UP and BBP_STATUS2 users.


For more information about these user types, see the SAP NetWeaver AS ABAP Security Guide in the SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.3 EHP1 Application Help SAP Library Security Information Security Guide Security Guide for the AS ABAP.

SAP Supplier Relationship Management (SAP SRM) supports user authentication with user accounts and passwords. It also supports user authentication using X.509 certificates, which enables integration with public key infrastructure.

SAP SRM supports PFCG roles and SAP NetWeaver Portal roles.

New users can only be created by the user administrator or by a manager. A user administrator or manager must also approve the actual release of a new account if a new user created it by self-registration.

Standard Users

We do not deliver standard users with SAP SRM.

Recommendation: We recommend changing the user IDs and passwords for users that are automatically created during installation. In SAP SRM, users are automatically created if you create an organizational structure in transaction PPOMA by extracting a structure from the back-end system.

5.3 Integration into Single Sign-On Landscapes

SAP Supplier Relationship Management (SAP SRM) supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide also apply to SAP SRM. For more information about the SAP NetWeaver Security Guide, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.3 EHP1 Application Help SAP Library Security Information.

For more information about user authentication, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.3 EHP1 Application Help SAP Library Security Information.


6 Authorization Information

SAP Supplier Relationship Management (SAP SRM) uses the authorization concept provided by the SAP NetWeaver AS ABAP or AS JAVA. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP and SAP NetWeaver AS Security Guide Java also apply to SAP SRM.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’s user administration console on the AS Java.

Note: For more information about role maintenance, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver SAP NetWeaver 7.3 EHP1 Application Help SAP Library Security Information.

6.1 Authorizations

In SAP Supplier Relationship Management (SAP SRM), one or more predefined roles are assigned to each user or user account. Depending on the role, the user is authorized to carry out certain transactions and access certain data. In addition, each user or user account is assigned to its company and/or organizational unit. By way of this assignment, the user inherits additional attributes that further restrict access.

In the standard SAP SRM delivery, customers receive predefined role templates which they can adapt to their specific requirements. The roles must be copied to the customer namespace and maintained there. The standard roles include roles for managers, employees, and so on.

Individual users access SAP SRM transactions and data using their browsers and in doing so transfer sensitive, confidential data. This information must be protected against unauthorized access. As standard, this is taken care of by encrypting all data in transit between the Web server and the browser. SAP SRM follows the standard in this case and supports HyperText Transfer Protocol over SSL (HTTPS).

Roles for System Configuration

Users who want to set up or configure an SAP SRM Server system are assigned to the SAP SRM Administrator role, which provides them with the required authorizations. The required Customizing authorizations ensure that these setup users are able to carry out Customizing projects.

For more information, see help.sap.com/netweaver SAP NetWeaver 7.3 EHP1 Application Help SAP Library Security Information Security Guide User Administration and Authentication User Management .

Caution: SAP SRM does not supply separate Customizing or setup roles. Instead, you should use the functions provided in Role Maintenance using transaction PFCG. Here, you can define a role corresponding to your individual Customizing project, with all the authorizations you need to access the corresponding Customizing activities.


As of SRM 7.03, no new roles are delivered. Roles that are valid for SRM 7.02 are valid for SRM 7.03 as well.

6.2 Business Add-In to Restrict Visibility of Product Categories

By default, the input help for product categories, which users with the bidder role can open during bid processing or RFx response processing, displays all available product category values. If you want to restrict the visibility of product category values for users with the bidder role, you can do this by implementing the method GET_CATEGORY in the Business Add-In (BAdI) BBP_F4_READ_ON_EXIT. Once the BAdI has been implemented, only those product category values that were returned by GET_CATEGORY can be selected by the user.

6.3 RFC Authorization Checks

It is important to create an authorization concept that limits the number of RFC authorizations that you need. The RFC authority check is automatically provided by the RFC framework.

For more information about configuring authorizations for RFC-enabled function modules, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information.


7 Session Security Protection

To prevent JavaScript or browser plug-ins from reading the SAP logon ticket and the security session cookie(s), we recommend activating secure session management. We also strongly recommend using SSL/TLS to protect the network connections over which these security-relevant cookies are transferred.

Session Security Protection on the AS ABAP

To prevent JavaScript or browser plug-ins from reading the SAP logon ticket (MYSAPSSO2) and the security session cookie(s) (SAP_SESSIONID_<sid>_<client>), activate HTTP security session management in transaction SICF_SESSIONS. With an existing security session, users can then start applications that require a user logon without logging on again. When a security session is ended, the system also ends all applications that are linked to it. In addition, set the following profile parameters in your AS ABAP system:

Table 10: Session Security Protection Profile Parameters

Profile Parameter                  Recommended Value  Comment
icf/set_HTTPonly_flag_on_cookies   0                  Client-dependent. The value is a bitmask: 0 sets the HttpOnly attribute on all cookies, higher values exempt specific cookies, so 0 is the strict setting.
login/ticket_only_by_https         1                  Not client-dependent. The logon ticket cookie is issued with the Secure attribute, so browsers send it over HTTPS only.

For more information about activating HTTP security session management on AS ABAP, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.1 EHP1 > Application Help > SAP Library > Security Information.
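The following Python script is an added example, not part of the SAP guide, that performs two offline checks of the settings above. It parses an AS ABAP profile file ('name = value' lines, as in DEFAULT.PFL or an instance profile) and reports the two parameters where they deviate from the recommended values, and it inspects the Set-Cookie headers of a captured HTTPS response for the SAP_SESSIONID_<sid>_<client> and MYSAPSSO2 cookies, which is the browser-visible effect the parameters are meant to produce. The profile excerpt and the response headers are constructed samples. The reading of icf/set_HTTPonly_flag_on_cookies as a bitmask where 0 covers all cookies comes from SAP's parameter documentation, not from this guide, and is an assumption of the example.

```python
"""Offline checks for the AS ABAP session-security settings listed above.

Check 1 parses an SAP profile file ('name = value' per line) and reports
parameters that deviate from the recommended values.  Check 2 inspects
Set-Cookie headers from a captured HTTPS response and reports SAP security
cookies that lack the HttpOnly or Secure attribute.
All sample data below is constructed for the example.
"""
import re

# Recommended values from Table 10.  icf/set_HTTPonly_flag_on_cookies is a
# bitmask according to SAP's parameter documentation (assumption, not stated
# in this guide): 0 adds HttpOnly to every ICF cookie, higher values exempt
# specific cookies.
RECOMMENDED = {
    "login/ticket_only_by_https": "1",
    "icf/set_HTTPonly_flag_on_cookies": "0",
}

# SAP_SESSIONID_<SID>_<client> carries the HTTP security session,
# MYSAPSSO2 carries the SAP logon ticket.
SECURITY_COOKIE = re.compile(r"^(SAP_SESSIONID_[A-Z0-9]{3}_\d{3}|MYSAPSSO2)$")


def parse_profile(text):
    """Return {parameter: value} from profile text; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def check_profile(text):
    """Return {parameter: (actual, recommended)} for every deviation.

    A parameter absent from the profile is reported with actual=None, since
    the kernel default then applies and may well be the weak setting."""
    params = parse_profile(text)
    return {
        name: (params.get(name), want)
        for name, want in RECOMMENDED.items()
        if params.get(name) != want
    }


def check_set_cookies(headers):
    """headers: iterable of (name, value) pairs from one HTTP response.

    Returns {cookie_name: [missing attributes]} for SAP security cookies
    that are set without HttpOnly and/or Secure."""
    problems = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [part.strip() for part in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        if not SECURITY_COOKIE.match(cookie_name):
            continue
        attrs = {part.split("=", 1)[0].lower() for part in parts[1:]}
        missing = [a for a in ("httponly", "secure") if a not in attrs]
        if missing:
            problems[cookie_name] = missing
    return problems


# Constructed instance profile excerpt with both parameters set weakly.
SAMPLE_PROFILE = """\
# constructed instance profile excerpt
SAPSYSTEMNAME = SRM
login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 3
"""

# Constructed response headers as a browser would receive them from that system.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sap-usercontext=sap-client=100; path=/"),
    ("Set-Cookie", "SAP_SESSIONID_SRM_100=abc123; path=/; HttpOnly"),
    ("Set-Cookie", "MYSAPSSO2=AjQxMDMB; path=/; domain=.example.com"),
]

if __name__ == "__main__":
    for name, (actual, want) in check_profile(SAMPLE_PROFILE).items():
        print(f"profile: {name} = {actual!r}, recommended {want}")
    for cookie, missing in check_set_cookies(SAMPLE_HEADERS).items():
        print(f"cookie: {cookie} lacks {', '.join(missing)}")
```

Run the cookie check against a real response captured with the browser's developer tools after both parameters have been set and the instance restarted; a session cookie that still arrives without HttpOnly, or a logon ticket without Secure, means the change has not taken effect in that client.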

Session Security Protection on the AS Java

In the Config Tool, edit the following properties for the Web Container service, which control security-related aspects of HTTP sessions:

Table 11

Property                      Recommended Value
SessionIdRegenerationEnabled  true
SystemCookiesDataProtection   true
SystemCookiesHTTPSProtection  true

For more information about session security protection, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.1 EHP1 > Application Help > SAP Library > Security Information.


8 Network and Communication Security

Your network infrastructure is important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, intruders have far fewer ways to compromise the machines and gain access to the back-end system's database or files. Additionally, if users cannot connect to the LAN (local area network) server, they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for the SAP Supplier Relationship Management (SAP SRM) solution is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to SAP SRM.

Details that specifically apply to SAP SRM are described in the following topics:

● Communication Channel Security [page 30]

This topic describes the communication paths and protocols used by SAP SRM.

● Network Security [page 33]

This topic describes the recommended network topology for SAP SRM. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate SAP SRM.

● Communication Destinations [page 33]

This topic describes the information needed for the various communication paths, for example, which users are used for which communications.

For more information about Network and Communication Security, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information.

8.1 Communication Channel Security

This section deals with measures to protect data transfer from unauthorized access.

Data is transferred by means of HTTPS (SSL/TLS encryption), as elsewhere in SAP system landscapes. HTTPS refers to HTTP (HyperText Transfer Protocol) connections that are protected with the Secure Sockets Layer (SSL) protocol or its successor, Transport Layer Security (TLS).

Recommendation: We strongly recommend using secure protocols (SSL/TLS, SNC) whenever possible.


Caution: Use the same protocol, either HTTP or HTTPS, consistently in all system objects. All deployed objects must be configured in exactly the same way regarding HTTP(S). This is necessary to avoid problems caused by JavaScript-based communication between the individual layers, which browsers block when content from an HTTPS page tries to reach an HTTP endpoint.

The mechanisms to use for transport layer security and encryption depend on the protocols used. For Internet protocols such as HTTP, you can use the SSL protocol to provide the protection. For SAP protocols such as dialog and Remote Function Call (RFC), you can use Secure Network Communication (SNC) connections.

For more information about SAP NetWeaver Process Integration Security, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information.

For more information about Network and Communication Security, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information > Security Guide > Security Guide for the AS ABAP.

The following sections under Network and Communication Security are particularly relevant:

● Basic Network Topology for SAP Systems

● Network Services

● Using Firewall Systems for Access Control

○ Application-Level Gateways Provided by SAP

○ Example Network Topology Using a SAProuter

○ Example Network Topology When Using SAP Remote Services

● Using Multiple Network Zones

● Transport Layer Security

○ Secure Network Communications (SNC)

○ SNC-Protected Communication Paths in SAP Systems

● Additional Information on Network Security

Enabling SSL (HTTPS) for SAP NetWeaver Application Server (SAP NetWeaver AS)

This section is relevant for all Web applications that are based on ABAP Web Dynpro or on BSP.

This safeguards data against unauthorized access when business data is exchanged between SAP SRM and external systems, especially in the case of data exchange with supplier systems using the Internet.

The electronic exchange of business data between SAP SRM and a connected supplier must also be protected. Purchase orders and shipping notifications contain confidential information that an SAP SRM customer wants to protect from unauthorized access. Here, SAP SRM again makes use of standard Internet features. With the HTTP adapter, SAP NetWeaver Process Integration (formerly SAP NetWeaver Exchange Infrastructure) supports HTTPS, which protects all data during the entire transfer from the sending system to the receiving system. For the mutual authentication of the participating systems, SAP SRM relies on the exchange of X.509 certificates.

The communication channels within the SAP SRM system landscape can be secured using HTTPS (SSL/TLS). However, encryption only achieves overall security if it is applied to all channels consistently; a single unprotected hop exposes the data that the other channels protect.

For more information, and before making the SSL settings for the SAP Web AS 7.3, see Transport Layer Security under SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information.


SAP NetWeaver Portal and Web Dynpro SSL Configuration

Enter SSL in SAP NetWeaver Portal system maintenance for the SAP SRM system entry. Enable SSL for SAP NetWeaver Portal server as well.

For more information about Transport Layer Security, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information.

Enabling SSL for J2EE 7.40

This section is relevant if you want to implement the SAP SRM scenario Strategic Sourcing with LACWPS 6.0. LACWPS runs on the J2EE of SAP Web AS 7.40. This section is not relevant for you if you are planning to use Live Auction on ABAP.

For more information about configuring SSL for LACWPS 6.0, see help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information.

Secure Connection of Application Systems to SAP NetWeaver Process Integration (SAP NetWeaver PI)

All SAP NetWeaver PI runtime components using the HTTP protocol support the encryption of the HTTP data stream using the SSL protocol, also known as HTTPS.

Unless transport layer encryption is configured, data is transmitted through the network (intranet or Internet) in plain text. This also applies to the transmission of passwords. To maintain the confidentiality of your data, apply transport layer encryption to the connections between the business systems, the integration server, the adapters, and the Web browser.

Recommendation: We recommend that you use encryption when you transmit passwords, orders, company-specific information, or any other data that you consider sensitive.

You can use SSL or Secure Network Communication SNC to increase the security of the following connections:

● Between adapters and integration server

● Between business systems and integration server

● Between Partner Connectivity Kit (PCK) and integration server

● Between business systems and adapters

Adapters, business systems, and integration servers communicate with each other using the RFC or HTTP protocol. To secure the protocol, use either SNC or SSL.

For more information about SAP NetWeaver Process Integration Security, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information.

Integration of SAP enhancement package 3 for SAP SRM 7.0 into SAP NetWeaver Portal

Ensure that you have downloaded all relevant portal roles for SAP SRM Server 7.14 from SAP Service Marketplace at service.sap.com/swdc.

For more information, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information.

● The SAP NetWeaver Portal and the connected back-end systems must use the same protocol. This means they must both either use HTTP, or HTTPS; no other combination is possible.


● The SAP NetWeaver Portal and the connected back-end system must be in the same domain.

● If you wish to implement your own SAP SRM Server ABAP 7.13 Web Dynpro based applications, you must ensure that the iViews have Enterprise Portal Client Framework (EPCF) level "2".

Secure E-Mail Use in SAP SRM

Both offline approval and offline bidding require e-mail transfer. Because these e-mails carry business data and, in the case of offline approval, approval decisions, protect them with e-mail encryption and digital signatures.

For more information about offline approval and offline bidding, see SAP Library on SAP Help Portal at help.sap.com/businesssuite > Supplier Relationship Management (Release/Language) > Application Help.

8.2 Network Security

SAP Supplier Relationship Management (SAP SRM) is a solution with many external interfaces, including interfaces to the Internet. This makes SAP SRM vulnerable to attempts from outsiders to access confidential data. Studies have shown that unauthorized access by internal employees also represents a considerable risk. As a pure business solution, SAP SRM can offer protection in this regard based on the authorization concept within SAP NetWeaver Application Server (SAP NetWeaver AS).

For more information about user management, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information.

SAP SRM is embedded in a comprehensive protection concept that offers protection on a physical level and also, through additional firewalls, protected access to all levels of an IT infrastructure.

We recommend that you protect the different SAP SRM components using appropriate firewalls. This includes setting up a DMZ (Demilitarized Zone) that protects all critical components from direct access using the Internet. We also recommend that you install protection against access to the entire data store of the various SAP SRM applications components.

● For more information about Using Firewall Systems for Access Control, see the Portal Security Guide in SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information.

● For more information on the settings for Secure Network Communications (SNC), see the Security Guides for the Application Server in the Portal Security Guide in SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information.

8.3 Communication Destinations

SAP Supplier Relationship Management (SAP SRM) does not deliver any Remote Function Call (RFC) destinations.

The following table shows an overview of the systems and components relevant for SAP SRM. For detailed information about all relevant communication destinations for SAP SRM such as RFC, IDoc, and so on, as well as information about the authorizations required by the communication users in SAP SRM, see SAP Solution Manager under Solutions/Applications > SAP SRM > Configuration > SAP SRM 7.0 EHP 2 > Basic Settings for SAP SRM > System Connections.

Table 12

Destination                                     Delivered  Type
SAP ERP (Classic Scenario)                      No         RFCs and SOA services
SAP ERP (Extended Classic Scenario)             No         RFCs and IDocs
SAP Customer Relationship Management (SAP CRM)  No         RFCs and SOA services
Collaboration Projects (cPro)                   No         XML communication using SAP NetWeaver Process Integration (SAP NetWeaver PI) (Web services)
cFolders                                        No         RFCs
Global Trade Services (GTS)                     No         RFCs and SOA services
SAP Sourcing OnDemand                           No         SOA services
Supplier Self-Services (SUS)                    No         RFCs, Web services using XML communication, and SOA services
MM, Self-Service Procurement in SAP ERP         No         RFCs and Web services using XML communication
SAP NetWeaver PI                                No         RFCs
SRM-MDM Server                                  No         XML communication using SAP NetWeaver PI and File Transfer Protocol (FTP)

Note that FTP transmits credentials and file contents in clear text. Confine the file transfer to the SRM-MDM server to a protected network segment, or tunnel it, and use a dedicated FTP account with access restricted to the exchange directory.

For more information about the recommended profile for the RFC user, see SAP Note 642202.


9 Internet Communication Framework Security

You should only activate those services that are needed for the applications running in your system.

You should activate the following services for SAP Supplier Relationship Management (SAP SRM):

● For SAP SRM, the services under the following namespaces are needed:

○ /sap/bc/webdynpro/sapsrm
○ /sap/bc/srm
○ /sap/bc/bsp/sapsrm
○ /sap/sapsrm/
○ /default_host/sap/bc/srm
○ /default_host/sap/bc/webdynpro/sapsrm
○ /default_host/sap/bc/bsp/sapsrm

● If you are using NetWeaver Business Client, activate the services under /default_host/sap/bc/nwbc/srm.

● If you are using Procurement for Public Sector (PPS), activate the services under /default_host/sap/bc/webdynpro/sappssrm.

● If you are using Live Auction Cockpit, activate the service /sap/lacmessaging.

Use transaction SICF to activate these services.

If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings accordingly.
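As an added example that is not part of the SAP guide, the following Python script compares the active ICF nodes of a system with the allow-list above, so that anything activated beyond the SRM namespaces shows up. The list of active nodes is a constructed sample standing in for what you would collect from transaction SICF; the optional namespaces for NetWeaver Business Client, PPS and Live Auction Cockpit are switched on by feature flags, and the node names in the sample that lie outside the allow-list are illustrative only.

```python
"""Compare the active ICF service nodes of an SAP SRM system with the
allow-list of namespaces given in this chapter.

The list of active nodes is a constructed sample; in practice collect it
from transaction SICF.  Example code added to this page, not part of the
SAP guide.
"""

# Namespaces that SAP SRM needs (from the list above).
BASE_ALLOWED = (
    "/sap/bc/webdynpro/sapsrm",
    "/sap/bc/srm",
    "/sap/bc/bsp/sapsrm",
    "/sap/sapsrm/",
)

# Namespaces that are only needed when the corresponding component is used.
OPTIONAL_ALLOWED = {
    "nwbc": ("/default_host/sap/bc/nwbc/srm",),
    "pps": ("/default_host/sap/bc/webdynpro/sappssrm",),
    "lac": ("/sap/lacmessaging",),
}


def normalize(path):
    """Canonical form of an ICF path: lower-case, without the default virtual
    host prefix and without a trailing slash, so that
    /default_host/sap/bc/srm and /sap/bc/srm/ compare equal."""
    path = path.strip().lower()
    if path.startswith("/default_host/"):
        path = path[len("/default_host"):]
    return path.rstrip("/") or "/"


def allowed_prefixes(features=()):
    """Allow-list for the given optional features, e.g. ('nwbc', 'lac')."""
    prefixes = list(BASE_ALLOWED)
    for feature in features:
        prefixes.extend(OPTIONAL_ALLOWED[feature])
    return [normalize(p) for p in prefixes]


def is_allowed(path, prefixes):
    """True if path is an allowed node or lies below one.

    The separator check matters: /sap/bc/srm must not cover /sap/bc/srmx."""
    p = normalize(path)
    return any(p == a or p.startswith(a + "/") for a in prefixes)


def unexpected_active(active_nodes, features=()):
    """Return the active nodes that fall outside every allowed namespace."""
    prefixes = allowed_prefixes(features)
    return sorted(node for node in active_nodes if not is_allowed(node, prefixes))


# Constructed sample of active nodes; the last three are illustrative of
# nodes that were activated although SRM does not need them.
SAMPLE_ACTIVE = [
    "/default_host/sap/bc/webdynpro/sapsrm/example_app",
    "/default_host/sap/bc/srm/",
    "/default_host/sap/bc/bsp/sapsrm/example_bsp",
    "/sap/sapsrm/",
    "/default_host/sap/bc/nwbc/srm",
    "/sap/lacmessaging",
    "/default_host/sap/bc/webdynpro/sap/wdr_test_ui_elements",
    "/default_host/sap/bc/soap/rfc",
    "/default_host/sap/public/info",
]

if __name__ == "__main__":
    for node in unexpected_active(SAMPLE_ACTIVE, features=("nwbc", "lac")):
        print("active but not in the SRM allow-list:", node)
```

Treat every node the script reports as a candidate for deactivation in SICF, and review the same list against the URL filter of the firewall: a node that is active in the system but blocked at the firewall still needs to be justified, since it remains reachable from the internal network.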

For more information about Activating and Deactivating ICF Services, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.0 EHP1 > Application Help > SAP Library > Activating and Deactivating ICF Services.

For more information, see the RFC/ICF Security Guide in SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.0 EHP1 > Application Help > SAP Library > RFC/ICF Security Guide.


10 Data Storage Security

SAP Supplier Relationship Management (SAP SRM) runs using SAP standard technologies only and does not use any external tools. The UI is realized using ABAP Web Dynpro. This means that there are no persistent cookies and no authentication data beyond the usual amount.

For more information about the use of ABAP Web Dynpro, see help.sap.com > SAP NetWeaver > SAP NetWeaver Platform > SAP NetWeaver 7.4 > Security Information > Security Guide > Security Guides for SAP NetWeaver According to Usage Types > Security Aspects for Usage Type DI and Other Development Technologies.

Data Storage

Security-relevant and personal data (for users and business partners) is stored in the standard SAP database tables. Access to these tables is protected by the SAP authorization checks.


11 Enterprise Services Security

The following chapters in the NetWeaver Security Guide and documentation are relevant for all enterprise services delivered with SAP Supplier Relationship Management (SAP SRM):

● For more information about the Security Aspects for Web Services, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information > Security Guides > Web Services.

● For more information about the Recommended WS Security Scenarios, see the Portal Security Guide in SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information > Security Guides > Portal Security Guide.

● For more information about the SAP NetWeaver Process Integration Security Guide, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information > Security Guides > Portal Security Guide.

For SAP SRM-specific security issues, note that enterprise services have been created to enable the following:

● Secure communication between the SAP SRM system and the supplier's system outside the firewall.

● Back-end system integration

Recommendation: We recommend using principal propagation when setting up SOA services, so that the identity of the calling user is forwarded to the receiving system instead of a shared technical user. For more information, see SAP Library on SAP Help Portal at help.sap.com > Technology Consultant's Guide > Enabling Business-to-Business Processes > Small Business Partner and Subsidiary Integration > Configuration of Usage Type Process Integration (PI) > Communication and Security > Configuration of Principal Propagation > Configuring the Sender.


12 Auditing and Logging

This function allows users to log changes on various SAP objects to appraise and retrace them. To fulfill the legal auditing and logging requirements, SAP NetWeaver provides standard tools and functions.

For more information about Auditing and Logging, see the Portal Security Guide in SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver 7.3 EHP1 > Application Help > SAP Library > Security Information > Security Guides > Auditing and Logging.

This section specifies the most relevant items regarding auditing and logging in SAP SRM.

Details

Version History of SU01-User and Business Partner

SU01-User

The user information system provides you with information about users, roles, profiles, authorizations, and related objects.

The following figure shows the navigation within the user information system:

Figure 6: Navigation in the User Information System

You can use the standard transaction SU01 under Information Change Documents for Users to display a log table. You can also use transaction SUIM to enter the User Information System that provides you with a wide range of functions relating to user history.

The following figure shows a table that lists all the actions that have changed user data so far:


Figure 7: Changed Documents

Business Partner

You can use the standard transaction BP under Extras Change History For This Partner to display a log table that depends on a selected field.

The following figure shows all the changes that were ever carried out:


Figure 8: Changes Made

The following figure shows that the change log can be detailed on field level:

Figure 9: Change Log on Field Level


Change Documents of Business Documents

Change documents are another logging tool available to you. A change document logs changes to a business object. You access the change documents by selecting Tracking Change Documents from within the corresponding business document.

The following figure shows every change made to the business document down to the field level:

Figure 10: Business Document Changes

Change Documents Specific to SAP SRM Infotypes

You can use the standard transaction PPOMA_BBP to monitor changes to the following set of tab cards:

Table 13

Tab Card             Infotypes
Function             5500 EBP Function
Responsibility       5501 EBP Product Responsibility
Extended Attributes  5502 EBP Location
                     5503 EBP Order Value Limits

You activate change documents in the Customizing table T77CDOC_CUST.

The report RHCDOC_DISPLAY enables you to display the change documents created for changes made to personnel planning infotypes.

The following figure shows the change documents created for personnel planning infotypes:


Figure 11: Infotype Document Changes

Note that the system performance deteriorates if you activate the creation of change documents for all personnel planning infotypes. Therefore, you should only activate the creation of change documents for the combination of plan version, object type, and infotype or subtype for which you require this function.

Application Monitoring

In addition to the previous document changes, SAP SRM provides an application monitor to evaluate various critical system and document statuses and changes. The main purpose of the monitor is to monitor the errors of the business documents.

The monitoring results are only available in the portal to the administrator and are presented in graphical form in an iView in the Administration Work Center. Authorization to view and process alerts is handled by portal role and iView assignment, as well as in authorization object BBP_FUNCT (MON_ALERTS). The monitoring information is read from the SAP SRM backend, and is recorded in the Statistic Records in CCMS (monitors under: SAP Enterprise Buyer Monitors).

The following figure shows the SAP Enterprise Buyer Monitor:


Figure 12: SAP Enterprise Buyer Monitor


13 Services for Security Lifecycle Management

The following services are available from Active Global Support to assist you in maintaining security in your SAP systems on an ongoing basis.

Security Chapter in the EarlyWatch Alert (EWA) Report

This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you the following:

● Whether SAP Security Notes have been identified as missing on your system.

In this case, analyze and implement the identified notes, if possible. If you cannot implement the notes, the report should be able to help you decide on how to handle the individual cases.

● Whether an accumulation of critical basis authorizations has been identified.

In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not, correct the situation. If you consider the situation okay, you should still check for any significant changes compared to former EWA reports.

● Whether standard users with default passwords have been identified on your system.

In this case, change the corresponding passwords to non-default values.

Security Optimization Service (SOS)

The Security Optimization Service can be used for a more thorough security analysis of your system, including:

● Critical authorizations in detail

● Security-relevant configuration parameters

● Critical users

● Missing security patches

This service is available as a self service within the SAP Solution Manager or as a remote or on-site service. We recommend you use it regularly (for example, once a year) and in particular after significant system changes or in preparation of a system audit.

Security Configuration Validation

The Security Configuration Validation can be used to continuously monitor a system landscape for compliance to predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers configuration parameters, but it also covers critical security properties like the existence of a non-trivial Gateway configuration or making sure standard users do not have default passwords.

Security in the RunSAP Methodology / Secure Operations Standard

With the E2E Solution Operations Standard Security service, a best practice recommendation is available on how to operate SAP systems and landscapes in secure manner. It guides you through the most important security operation areas and links to detailed security information from SAP’s knowledge base wherever appropriate.


More Information

For more details on these services, see the following:

● EarlyWatch Alert: support.sap.com/support-programs-services/services/earlywatch-alert.html

● Security Optimization Service / Security Notes Report: service.sap.com/sos

● Comprehensive list of Security Notes: service.sap.com/securitynotes

● Configuration Validation: service.sap.com/changecontrol

● RunSAP Roadmap, including the Security and the Secure Operations Standard: service.sap.com/runsap

See the RunSAP chapters 2.6.3, 3.6.3 and 5.6.3


14 Data Protection

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes the specific features and functions that SAP provides to support compliance with the relevant legal requirements and data privacy.

This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.

Note: In the majority of cases, compliance with data privacy laws is not a product feature. SAP software supports data privacy by providing security features and specific data-protection-relevant functions such as functions for the simplified blocking and deletion of personal data. SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.

Table 14

Term                  Definition
Personal data         Information about an identified or identifiable natural person.
Business purpose      A legal, contractual, or otherwise justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.
Blocking              A method of restricting access to data for which the primary business purpose has ended.
Deletion              Deletion of personal data so that the data is no longer usable.
Retention period      The time period during which data must be available.
End of purpose (EoP)  A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization.

Some basic requirements that support data protection are often referred to as technical and organizational measures (TOM). The following topics are related to data protection and require appropriate TOMs:

● Access control: Authentication features as described in User Administration and Authentication [page 24].

● Authorizations: Authorization concept as described in section Authorization Information [page 27]

● Read Access Logging: As described in section Read Access Logging [page 49]

● Availability control as described in the following sections:


○ Data Storage Security [external document]

○ SAP NetWeaver Database Administration documentation Function-Oriented View Data Administration.

○ SAP Business Continuity documentation in the SAP NetWeaver Application Help under Function-Oriented View Solution Life Cycle Management SAP Business Continuity

● Separation by purpose: This is subject to the organizational model implemented and must be applied as part of the authorization concept.

CautionThe extent to which data protection is ensured depends on secure system operation. Network security, security note implementation, adequate logging of system changes, and appropriate usage of the system are the basic technical requirements for compliance with data privacy legislation and other legislation.

Configuration of Data Protection Functions

Certain central functions that support data protection compliance are grouped in Customizing for Cross-Application Components under Data Protection. Additional industry-specific, scenario-specific or application-specific configuration might be required.

For information about the application-specific configuration, see the application-specific Customizing in SPRO.

14.1 Deletion of Personal Data

The components SAP_APPL, ERP_SRM and SRM standalone (SRM_SERVER, BBP) might process data (personal data) that is subject to the data protection laws applicable in specific countries, as described in SAP Note 1825544. The SAP Information Lifecycle Management (ILM) component supports the entire software lifecycle, including the storage, retention, blocking, and deletion of data. SAP_APPL, ERP_SRM and SRM standalone (SRM_SERVER, BBP) use SAP ILM to support the deletion of personal data as described in the following sections.

SAP delivers an end of purpose check (EoP) for SAP_APPL, ERP_SRM and SRM standalone (SRM_SERVER, BBP). SAP also delivers a where-used check (WUC) for these components.

All applications register either an end of purpose check (EoP) or a WUC in the Customizing settings for the blocking and deletion of the vendor master or the business partner. For information about the Customizing of blocking and deletion for MM-SRM, SAP_APPL, ERP_SRM and SRM standalone (SRM_SERVER, BBP), see Configuration: Simplified Blocking and Deletion.

End of Purpose Check (EoP)

The end of purpose check distinguishes three phases in the life cycle of the relevant data:

● Phase one: The relevant data is actively used.

● Phase two: The relevant data is actively available in the system.

● Phase three: The relevant data needs to be retained for other reasons.

For example, processing of data is no longer required for the primary business purpose, but to comply with legal rules for retention, the data must still be available. In phase three, the relevant data is blocked. Blocking of data prevents the business users of SAP applications from displaying and using data that may include personal data and is no longer relevant for business activities.

Blocking of data can impact system behavior in the following ways:

● Display: The system does not display blocked data.

● Change: It is not possible to change a business object that contains blocked data.


● Create: It is not possible to create a business object that contains blocked data.

● Copy/Follow-Up: It is not possible to copy a business object or perform follow-up activities for a business object that contains blocked data.

● Search: It is not possible to search for blocked data or to search for a business object using blocked data in the search criteria.

It is possible to display blocked data if a user has special authorization; however, it is still not possible to create, change, copy, or perform follow-up activities on blocked data.

For information about the configuration settings required to enable this three-phase based end of purpose check, see Process Flow and Configuration: Simplified Blocking and Deletion.
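To make the three phases and the blocking rules above concrete, here is an added Python model of a simplified end of purpose check for a business partner; it is illustration code written for this guide, not SAP's implementation. The where-used check keeps a partner in phase one while open documents still reference it, the residence time and retention period of the ILM policy decide phases two and three, and the access rules for blocked data are enforced per operation. The policy semantics (both periods counted in days from the last business activity), the treatment of data past its retention period as still blocked until ILM destroys it, and all sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Phase(Enum):
    """Life-cycle phases of the end of purpose (EoP) check described in the guide."""
    ACTIVE = "phase one: actively used"
    AVAILABLE = "phase two: actively available"
    BLOCKED = "phase three: retained for other reasons (blocked)"
    DESTROYABLE = "retention period over: may be destroyed with ILM (still blocked)"


class Operation(Enum):
    DISPLAY = "display"
    CHANGE = "change"
    CREATE = "create"
    COPY = "copy/follow-up"
    SEARCH = "search"


@dataclass(frozen=True)
class IlmPolicy:
    """Simplified ILM policy (assumption of this example): both periods are
    counted in days from the partner's last business activity."""
    residence_days: int   # data stays available after the last use
    retention_days: int   # data must then be kept, but blocked


@dataclass(frozen=True)
class BusinessPartner:
    bp_id: str
    last_activity: date
    open_references: int  # open documents still pointing at the partner (where-used check)


def end_of_purpose_phase(bp: BusinessPartner, policy: IlmPolicy, today: date) -> Phase:
    """Return the EoP phase of a business partner on the given day.

    The where-used check wins over any date arithmetic: a partner that is still
    referenced by open documents is in active use, whatever its age.
    """
    if bp.open_references > 0:
        return Phase.ACTIVE
    age_days = (today - bp.last_activity).days
    if age_days < policy.residence_days:
        return Phase.AVAILABLE
    if age_days < policy.residence_days + policy.retention_days:
        return Phase.BLOCKED
    return Phase.DESTROYABLE


def is_operation_allowed(op: Operation, phase: Phase, has_display_blocked_auth: bool) -> bool:
    """Apply the blocking rules from the guide.

    Blocked data is never changed, created, copied or searched, and is only
    displayed to a user who holds the special authorization.
    """
    if phase in (Phase.ACTIVE, Phase.AVAILABLE):
        return True
    if op is Operation.DISPLAY:
        return has_display_blocked_auth
    return False


def search_partners(partners, policy: IlmPolicy, today: date, query: str):
    """Search that silently drops blocked partners: neither blocked data nor
    objects matched via blocked data are returned, regardless of authorization."""
    hits = []
    for bp in partners:
        phase = end_of_purpose_phase(bp, policy, today)
        if not is_operation_allowed(Operation.SEARCH, phase, False):
            continue
        if query.lower() in bp.bp_id.lower():
            hits.append(bp.bp_id)
    return hits


# Constructed sample data: one year of residence time plus ten years of
# retention, and four partners observed on the same day.
POLICY = IlmPolicy(residence_days=365, retention_days=10 * 365)
TODAY = date(2016, 1, 15)
PARTNERS = [
    BusinessPartner("BP-1001", date(2012, 3, 1), open_references=2),  # still referenced
    BusinessPartner("BP-1002", date(2015, 9, 1), open_references=0),  # within residence time
    BusinessPartner("BP-1003", date(2012, 3, 1), open_references=0),  # blocked
    BusinessPartner("BP-1004", date(2004, 1, 1), open_references=0),  # retention period over
]

if __name__ == "__main__":
    for bp in PARTNERS:
        phase = end_of_purpose_phase(bp, POLICY, TODAY)
        shown = is_operation_allowed(Operation.DISPLAY, phase, has_display_blocked_auth=True)
        changed = is_operation_allowed(Operation.CHANGE, phase, has_display_blocked_auth=True)
        print(f"{bp.bp_id}: {phase.value}; display with special auth={shown}; change={changed}")
    print("search 'BP-10':", search_partners(PARTNERS, POLICY, TODAY, "BP-10"))
```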

Integration with Other Solutions

In the majority of cases, different installed applications run interdependently, as shown in the following graphic:

Figure 13: Integrated systems using Central Master Data

An example of an application that uses central master data is an SAP for Healthcare (IS-H) application that uses the purchase order data stored in Financial Accounting (FI) or Controlling (CO).

Relevant Application Objects and Available Deletion Functionality

Table 15

Application | Provided Deletion Functionality

BBP | For example, BBP*, ILM_DESTRUCTION.

Relevant Application Objects and Available EoP/WUC functionality

Table 16

Application | Implemented solution (EoP or WUC) | Further information

ERP_SRM (MM-SRM scenario) | EoP | EoP checks in table CRMD_PARTNER

BBP (SRM standalone scenario) | EoP | EoP checks in table CRMD_PARTNER

Process Flow – Business Partner

1. Before archiving data, you must define residence time and retention periods in SAP Information Lifecycle Management (ILM).

2. You choose whether data deletion is required for data stored in archive files or data stored in the database, also depending on the type of deletion functionality available.

3. You do the following:

○ Run transaction IRMPOL and maintain the required residence and retention policies for the central business partner (ILM objects: CA_BUPA).

○ Run transaction BUPA_PRE_EOP to enable the end of purpose check function for the central business partner.

○ Run transaction IRMPOL and maintain the required residence and retention policies for the customer master and vendor master in SAP SRM (ILM objects: FI_ACCPAYB, FI_ACCRECV, FI_ACCKNVK).

○ Run transaction CVP_PRE_EOP to enable the end of purpose check function for the customer master and vendor master in SAP ERP.

4. Business users can request unblocking of blocked data by using the transaction BUP_REQ_UNBLK.


5. If you have the needed authorizations, you can unblock data by running the transactions BUPA_PRE_EOP and CVP_UNBLOCK_MD.

6. You delete data by using the transaction ILM_DESTRUCTION for the ILM objects of SAP_APPL, ERP_SRM and SRM standalone (SRM_SERVER, BBP).

7. For information about how to configure blocking and deletion for SAP_APPL, ERP_SRM and SRM standalone (SRM_SERVER, BBP), see Configuration: Simplified Blocking and Deletion.

Process Flow – SRM Transactional Data

1. Before archiving data, you must define residence time and retention periods in SAP Information Lifecycle Management (ILM).

2. You choose whether data deletion is required for data stored in archive files or data stored in the database, also depending on the type of deletion functionality available.

3. Run transaction IRMPOL and maintain the required residence and retention policies for the central business partner (ILM objects such as BBP_SC and BBP_PO; a corresponding ILM object is available for each archiving object).

4. You delete data by using the transaction ILM_DESTRUCTION for the ILM objects of SAP_APPL, ERP_SRM and SRM standalone (SRM_SERVER, BBP).

Configuration: Simplified Blocking and Deletion

You configure the settings related to the blocking and deletion of business partner master data in Customizing for Cross-Application Components under Data Protection as follows:

● Define the settings for authorization management under Data Protection → Authorization Management. For more information, see the Customizing documentation.

● Define the settings for blocking in Customizing for Cross-Application Components under Data Protection → Blocking and Unblocking Business Partner.

You configure the settings related to the blocking and deletion of customer and vendor master data in the SAP Customizing Implementation Guide for Materials Management under:

● Logistics - General → Business Partner → Deletion of Customer and Vendor Master Data.

● Financial Accounting → Accounts Receivable and Accounts Payable → Deletion of Customer and Vendor Master Data.

● Financial Accounting (New) → Accounts Receivable and Accounts Payable → Deletion of Customer and Vendor Master Data.

14.2 Read Access Logging

If no trace or log is stored that records which business users have accessed data, it is difficult to track the person(s) responsible for any data leaks to the outside world. The Read Access Logging (RAL) component can be used to monitor and log read access to data and provide information such as which business users accessed personal data, for example, of a business partner, and in which time frame. In RAL, you can configure which read-access information to log and under which conditions.

For more information about RAL, see Read Access Logging (RAL) in the documentation for SAP NetWeaver.


15 Other Security Relevant Information

15.1 Payment Card Security

You specify procurement card as the payment method when creating a requirement coverage request. The settlement data is transferred to the Enterprise Buyer system. At the same time, the system generates an invoice for all purchases that were made using a procurement card. The invoice is updated in accounts payable accounting in the backend and blocked for payment. The system can then pay the invoice during the payment run.

The card information is displayed in the item details of the shopping cart and purchase order. It is masked.

The Enterprise Buyer system creates an invoice for the bank or card company from the settlement data and updates this in Accounting in the backend using message type ACLPAY. The invoice is blocked and can be paid at a specific point in time. The offsetting entry is made to the clearing account specified in Customizing. The system generates G/L account postings from the individual purchases. These postings clear the clearing account and debit the expense account defined for the procurement card. At the same time, the system debits the cost object (for example, the cost center or project).

15.2 Credit Card Usage Overview

Figure 14


Table 17

Which technical components are involved in the credit card/payment process? | SRM

What components are necessary (ABAP, ABA)? | ABAP

What is the information flow (for example, CRM -> PI -> FI -> SD)? | SRM -> PI -> FI

What technical methods are used to encrypt/decrypt credit card information? | MASK and UNMASK

What tracing and logging is used? | SRM logging mechanism

Can the customer upgrade from previous releases? | Yes, upgrade is possible. Customization is required for the upgrade.

Are alternatives, like tokens, supported? | No

15.3 Customizing

The following customizing activities are required as a prerequisite to enable PCI-relevant settings within this component:

● You must configure the IDoc settings for PCARD.

● You must define number ranges. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Define Number Ranges.

● You must define the card company. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Define Card Company.

● You must allocate the company code. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Allocate Company Code.

● You must define blocking reasons. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Define Blocking Reasons.

● You must process procurement card reasons. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Process Procurement Card.

● You must manage commitments. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Manage Commitments.

● You must define product categories for the procurement card. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Define Product Categories for Procurement Card.

The following credit card/payment card-specific Customizing activities are relevant for this component:

● You must define the card company. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Define Card Company.

● You must allocate the company code. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Allocate Company Code.

● You must define blocking reasons. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Define Blocking Reasons.


● You must process procurement card reasons. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Process Procurement Card.

Note: The P-Card number range should be maintained correctly and should not coincide with other SAP SRM number ranges.

Upgrade

During an upgrade, the credit card details must be maintained again. If the entries in the Allocate Company Code Customizing activity are deleted, the card details are also deleted; therefore, this information should be stored safely in this Customizing activity.

15.4 Masked/Unmasked Display

The display of credit card information is masked by default. The character used for the masked display cannot be customized.

15.5 Deleting Stored Credit Card Information

To delete stored credit card information, go to Customizing for SAP SRM under SRM Server → Procurement Card → Define Company Card. Credit card information is stored here and can be completely deleted.


16 Appendix

16.1 Data Privacy Statement

In the SAP Supplier Relationship Management (SAP SRM) system, personal user data, such as the name and address, is saved in the user master record. To comply with legal requirements, this user data can only be saved and used if the affected user actively consents to this. To do so, the user must select a checkbox at the end of the text that is displayed on the corresponding interfaces.

Note that the checkbox is not initially set.

Caution: In some countries, explicit written consent from external partners, for example suppliers, may be necessary.

You can activate the data privacy function for the following services:

● Supplier Registration (in SAP SRM) and Supplier Registration (in SAP SRM Server for SUS): In these cases, the supplier, as an external user, selects the checkbox to allow the supplier data to be saved.

● Business Partner Maintenance (in SAP SRM) and User Maintenance (in SAP SRM Server for SUS): The internal processor selects the checkbox and confirms that the external user whose data is being processed is aware of and consents to the data being saved.

Customizing

You define the Customizing settings for the data privacy statement in Customizing for SAP Supplier Relationship Management under SRM Server → Master Data → Business Partner → Specify Data Privacy Settings for Suppliers.

You define the Customizing settings for the data privacy statement in Customizing for SAP SRM Server for SUS under Supplier Self-Services → Settings for User Interface → Specify Data Privacy Settings for Suppliers.

In the Customizing tables you can activate or deactivate the data privacy function and define the technical names of the texts to be displayed.

Note: The texts that are displayed to the external user on self-registration and to the internal user when maintaining business partners are predefined in the system as General Texts. You can use transaction SE61 to copy and modify them to suit your requirements.


16.2 Virus Checking of Document Attachments

SAP Supplier Relationship Management (SAP SRM) provides you with the opportunity to check documents that you attach to SAP SRM documents with a virus scanner before they are stored in the database.

You must have a virus scanner installed and must have configured it correctly. You define the Customizing settings for virus checking in Customizing for SAP SRM under SAP Web Application Server → Base System Administration → Virus Scan Interface.

The virus scanning functions in SAP SRM are activated when you implement the Business Add-In (BAdI) BBP_ATT_CHECK. SAP supplies the BAdI BBP_ATT_VIRSCAN as an example implementation. The interface contains a structure that is used in SAP SRM for the storage of attachments. The field PHIO_FNAME contains the file name and the tabular field PHIO_CONTENT contains the file part of the attachment, that is where the actual file is stored. Viruses are dealt with in the implementation. For example, the data part is deleted.

Function BBP_PD_MSG_ADD should also be implemented, as it communicates messages such as warnings, additional information, and errors to a central log. These messages are then transferred to the user interface.
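As an added illustration of the flow a BAdI implementation has to follow (this is Python written for this guide, not SAP's BBP_ATT_VIRSCAN or any other SAP code), the attachment arrives as a file name plus a table of content chunks; the chunks are reassembled, the whole file is scanned, and on a hit the data part is deleted and an error message is queued for the central log in the way BBP_PD_MSG_ADD would be used. The chunked storage, the signature list standing in for the Virus Scan Interface, and the sample attachments are assumptions constructed for the example; it also shows why scanning the table line by line is not enough.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed signature database standing in for the Virus Scan Interface (VSI).
# The patterns are harmless marker strings invented for this example.
SIGNATURES: Dict[str, bytes] = {
    "TEST-MARKER-A": b"CONSTRUCTED-TEST-MARKER-A",
    "TEST-MARKER-B": b"CONSTRUCTED-TEST-MARKER-B",
}


@dataclass
class Attachment:
    """Mirror of the attachment structure named in the guide: PHIO_FNAME holds
    the file name and the tabular field PHIO_CONTENT holds the file content
    as a table of raw chunks (the chunk size is an assumption of this example)."""
    phio_fname: str
    phio_content: List[bytes] = field(default_factory=list)


@dataclass
class Message:
    """One entry for the central log (what BBP_PD_MSG_ADD would receive)."""
    msgty: str  # 'E' error, 'W' warning, 'I' information
    text: str


def split_into_table(data: bytes, chunk_size: int) -> List[bytes]:
    """Store a file the way the tabular field does: as fixed-size chunks."""
    return [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]


def scan_bytes(data: bytes) -> Optional[str]:
    """Return the name of the first matching signature, or None if clean."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_chunks_separately(chunks: List[bytes]) -> Optional[str]:
    """The naive approach: scan each table line on its own. A pattern that
    straddles two chunks is missed, which is why check_attachment joins first."""
    for chunk in chunks:
        hit = scan_bytes(chunk)
        if hit is not None:
            return hit
    return None


def check_attachment(att: Attachment, log: List[Message]) -> bool:
    """Scan an attachment before it is stored.

    Returns True if the attachment may be saved. On a hit the data part is
    deleted (the content table is emptied) so that nothing infected reaches the
    database, and an error message is queued for the central log.
    """
    data = b"".join(att.phio_content)  # reassemble the file from the table
    hit = scan_bytes(data)
    if hit is None:
        log.append(Message("I", f"{att.phio_fname}: {len(data)} bytes scanned, clean"))
        return True
    att.phio_content.clear()  # delete the data part; the file name is kept for the log
    log.append(Message("E", f"{att.phio_fname}: signature {hit} found, data part deleted"))
    return False


# Constructed sample attachments with a deliberately small chunk size so that
# the marker in the second file crosses a chunk boundary.
CLEAN = Attachment("quote_4711.txt",
                   split_into_table(b"Quotation for RFx 4711, net 30 days.\n", 16))
INFECTED = Attachment("quote_4712.txt",
                      split_into_table(b"Quotation 4712\nCONSTRUCTED-TEST-MARKER-A\nend", 16))

if __name__ == "__main__":
    central_log: List[Message] = []
    for att in (CLEAN, INFECTED):
        ok = check_attachment(att, central_log)
        print(f"{att.phio_fname}: store={ok}, chunks left={len(att.phio_content)}")
    for msg in central_log:
        print(msg.msgty, msg.text)
```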

16.3 Additional Related Guides

Table 18

Area/Topic | Guide/Documentation | Link

SAP SRM | SAP SRM Master Guide | service.sap.com/instguides → SAP Business Suite Applications → SAP SRM → SAP SRM Server 7.03 → Master Guide

SAP NetWeaver | SAP NetWeaver Security Guide | help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide

16.4 Additional Information

Special Information for Live Auction Cockpit Web Presentation Server (LACWPS) 6.0

Note that this only relates to the SAP SRM business scenario Strategic Sourcing with LACWPS 6.0. This does not apply to Live Auction on ABAP.

Which Part of LACWPS 6.0 should Be Set Up in which Network Segment?

The client portion of LACWPS (Java applet) is deployed on the Internet. The applet communicates with LACWPS on a J2EE server. This is why the external user has to allow the applet to be downloaded.

The server portion, that is, SAP Web AS, should be located on the Local Area Network (LAN).

The SAP Enterprise Resource Planning (ERP) system should be located on the LAN.


Where Exactly Is Data Stored?

System configuration data is stored in the properties files on the SAP Web AS. System configuration data is shipped with the system.

Runtime transactional data is stored in the database of the SAP system. Transactional data is stored during runtime of the application.

No temporary data is stored anywhere else.

Which Type of Data Access Is Required at what Point in Time?

Read access of system configuration data is required during server startups.

Read and write access to transactional data is required during runtime.

What Level of Protection Is Recommended for which Data?

System administration permissions should be used to restrict access to the LACWPS properties configuration in the Web AS Visual Administrator. Customers must ensure that only system administrators have access to Web AS Visual Administrator. Configuration data in Web AS Visual Administrator is protected by a password.

Note: Password Encryption

Access to the SAP Web AS Visual Administrator needs a password.

This password is set during the installation of Web AS. For the LACWPS scenario, the username is J2EE_ADMIN and the password is the one set by the first user.

Before deployment of the application, a dummy password is stored as a file in the deployment Export Administration Regulations (EAR) file. Once the application is deployed, the value is internally encrypted in the database in J2EE and can only be accessed through J2EE Visual Administrator.

After the deployment, you must change the password using Visual Administrator. The Visual Administrator tool can be configured for Secure Sockets Layer (SSL) to secure communication between Visual Administrator and the J2EE server.

In the User Management Engine (UME) of the J2EE Engine, the properties values are stored in the same way. It is not necessary to encrypt the content of the password to be stored as real values in DB, since communication between Visual Administrator and the J2EE server can be secure as well.

Remote Function Call (RFC) users should be created for RFC and Java Remote Function Call (JCo) connections to the SAP systems.

JCO-RFC-Password for Live Auction Cockpit to SAP SRM server:

The dummy password that is stored in the LAC deployable application is required for the RFC connection between the Live Auction Cockpit application and the SAP SRM Server. Once Web AS has been installed and the LAC application has been deployed, it is necessary to use the Web AS Visual Administrator to configure this JCO-RFC-Password/Username so that the Live Auction Cockpit application can run. (At present, this JCO RFC password is visually encrypted as “*****” when it is entered, as in the SAP backend system transaction SU01. Only a user with administrator authorization on the J2EE engine can reset the password, as in the SAP backend system transaction SU01.)

Does the application require an Internet browser as the user interface?

The Live Auction Cockpit client (Java applet) requires an Internet browser.

Cookies are only used by User Management Engine (UME) for Single Sign-On (SSO) tickets.


Which RFC/JCo destinations are delivered/required?

The Live Auction Cockpit application establishes RFC connections via JCo.

(There is no need to maintain RFC destinations in transaction SM59 for Live Auction Cockpit, since the JCo server is not used.)

What is the minimum authorization required by the communication user for RFC/JCo connections?

The communication user can be defined as a system user in a production system where there is no need for JCo/ABAP debugger.

If the debugger needs to be used, the communication user must be defined as a dialog user. Furthermore, the user must have both purchaser and supplier profiles for Live Auction Cockpit. (In a productive system, a dialog (RFC) user always represents a limited security risk.)

SSO and SAP Logon Tickets

The Live Auction Cockpit application uses UME API to verify Single Sign-On tickets. No user data is replicated since all user data is in SAP Bidding Engine in SAP SRM Server. (User data synchronization is not required.)

By default, the Live Auction Cockpit application accepts SAP Logon Tickets.

Details for the logon scenario for Live Auction:

● Purchaser and Bidder log onto SAP SRM through the standard logon page.

● Inside the Bidding Engine auction user interface (Sourcing) the Live Auction Cockpit applet is launched.

● For Single Sign-On and user validation the Java user management client is used.

● If the applet’s URL is typed directly into the browser window, the user is validated through the UME Logon Applet and redirected to a UME logon page. After successful logon, the user is directed back to the applet.

Figure 15

Digitally-signed Java applet

As of SAP SRM 5.0/LAC WPS 5.0 the Java applet is digitally signed. The user must confirm that he or she agrees to this usage.


Authorization and roles

No roles are delivered with Live Auction Cockpit. All roles are delivered with SAP SRM Server.

Are authorization technologies other than roles used?

Yes, bidders must be added to an auction’s invitation list to view and bid on that auction using Live Auction Cockpit.

Bidders are added to this invitation list (in the SAP SRM Server system) when the auction is created, since this is a private auction (SAP Bidding Engine) with no self-registration or subscription.

User interface settings

Live Auction Cockpit can preserve and restore various user interface (UI) settings so that the users do not need to adjust the UI each time they log on. This functionality works in Live Auction ABAP in the same way as in Live Auction based on J2EE engine. These settings include:

● Divider location

● Dropdown box selection

● Tab selection

● Table column order

● Table column width

All UI settings are stored as a browser cookie. Therefore, the user's Web browser must be configured to accept cookies to take advantage of this feature. If the user's Web browser is configured to block cookies, then UI settings are not preserved. However, all other Live Auction Cockpit features remain functional.

Note: No personal information is stored in the browser cookie.

Special Information for SRM-MDM Catalog

For information about MDM, see service.sap.com/installmdm .

Special Consideration for Offline Bidding

In SAP SRM, offline bidding using e-mail is possible. However, offline bidding does not provide a secure application configuration by default. This approach can cause a security issue because it is not protected by strong encryption or by certificates.

For this reason, SAP SRM does not support any scenario except in-house e-mail.

Note: Even with in-house e-mail, secure execution of offline bidding cannot be guaranteed.


A Reference

A.1 The Main SAP Documentation Types

The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.

Cross-Phase Documentation

SAPterm is SAP’s terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German.

● Target group:

○ Relevant for all target groups

● Current version:

○ On SAP Help Portal at help.sap.com → Glossary

○ In the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.

● Target group:

○ Consultants

○ System administrators

○ Project teams for implementations or upgrades

● Current version:

○ On SAP Help Portal at help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.

● Target group:

○ System administrators

○ Technology consultants

○ Solution consultants

● Current version:

○ On SAP Service Marketplace at service.sap.com/securityguide

Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide and SAP Notes.

● Target group:

○ Technology consultants


○ Project teams for implementations

● Current version:

○ On SAP Service Marketplace at service.sap.com/instguides

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.

● Target group:

○ Technology consultants

○ Project teams for implementations

● Current version:

○ On SAP Service Marketplace at service.sap.com/instguides

Configuration Documentation in SAP Solution Manager – SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.

● Target group:

○ Technology consultants

○ Solution consultants

○ Project teams for implementations

● Current version:

○ In SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)

● Target group:

○ Solution consultants

○ Project teams for implementations or upgrades

● Current version:

○ In the SAP menu of the SAP system under Tools → Customizing → IMG

Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/ restore, master data maintenance, transports, and tests.

● Target group:

○ System administrators

● Current version:

○ On SAP Service Marketplace at service.sap.com/instguides

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.

● Target group:

○ System administrators


○ Technology consultants

○ Solution consultants

● Current version:

○ On SAP Service Marketplace at service.sap.com/instguides

Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.

● Target group:

○ Technology consultants

○ Project teams for upgrades

● Current version:

○ On SAP Service Marketplace at service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.

● Target group:

○ Technology consultants

○ Project teams for upgrades

● Current version:

○ On SAP Service Marketplace at service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).

● Target group:

○ Consultants

○ Project teams for upgrades

● Current version:

○ On SAP Service Marketplace at service.sap.com/releasenotes

○ In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)


Typographic Conventions

Table 19

Example              Description
<Example>            Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”.
Example → Example    Arrows separating the parts of a navigation path, for example, menu options
Example              Emphasized words or expressions
Example              Words or characters that you enter in the system exactly as they appear in the documentation
www.sap.com          Textual cross-references to an internet address
/example             Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456               Hyperlink to an SAP Note, for example, SAP Note 123456
Example              ● Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
                     ● Cross-references to other documentation or published works
Example              ● Output on the screen following a user action, for example, messages
                     ● Source code or syntax quoted directly from a program
                     ● File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE              Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE              Keys on the keyboard


www.sap.com

© Copyright 2016 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
