security guide for sap ehs management introduction 1.1 about this document the security guide...

Security Guide CUSTOMER

Document Version: 6.0.6 – 2017-12-13

Security Guide for SAP EHS Management

Content

1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.1 About this Document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41.2 Target Audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.3 Why is Security Necessary?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51.4 Overview of the Main Sections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Before You Start. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.1 Fundamental Security Guides. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.2 Important SAP Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8

3 Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

4 User Administration and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124.2 User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

User Administration and User Management Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12User Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Standard Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

4.3 User Data Synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154.4 Integration into Single Sign-On Environments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

5 Authorizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165.1 Role and Authorization Concept for SAP EHS Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165.2 Authorizations for RFC Calls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165.3 Standard Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Scenario Health and Safety. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Scenario Environment Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20Scenario Product Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

5.4 Standard Authorization Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Scenario Health and Safety. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Scenario Environment Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36Scenario Product Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

5.5 Critical Combinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395.6 Creating Custom Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

6 Session Security Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .416.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416.2 Session Security Protection on the AS ABAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41

2 C U S T O M E RSecurity Guide for SAP EHS Management

Content

6.3 Session Security Protection on the AS Java. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

7 Network and Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

7.2 Communication Channel Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Secure Offline Communication with SAP Interactive Forms by Adobe. . . . . . . . . . . . . . . . . . . . . . . 44

7.3 Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44

7.4 Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

7.5 Communication Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

8 Internet Communication Framework Security for Health and Safety. . . . . . . . . . . . . . . . . . . . . . . 47

9 Data Storage Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

10 Data Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4910.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

10.2 Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

10.3 Technical and Organizational Measures to Ensure Data Protraction. . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

10.4 Deletion of Personal Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

10.5 Read Access Logging of Personal Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Read Access Logging for Incident Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

10.6 Change Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58

11 Security for Additional Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

12 Dispensable Functions with Impacts on Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

13 Other Security-Relevant Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6213.1 SAP NetWeaver Business Client as User Front End. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

13.2 Documents (Including Virus Scanner). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

13.3 Forms and E-Mails Containing Java Script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

13.4 Security Settings for the Report Incident App. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

14 Security-Relevant Logging and Tracing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

15 Services for Security Lifecycle Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6415.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

15.2 Security Chapter in the EarlyWatch Alert (EWA) Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64

15.3 Security Optimization Service (SOS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

15.4 Security Configuration Validation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

15.5 Security in the RunSAP Methodology / Secure Operations Standard. . . . . . . . . . . . . . . . . . . . . . . . . . 65

15.6 More Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65

Security Guide for SAP EHS ManagementContent C U S T O M E R 3

1 Introduction

1.1 About this Document

The Security Guide provides an overview of the security-relevant information that applies to SAP EHS Management.

CautionThis guide does not replace the administration or operation guides that are available for productive operations.

1.2 Target Audience

CautionThis guide does not replace the administration or operation guides that are available for productive operations.

● Technology consultants● Security consultants● System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

You can find the guides as specified in the table below:

Overview of Guides for SAP EHS Management

Guide Definition Link

Master Guide The central starting point for the technical implementation of the SAP EHS Management add-on. Get an overview of SAP EHS Management, its software units, system landscapes, and find important SAP Notes.

SAP Help Portal at http://help.sap.com/ehs-com

Operations Guide Information for technical and solution consultants as well as support specialists and system administrators about managing and maintaining your SAP applications to run optimally.


Introduction

http://help.sap.com/ehs-com


Guide Definition Link

Sizing Guide Information for system administrators, technical project managers, and consultants about sizing, calculation of hardware requirements, such as CPU, disk and memory resource.

1.3 Why is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to component extension 6.0 for SAP Environment, Health, and Safety Management (SAP EHS Management). To assist you in securing SAP EHS Management, we provide this Security Guide.

Data protection is very important in the following examples:

● In incident management, you have critical person-related information regarding absences or injuries.● In risk assessment, personal data about the risk assessment lead and the other persons involved in a risk

assessment are displayed.

Component extension 6.0 for SAP EHS Management assumes that agreements for storage of personal data are covered in individual work contracts. This also applies to notifications on initial data storage.

ExampleSeveral business processes within SAP EHS Management use SAP Business Workflow and e-mail inbound and outbound processing. It is not recommended that you grant the corresponding system users (such as WF_BATCH for Workflow System or SAPCONNECT for e-mail inbound processing) all authorizations of the system (SAP_ALL). In addition, this document describes the required authorizations and configuration for supporting business processes using SAP Business Workflow and the e-mail inbound and outbound scenario within the SAP EHS Management solution.

1.4 Overview of the Main Sections

The Security Guide comprises the following main sections:

● Before You Start○ This section contains information about why security is necessary, how to use this document, and

references to other Security Guides that build the foundation for this Security Guide.● Technical System Landscape

Security Guide for SAP EHS ManagementIntroduction C U S T O M E R 5

This section provides an overview of the technical components and communication paths that are used by SAP EHS Management.

● Security Aspects of Data, Data Flow and Processes

This section provides an overview of security aspects involved throughout the most widely-used processes within SAP EHS Management.

● User Administration and Authentication○ This section provides an overview of the following user administration and authentication aspects:○ Recommended tools to use for user management○ User types that are required by SAP EHS Management○ Standard users that are delivered with SAP EHS Management○ Overview of the user synchronization strategy, if several components or products are involved○ Overview of how integration into Single Sign-On environments is possible

● Authorizations○ This section provides an overview of the authorization concept that applies to SAP EHS Management.

● Session Security Protection○ This section provides information about activating secure session management, which prevents

JavaScript or plug-ins from accessing the SAP logon ticket or security session cookie(s).● Network and Communication Security

○ This section provides an overview of the communication paths used by SAP EHS Management and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

● Internet Communication Framework Security○ This section provides an overview of the Internet Communication Framework (ICF) services that are used

by SAP EHS Management.● Application-Specific Virus Scan Profile (ABAP)

○ This section provides an overview of the behavior of the AS ABAP when application-specific virus scan profiles are activated.

● Data Storage Security○ This section provides an overview of any critical data that is used by SAP EHS ManagementSAP EHS

Management and the security mechanisms that apply.● Data Protection

○ This section provides information about how SAP EHS Management protects personal or sensitive data.● Security for Third-Party or Additional Applications

○ This section provides security information that applies to third-party or additional applications that are used with SAP EHS Management.

● Dispensable Functions with Impacts on Security○ This section provides an overview of functions that have impacts on security and can be disabled or

removed from the system.● Enterprise Services Security

○ This section provides an overview of the security aspects that apply to the enterprise services delivered with SAP EHS Management.

● Other Security-Relevant Information○ This section contains information about:○ SAP NetWeaver Business Client as a user front end○ Interactive forms


Introduction

○ E-mails with PDF attachments○ Documents (including virus scanner)

● Security-Relevant Logging and Tracing○ This section provides an overview of the trace and log files that contain security-relevant information, for

example, so you can reproduce activities if a security breach does occur.● Services for Security Lifecycle Management

○ This section provides an overview of services provided by Active Global Support that are available to assist you in maintaining security in your SAP systems on an ongoing basis.

● Appendix○ This section provides references to further information.

Security Guide for SAP EHS ManagementIntroduction C U S T O M E R 7

2 Before You Start

2.1 Fundamental Security Guides

SAP EHS Management is built from the following components:

● SAP NetWeaver● SAP BI● SAP Embedded Search (SAP NetWeaver Enterprise Search)● SAP BusinessObjects● SAP Interactive Forms

Therefore, the corresponding Security Guides also apply to the SAP EHS Management. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below.

Application of Components

Scenario, Application or Component Security Guide

SAP NetWeaver 7.0 Security Guides (Complete)

SAP NetWeaver Business Client

SAP Basis / Web AS Security Guides

SAP Business Connector Security Guide

SAP NetWeaver Business Warehouse Security Guides

SAP BusinessObjects (formerly, SAP Business User)

SAP Interactive Forms solution Security Guides

SAP NetWeaver Enterprise Search 7.2.Security Guide

2.2 Important SAP Notes

The most important SAP Notes that apply to the security of SAP EHS Management are shown in the table below.

Important SAP Notes

Title SAP Note Comment

128447 Trusted/Trusting Systems

510007 Setting up SSL on the Web Application Server ABAP


Before You Start

http://help.sap.com/disclaimer?site=http%3A%2F%2Fservice.sap.com%2Fsap%2Fsupport%2Fnotes%2F128447


Title SAP Note Comment

517484 Inactive Services in the Internet Communication Framework

1367252 SAP NetWeaver Enterprise Search 7.2: Security Guide.

1590784 EHSM: Necessary changes in the Attachment Folder Customizing

For a list of additional security-relevant SAP Hot News and SAP Notes, see also SAP Support Portal at https://support.sap.com/securitynotes .

For more information about specific topics, see the Quick Links as shown in the table below.

Quick Links

Content Link

Security http://scn.sap.com/community/security

Related SAP Notes https://support.sap.com/notes

https://support.sap.com/securitynotes

Product Availability Matrix http://support.sap.com/release-upgrade-maintenance/pam.html

SAP Solution Manager https://support.sap.com/solutionmanager

SAP NetWeaver http://scn.sap.com/community/netweaver

Security Guide for SAP EHS ManagementBefore You Start C U S T O M E R 9




http://help.sap.com/disclaimer?site=https%3A%2F%2Fsupport.sap.com%2Fsecuritynotes


http://help.sap.com/disclaimer?site=http%3A%2F%2Fscn.sap.com%2Fcommunity%2Fsecurity

http://help.sap.com/disclaimer?site=https%3A%2F%2Fsupport.sap.com%2Fnotes


http://help.sap.com/disclaimer?site=http%3A%2F%2Fsupport.sap.com%2Frelease-upgrade-maintenance%2Fpam.html

http://help.sap.com/disclaimer?site=http%3A%2F%2Fsupport.sap.com%2Frelease-upgrade-maintenance%2Fpam.html

http://help.sap.com/disclaimer?site=https%3A%2F%2Fsupport.sap.com%2Fsolutionmanager

http://help.sap.com/disclaimer?site=http%3A%2F%2Fscn.sap.com%2Fcommunity%2Fnetweaver

3 Technical System Landscape

The figure below shows an overview of the technical system landscape for SAP EHS Management.

For more information about the technical system landscape of SAP EHS Management, as well as integrated systems, see the SAP EHS Management Master Guide on the SAP Help Portal at http://help.sap.com/ehs-com.

Figure 1: Process Integration System Overview depicts which functional modules are integrated into SAP EHS Management processes and can reside on separate systems. The systems can be connected via RFC.

We assume that the central system for master data will provide the initial setup of Customizing and master data for SAP EHS Management via Customizing transports and ALE replication (such as material master and plants).

Process Integration System Overview

For these RFC calls, we recommend you distribute the SAP EHS Management users to the other systems as needed to read HR data, for example, and to enable Single Sign-On (SSO) for those users.

For more information about the technical system landscape, see the resources listed in the table below.


Technical System Landscape


Technical System Landscape Resources

Topic Guide/Tool Link on the SAP Support Portal or SCN

Technical description for SAP EHS Management

and the underlying components such as SAP NetWeaver

Master Guide http://help.sap.com/ehs-com

High availability See applicable documents http://scn.sap.com/docs/DOC-7848

Technical landscape design See applicable documents http://scn.sap.com/docs/DOC-8140

Security See applicable documents http://scn.sap.com/community/security

Security Guide for SAP EHS ManagementTechnical System Landscape C U S T O M E R 11


http://help.sap.com/disclaimer?site=http%3A%2F%2Fscn.sap.com%2Fdocs%2FDOC-7848

http://help.sap.com/disclaimer?site=http%3A%2F%2Fscn.sap.com%2Fdocs%2FDOC-8140%2520



4 User Administration and Authentication

4.1 Introduction

SAP EHS Management uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP and Java. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide [SAP Library] and SAP NetWeaver Application Server Java Security Guide [SAP Library] also apply to SAP EHS Management.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to SAP EHS Management in the following topics:

● User ManagementThis topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with SAP EHS Management.

● User Data SynchronizationSAP EHS Management shares user data with:○ SAP EHS Management system○ BI system○ Other ERP systems (HR, PM, QM, and CS)

This topic describes how the user data is synchronized with these other sources.● Integration into Single Sign-On Environments

This topic describes how SAP EHS Management supports Single Sign-On mechanisms.

4.2 User Management

User management for SAP EHS Management uses the mechanisms provided with the SAP NetWeaver Application Server ABAP and Java, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for SAP EHS Management, see the sections below. In addition, we provide a list of the standard users required for operating SAP EHS Management.

4.2.1 User Administration and User Management Tools

The table below shows the tools to use for user management and user administration with SAP EHS Management.


User Administration and Authentication

User Management and Administration Tools

Tool Detailed Description

User and role maintenance with SAP NetWeaver AS ABAP (transactions SU01 and PFCG)

For more information, see Users and Roles (BC-SEC-USR) on SAP Help Portal at http://help.sap.com.

User Management Engine with SAP NetWeaver AS Java For more information, see User Management Engine on SAP Help Portal at http://help.sap.com.

Central User Administration (CUA) Use the CUA to centrally maintain users for the various systems used by SAP EHS Management.

Set user for Enterprise Search data extraction (report ESH_EX_SET_EXTRACTION_USER

Embedded Search extraction user and extraction roles have to be set up with this report

Manage analysis authorizations (transaction RSECADMIN) Provides all necessary tools to maintain analysis authorizations

4.2.2 User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

The user types that are required for SAP EHS Management include:

● Individual users:○ Dialog users are used for the dialog processing and for the RFC connection to the Adobe Document

Service (ADS), for example. (Used for SAP GUI for Windows or RFC connections.)○ Communication users are used for e-mail inbound processing (such as SAPCONNECT).○ Background users are used for Embedded Search extraction, BI extraction and the SAP Business

Workflow Engine (such as WF-BATCH).

For more information about these user types, see User Types on SAP Help Portal at http://help.sap.com in the SAP NetWeaver AS ABAP Security Guide.

4.2.3 Standard Users

The table below shows the standard users that are necessary for operating SAP EHS Management.

Standard Users

System User ID Type Password Description

SAP EHS Management ERP System

Business Processing User

Dialog User To be entered Business User of SAP EHS Management

Security Guide for SAP EHS ManagementUser Administration and Authentication C U S T O M E R 13

http://help.sap.com

http://help.sap.com

http://help.sap.com

System User ID Type Password Description

SAP EHS Management BI System

Business Processing User for Reporting functionality

Dialog User To be entered Business User of SAP EHS Management mapped to the Business Processing User in SAP EHS Management ERP System


E-mail Inbound Processing user

Communication user Not needed User to process the incoming e-mails of SAP EHS Management


BI Extractor User Background user Not needed User for the BI extraction of SAP EHS Management data


Embedded Search Extractor User

Background user Not needed User for the Embedded Search extraction will be created via report ESH_EX_SET_

EXTRACTION_USER


Workflow Engine batch user

Background user Not needed User for the background processing of workflows in SAP EHS Management


PRC Worklist Generation User

Background user Not needed User for the background processing of product compliance worklists


PRC Automated Change Processing User

Background user Not needed User for the background automated processing of compliance data changes in the product compliance area


PRC Supplier Change Monitor

Background user Not needed User for the background monitoring of changes in supplier to material assignment


Automatic Data Collection User

Background user Not needed EM-BATCH user with the role SAP_BC_BMT_WFM_SERV_USER for the automatic collection of environmental data

You need to create the users after the installation.

RecommendationUsers are not automatically created during installation. In consequence, there is no requirement to change their user IDs and passwords after the installation.


User Administration and Authentication

4.3 User Data Synchronization

To avoid administrative effort, you can employ user data synchronization in your system landscape.

Since SAP EHS Management is based on SAP NetWeaver, all the mechanisms for user data synchronization of SAP NetWeaver are available for SAP EHS Management.

4.4 Integration into Single Sign-On Environments

SAP EHS Management supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide on SAP Help Portal at http://help.sap.com also apply to SAP EHS Management.

The most widely-used supported mechanisms are listed below:

● Secure Network Communications (SNC)SNC is available for user authentication and provides an SSO environment when using the SAP GUI for Windows or Remote Function Calls.

● SAP logon ticketsSAP EHS Management supports the use of logon tickets for SSO when using a Web browser as the front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication, but can access the system directly after the system has checked the logon ticket.

● Client certificatesAs an alternative to user authentication with a user ID and passwords, users using a Web browser as a front-end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information about the available authentication mechanisms, see User Authentication and Single Sign-On on SAP Help Portal at http://help.sap.com in the SAP NetWeaver Library.

Security Guide for SAP EHS ManagementUser Administration and Authentication C U S T O M E R 15

http://help.sap.com

http://help.sap.com

5 Authorizations

5.1 Role and Authorization Concept for SAP EHS Management

SAP EHS Management uses the authorization concept provided by the SAP NetWeaver AS ABAP or AS Java. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP and SAP NetWeaver AS Security Guide Java also apply to SAP EHS Management.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’s user administration console on the AS Java.

NoteFor more information about how to create roles, see Role Administration [SAP Library].

5.2 Authorizations for RFC Calls

In SAP EHS Management, multiple BAPIs and RFC-enabled function modules are used to create, update, and read the data of other SAP applications from (optional) other ERP systems. Thus, the authorization for using these BAPIs and function modules (via Web Dynpro, for example), should be restricted to users who are intended to have these authorizations and corresponding access to the data. For more information about creating roles and the authorization concept, see AS ABAP Authorization Concept on SAP Help Portal at http://help.sap.com → SAP NetWeaver 7.4.

5.3 Standard Roles

The table below shows the standard roles that are used by SAP EHS Management.

SAP EHS Management delivers simultaneous end user roles for the ERP system to synchronize the menu structures for end users, regardless of whether the user has decided to use a Web browser or NetWeaver Business Client (NWBC) as a front end.

The following standard roles support the processes of SAP EHS Management. Technically, the services of these roles are of the following types: Web Dynpro ABAP, Power Object Worklist (POWL), Report Launchpad, BI queries, BI dashboards based on Adobe Flash Player and transactions. Unless shown in the table below, the roles are delivered without authorization profiles. The authorization profiles are then generated from these roles.


Authorizations

http://help.sap.com

Standard Roles

Role Description

SAP_EHSM_MASTER Master PFCG role for all incident management, risk assessment and product safety and stewardship functionality. This role is intended for use as a copy template for the menu structures of the end user roles that are currently assigned.

SAP_EHSM_PROCESS_ADMIN End user role for the person who is technically responsible for the workflow-based processes of EHS Management. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

This role can receive workflow items.

SAP_EHSM_HSS_BW_ANALYTICS End user role for the person who analyzes incidents and risk assessments, as well as the executed processes. This role contains the navigation point Analytical Reports that includes the report launchpad for the health and safety work area with access to all dashboards and queries.

For this role, a SAP Business Warehouse (BW) system with BI Content for SAP EHS Management must be installed.

SAP_EHSM_FND_WF_BI_EXTR System user role for the extraction of BI data. This role contains the authorization profiles needed to extract the workflow data for workflow reporting in BI.

SAP_EHSM_FND_WF_PERMISSION System user role for the Workflow Engine. This role contains the additional authorization profiles needed to process the workflows in the background.

The users who process the workflows in the background should, in addition to the SAP_EHSM_FND_WF_PERMISSION role, be assigned the SAP_BC_BMT_WFM_SERV_USER role.

For processing incident management workflows, the users should also receive the same authorizations as the SAP_EHSM_HSS_INCIDENT_MANAGER role.

For processing risk assessment workflows, the users should also receive the same authorizations as the SAP_EHSM_HSS_ENVMGR, SAP_EHSM_HSS_HYGIENIST, and SAP_EHSM_HSS_SAFEMGR.

For processing environmental management workflows, the users should also receive the same authorizations as the SAP_EHSM_HSS_ENVMGR,

For processing product compliance workflows, the users should also receive the same authorizations as the roles SAP_EHSM_PRC_COMPL_ENG, SAP_EHSM_PRC_COMPONENT_ENG, and SAP_EHSM_PRC_BASMAT_SPEC.

Security Guide for SAP EHS ManagementAuthorizations C U S T O M E R 17

Role Description

SAP_EHSM_HSS_EML_REC System user role for the e-mail recipient. This role contains the authorization profiles needed to receive and process e-mails.

SAP_EHSM_FND_MIGRATION End user role for the migration. You use this role to access the Legacy System Migration Workbench. Depending on the content you want to migrate, you still need to configure and assign the corresponding business role (including the profiles).

For example, to access the incident business object and migrate the incident content, you also need the SAP_EHSM_HSS_INCIDENT_MANAGER role assigned (along with the corresponding profiles).

NoteTo restrict access to data for users who execute analytical reports (BI Content), proceed as follows:

1. Flag the necessary InfoObjects as being authorization–relevant.2. Adjust the queries.3. Define the necessary analysis authorizations.4. Assign the authorizations to users.

For more information, see the Security Guide for SAP NetWeaver BI.

5.3.1 Scenario Health and Safety

The roles in the tables below are relevant for managing incident, managing EHS risk, and managing chemicals for health and safety processes.

Standard Roles for Managing Incidents

Role Description

SAP_EHSM_HSS_INCIDENT_MANAGER / End user role for the incident manager. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.


SAP_EHSM_HSS_INCIDENT_REPORTER / End user role for the incident reporter. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.


Authorizations

Role Description

SAP_EHSM_HSS_INCIDENT_NOTIFIED / End user role for a person who is notified during the processing of an incident. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.


SAP_EHSM_HSS_INCIDENT_ESH_EXTR System user role for the Embedded Search extraction. This role contains the authorization profiles needed to extract the BO incident for the Embedded Search.

SAP_EHSM_HSS_INCIDENT_BI_EXTR System user role for the BI extraction. This role contains the authorization profiles needed to extract the BO incident for incident reporting in BI.

SAP_EHS_INC_REPORINCIDENT_APP System user role for the users of the app Report Incident. This role contains authorization proposals needed to use the app Report Incident.

Standard Roles for Managing EHS Risks

Role Description

SAP_EHSM_HSS_ENVMGR End user role for the environmental manager. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

SAP_EHSM_HSS_HYGIENIST End user role for the industrial hygienist. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

SAP_EHSM_HSS_SAFEMGR End user role for the safety manager. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

SAP_EHSM_HSS_LINEMGR End user role for the line manager. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

SAP_EHSM_HSS_RAS_BI_EXTR System user role for the BI extraction. This role contains the authorization profiles needed to extract the risk assessment data for risk assessment reporting in BI.

SAP_EHSM_HSS_HSMGRCORP End user role for the corporate health and safety manager. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

SAP_EHSM_HSS_SMPLTECH End user role for the sampling technician. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.


Standard Roles for Managing Chemicals

Role Description

SAP_EHSM_HSS_HAZSUBMGR End user role for the hazardous substance manager. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

For further details see role documentation.

SAP_EHSM_HSS_CHEMAPPR End user role for the chemical approver. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.


SAP_EHSM_HSS_SDSCLERK End user role for the safety datasheet clerk. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.


SAP_EHSM_HSS_CHEMREQ End user role for the chemical requestor. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.


5.3.2 Scenario Environment Management

In the environment management component, for the automatic data collection to be set up, an RFC connection has to be configured in the source system to use the EM-BATCH user for system access. In the target system, the user EM-BATCH should be used for running the automatic data collection process. The EM-BATCH user should have the SAP_BC_BMT_WFM_SERV_USER role with Execution activity authorizations for the S_RFC authorization object.

Additionally, the EM-BATCH user should have Maintain activity authorizations for the EHENV_SCEN authorization object for the relevant locations to be able to store the collected data in the target system. These authorizations can be configured in a Z-role derived from the SAP_EHSM_HSS_ENVMGR master role.

The standard system is delivered with a restriction on the number of imported data records with their corresponding number of external source tags per single run of the automatic data import. If you try to import more than 1.000.000 data records with up to 1.000 external source tags in a single run of the automatic import, the system will stop the import with a warning message.

The roles in the table below are relevant for managing emissions.


Authorizations

Standard Roles for Managing Emissions

Role Description

SAP_EHSM_HSS_ENVMGR End user role for the environmental manager. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

SAP_EHSM_ENV_TECHNICIAN End user role for the environmental technician. This role assigns the menu structure in NWBC to the end user and the necessary authorizations in the ERP system.

5.3.3 Scenario Product Compliance

The roles in the table below are relevant for managing product compliance.

Standard Roles for Managing Product Compliance

Role Description

SAP_EHSM_ADMINISTRATOR Administrator role for the person who monitors changes in master data for product compliance, compliance objects, and the application log. This person also corrects data issues, enters data for customers and suppliers, and manually imports incoming documents either from the front-end system or from an application server.

SAP_EHSM_PRC_COMPL_CONSUMER End user role for the compliance consumer. This role can be adapted for use as four different sub-roles: purchasing agent, sales and services representative, mechanical engineer, and electrical engineer. This user role is responsible for maintaining awareness of regulations and compliance requirements and, depending on the purpose, can be responsible for maintaining product knowledge and data, configuring customer orders, scheduling service requests, research, and evaluating product data, or designing, testing and analysis of components.

SAP_EHSM_PRC_COMPL_MGR End user role for the compliance manager. This user role monitors compliance-related programs for product lines, and defines policies and procedures for other departments to ensure compliance. The compliance manager approves the manufacturing processes and equipment that will be used in production, and supervises design compliance.

SAP_EHSM_PRC_COMPL_ENG End user role for the compliance engineer. This user role monitors daily operations that contribute to ensuring compliance. The compliance engineer is responsible for the company compliance data set. He or she maintains compliance data in cooperation with the engineering teams, and cooperates with the compliance manager for up-to-date information about regulations. This role is involved in material-based and component-based engineering changes and new product reviews.


Role Description

SAP_EHSM_PRC_COMPONENT_ENG End user role for the component engineer. This user role selects and works with electrical or other components to be incorporated into future products, and handles management and documentation of purchased components. The component engineer approves parts obtained externally, works closely with vendors, and ensures compliance by following the established procedures and policies.

SAP_EHSM_PRC_BASMAT_SPEC End user role for the basic material specialist. This user role is responsible for the selection of appropriate materials and surfaces for design parts, and approves their release for use. The basic material specialist decides the specific application of materials and surfaces, and maintains the material database.

SAP_EHSM_PRC_BW_ANALYTICS End user role for the person who analyzes product safety and stewardship assessments, as well as the executed processes. This role contains the navigation point Analytical Reports that includes the report launchpad for the product safety and stewardship work area with access to all dashboards and queries.

For this role, a SAP Business Warehouse (BW) system with BI Content for SAP EHS Management must be installed.

SAP_EHSM_PRC_AUTO_CHANGE_PROC System user role for the automated change processing. This role contains the authorization profiles needed to determine compliance information that is affected by a relevant change and executing the worklist of pending compliance information.

SAP_EHSM_PRC_REG_CHG_WLIST_PRO System user role necessary for background processing of PRC Regulatory Change Worklist Generation (program R_EHPRC_WL_REGCHG_GENERATE) and PRC Regulatory Change Worklist Post Processing (program R_EHPRC_WL_REGCHG_POST_PROC).

SAP_EHSM_PRC_SUPPL_CHNG_PROC This role contains as a suggestion all relevant authorization data necessary for background processing of PRC Supplier Change Processing.

Supplier Change Monitor

The program R_EHPRC_PBB_SUPPL_CHNG_MON is executed in background processing in order to monitor changes in supplier to material assignment and to start the workflow 'Decide and Prepare for Assessment' if necessary.

SAP_BCV_USER System user role for the display of Business Context Viewer (BCV). This role contains the authorization profiles and menus needed to display a BCV side panel and the BCV configuration.

SAP_BCV_ADMIN System user role for the administration of Business Context Viewer (BCV). This role contains the authorization profiles and menus needed to administrate the BCV configuration.


Authorizations

Role Description

SAP_EHSM_PRC_BI_EXTR System user role for the BI extraction. This role contains the authorization profiles needed to extract the compliance data for Product and Stewardship reporting in BI.

SAP_EHSM_PRC_EML_REC System user role for the e-mail recipient. This role contains the authorization profiles needed to receive and process e-mails.

5.4 Standard Authorization Objects

The tables below show the security-relevant authorization objects that are used by SAP EHS Management.

Standard Authorization Objects

Authorization Object Field Value Description

EHFND_CHDC (Change Document)

ACTVT 03 (Display) Activity

BO_NAME EHFND_LOCATION (Location)

EHHSS_INCIDENT (Incident)

EHHSS_INCIDENT_ACTION (Incident Action)

EHHSS_RISK_ASSESSMENT (Risk Assessment)

EHHSS_RAS_ACTION (Risk Assessment Action)

EHHSS_RISK (Risk)

EHHSS_AGENT (Agent)

EHHSS_JOB (Job)

EHFND_DATA_AMOUNT (Amount)

EHFND_DATA_SERIES (Data Series)

EHFND_CHEMICAL (Chemical)

Business Object Name



EHFND_LOC

(Location)

ACTVT 01 (Create or generate)

02 (Change)

03 (Display)

06 (Delete)

A3 (Change status)

Activity

LOCAUTHGRP Location Authorization Group

LOCBUSAREA Business Area

LOCCOMP Company Code

LOCCOST Cost Center

LOCPLANT Plant ID

LOCSTATUS 01 (New)

02 (Active)

03 (Inactive)

04 (Historic)

Location Status

LOCTYPE Location Type

EHFND_DCTR

(Default Controls)


02 (Change)

03 (Display)

06 (Delete)

Activity

S_PB_CHIP

(Chips for side panel)


02 (Change)

03 (Display)

06 (Delete)

16 (Execute)

Activity

(03 and 16 are needed for displaying the information in the side panel)


Authorizations


CHIP_NAME X-SAP-WDY-CHIP:EHFNDWDCHIP_LOC_STRUCT

X-SAP-WDY-CHIP:EHHSSWDCHIP_ASSWRKF_LOC_LIST

X-SAP-WDY-CHIP:EHHSSWDCHIP_INC_LOC_LIST

X-SAP-WDY-CHIP:EHHSSWDCHIP_RSK_LOC_LIST

X-SAP-WDY-CHIP:EHHSSWDCHIP_RSK_LOC

X-SAP-WDY-CHIP:EHHSSUCWCHP_ASSWRKF

X-SAP-WDY-CHIP:EHHSSUCWCHP_INC_LOC

X-SAP-WDY-CHIP:EHHSSUCWCHP_APPRCHEM

X-SAP-WDY-CHIP:EHFNDUCWCHP_EASYWORKLIST

X-SAP-WDY-CHIP:EHFNDUCWCHP_LAUNCHPAD

X-SAP-WDY-CHIP:FND_UI_CHM_SAFETY_INSTR_CHIP

X-SAP-WDY-CHIP:BSSP_SW_FEEDS

X-SAP-WDY-CHIP:BSSP_SW_ACTIVITIES

X-SAP-WDY-CHIP:BSSP_NOTES

X-SAP-WDY-CHIP: EHFND_UI_CHM_OVP_ALOC_VB_CHIP

X-SAP-WDY-CHIP: EHFND_UI_CHM_OVP_APPR_LOC_CHIPX-SAP-WDY-CHIP: EHFND_UI_CHM_SAFETY_INSTR_CHIPX-SAP-WDY-CHIP: EHHSSUCWCHP_SPLCP

Web Dynpro ABAP: CHIP ID



X-SAP-WDY-CHIP: EHHSSUCWCHP_SPLCP_HEATMAP

X-SAP-WDY-CHIP:EHHSSUCWCHP_SPLPH

S_PB_PAGE

(Configuration for side panel and home pages)


02 (Change)

03 (Display)

06 (Delete)

Activity

CONFIG_ID EHFND_LOC_OIF_SIDE_PANEL

EHFND_CHM_SIDE_PANEL

EHHSS_HAZSUBMGR_HOMEPAGE

EHHSS_HYGIENIST_HOMEPAGE

EHHSS_INC_MANAGER _HOMEPAGE

EHHSS_HSMGRCORP_HOMEPAGE

EHHSS_SMPLTECH_HOMEPAGE

Configuration Identification

PERS_SCOPE 0 (No Personalization

1 (User))

2 (View Handle)

4 (All)

5 (Configuration)

Web Dynpro: Personalization

EHFND_DTS

(Data Series)


02 (Change)

03 (Display)

06 (Delete)

Activity





Authorizations


LOCPLANT Plant ID

LOCSTATUS 01 (New)

02 (Active)

03 (Inactive)

04 (Historic)

Location Status


EHFND_WFT (Workflow Tools)

ACTVT 16 (Execute) Activity

TCD All transactions of workflow tools

Transaction Code

EHFND_WFF (Workflow and Processes)

EHSM_COMP HSS (Health and Safety) Component of EHS Management

PURPOSE Process Purpose (see Customizing activity Specify Process Definitions)

Process Purpose

EHSM_PVAR Process Variant (see Customizing activity Specify Process Definitions)

Name of Process Variant

EHSM_PCACT CANCELPROC (Cancel Process)

Activity of Task or Process

EHFND_EXPP

(Export Profile)

ACTVT 01 (Create, Generate) Activity

EHFND_EXPP Configured Export Profile

EHFND_CHM

(Chemical)


02 (Change)

03 (Display)

06 (Delete)

Activity

EHFND_REGL

(Regulatory List Content)


02 (Change)

03 (Display)

06 (Delete)

Activity

The following table contains authorization objects that are relevant for SAP EHS Management if you integrate the system with other SAP components.


Authorization Objects for Integration

Authorization Object General Settings Further Information

P_ORGIN

(HR: Master data)

Display authorizations are required for specific infotypes.

See Customizing for SAP EHS

Management under Foundation for

EHS Management Integration

Human Resources Integration Check

Authorizations for Person Information

P_ORGXX

(HR: Master data - extended check)

Activation of the check by this authorization object is required. P_ORGXX can be used in addition to or instead of the check by the authorization object HR: Master Data.

P_APPL

(HR: Applicants)

Display authorizations are required for specific infotypes.

B_BUPA_RLT

(Business partner: BP roles)

Authorizations are required for the following BP roles:

CBIH10 - External person

HEA010 - Physician

HEA030 - Health center (hospital)

B_BUPA_FDG

(Business partner: field groups)

Special authorization check for individual field groups in the business partner dialog box.

5.4.1 Scenario Health and Safety

The authorization objects in the tables below are relevant for managing incident, managing EHS risk, and managing chemicals for health and safety processes.


Authorizations

Authorization Objects for Incident Management


EHHSS_INC1 (Incident) ACCESS_LEV 000 (Basic Information / Standard Data)

001 (Person Involved Access)

002 (Injury / Illness Access)

003 (Confidential Access)

004 (Date of Birth Access)

Incident Access Level

For more information about creating and assigning access levels to tabs, see the Customizing activities under

SAP EHS Management

Incident Management

General Information :

Create Incident Access Levels

Assign Access Levels to Tabs


02 (Change)

03 (Display)

06 (Delete)

60 (Import)

C5 (Reopen)

Activity

Note that activity Reopen has been added with version 2.0. If you have already used this authorization object in version 1.0, you may want to update your roles with this additional activity.

INC_CATEG 001 (Incident)

002 (Near Miss)

003 (Safety Observation)

Incident Category

INC_STATUS ' '

00 (Void)

01 (New)

02 (In Progress)

03 (Closed)

04 (Re-opened)

Incident Record Status

ORGUNIT_ID Organizational Unit ID

PLANT_ID Plant ID

EHHSS_INC2 (Incident Report)


02 (Change)

03 (Display)

06 (Delete)

Activity

FORM_NAME All forms for reporting Form Name



ORGUNIT_ID Organizational Unit ID

PLANT_ID Plant ID

EHHSS_INC3 (Incident Group)

ACTVT 02 (Change)

03 (Display)

06 (Delete)

Activity

NM_GROUP EHHSS_NMG_UNS_ACTION (Unsafe action)

EHHSS_NMG_UNS_COND (Unsafe condition)

EHHSS_NMG_UNS_EQU (Unsafe equipment)

EHHSS_NMG_UNS_USE_EQU (Unsafe use of equipment)

Near Miss Group

SO_GROUP EHHSS_SOG_DOC_PROC_NF (Documented procedure not followed)

EHHSS_SOG_FAIL_USE_PE (Failure to use personal protective equipment)

EHHSS_SOG_HORSEPLAY (Horseplay)

EHHSS_SOG_UNS_LIF_CAR (Unsafe lifting or carrying)

EHHSS_SOG_UNS_USE_ETV (Unsafe use of equipment, tool or vehicle)

EHHSS_SOG_UNS_USE_MAT (Unsafe use of material)

EHHSS_SOG_USE_DEF_ETV (Use of defective equipment, tool or vehicle)

EHHSS_SOG_USE_DEF_MAT (Use of defective material)

Safety Observation Group


Authorizations


INC_GROUP EHHSS_IGR_DEVIATION (Deviation)

EHHSS_IGR_NOT_OF_VIOL (Notice of Violation)

EHHSS_IGR_OCC_INC (Injury/Illness)

EHHSS_IGR_RELEASE (Release)

Incident Group

INC_NO_GRP 001 (Incident)

002 (Near miss)

00w3 (Safety observation)

Incident Category

EHHSS_INC5 (Incident by Location)


02 (Change)

03 (Display)

06 (Delete)

Activity

LOCTYPE Business Unit

Equipment

Production Unit

Site

Work Center

Location Type

LOCSTATUS 01 (New)

02 (Active)

03 (Inactive)

04 (Historic)

Location Status

LOCAUTHGRP Unrestricted Access Location Authorization Group

LOCPLANT Plant ID

LOCCOST Cost Center



LOCCOUNTRY Country

LOCREGION Region



EHHSS_CLR (Allowance to Change Limits for Analytic Reports)

ACTVT 16 (Execute) The execute authorization is required to be able to maintain limits for analytical reporting. Only those users who have this authorization have an entry in the report launchpad that allows users to maintain the limits.

S_TABU_DIS DICBERCL EHMI (Incident)

EHMF (Foundation)

Authorization Group

ACTVT Activity

S_PROGRAM P_GROUP EHINCXML (XML reports)

EHFNDPRG (Foundation program authorization)

EHFNDWFT(Workflow tools)

EHHSSINC (Incident management)

Authorization group ABAP/4 program

P_ACTION SUBMIT User action ABAP/4 program

Authorization Objects for Risk Assessment


EHHSS_AGT

(Agent)


02 (Change)

03 (Display)

06 (Delete)

Activity

EHFND_CTRL

(Control Master Data)


02 (Change)

03 (Display)

06 (Delete)

Activity

EHFND_DSC

(Dynamic Statement Creation in Control Master Data)

EHFND_DSCC DSC_MAPPING_021 Dynamic Statement Creation enabled fields

EHHSS_JOB

(Job)


02 (Change)

03 (Display)

06 (Delete)

Activity


Authorizations


EHHSS_PEP

(Personal Exposure Profile)


PERSA Personnel Area

BTRTL Personnel Subarea

EHHSS_RAS

(Risk Assessment, Risks, Controls on Risks and Control Inspections)


02 (Change)

03 (Display)

06 (Delete)

A8 (Process mass data)

Activity

RAS_TYPE EHHSS_RAT_ENV (Environment)

EHHSS_RAT_HEA (Health)

EHHSS_RAT_JHA (Job Hazard Analysis)

EHHSS_RAT_SAF (Safety)

Risk Assessment Type


LOCPLANT Plant ID

LOCCOST Cost Center



EHHSS_RASP

(Proposal of Health Surveillance Protocol in Risk Assessment)

ACTVT 01 Create or generate

02 Change

03 Display

06 Delete

Activity

HSP_TYPE Health Surveillance Protocol Type

EHHSS_HSP

(Health Surveillance Protocol Master Data)


02 Change

03 Display

06 Delete

Activity

HSP_TYPE Health Surveillance Protocol Type

COUNTRY Country Key

REGIO Region (State, Province, County)



S_TABU_DIS DICBERCL EHMR (Risk Assessment) Authorization Group

S_PROGRAM P_GROUP EHFNDPRG (Foundation program authorization)

EHFNDWFT (Workflow tools)

EHHSSRAS (Risk Assessment)



Authorization Objects for Chemicals for Health and Safety Processes


EHFND_CHM

(Chemical)


02 (Change)

03 (Display)

06 (Delete)

Activity

EHFND_CHA

(Chemical Approval)


02 (Change)

03 (Display)

06 (Delete)

Activity

EHFND_DCTR

(Default Controls)


02 (Change)

03 (Display)

06 (Delete)

Activity


Authorizations


EHFND_DSC

(Dynamic Statement Creation)

EHFND_DSCC DSC_MAPPING_000

DSC_MAPPING_001

DSC_MAPPING_002

DSC_MAPPING_003

DSC_MAPPING_004

DSC_MAPPING_005

DSC_MAPPING_006

DSC_MAPPING_007

DSC_MAPPING_008

DSC_MAPPING_009

DSC_MAPPING_010

DSC_MAPPING_011

DSC_MAPPING_012

DSC_MAPPING_013

DSC_MAPPING_014

DSC_MAPPING_015

DSC_MAPPING_016

DSC_MAPPING_017

DSC_MAPPING_018

DSC_MAPPING_019

DSC_MAPPING_020

DSC_MAPPING_021

EHFND_DSC

(Dynamic Statement Creation)

EHFND_RCH

(Request Chemical)


02 (Change)

03 (Display)

06 (Delete)

Activity

(01 and 02 are needed for using the service “request chemical approval”

EHFND_VEN

(Vendor)


02 (Change)

03 (Display)

06 (Delete)

Activity



EHHSS_SI

(Safety Instruction)


02 (Change)

03 (Display)

06 (Delete)

Activity

EHFND_SPL

(Sample Management)

ACTVT 03 (Display)

16 (Execute)

23 (Maintain)

Activity

EHSM_COMP Component of EHS Management


LOCPLANT Plant ID

LOCCOST Cost Center



EHFND_SPLM

(Sampling Method)


02 (Change)

03 (Display)

06 (Delete)

Activity

S_TABU_DIS DICBERCL EHMR (Risk Assessment) Authorization Group

S_PROGRAM P_GROUP EHFNDPRG (Foundation program authorization)

EHFNDWFT (Workflow tools)

EHHSSRAS (Risk Assessment)



In addition to the authorization objects in the table above, the standard authorization objects under 5.4 are also relevant for managing chemicals for health and safety processes.

5.4.2 Scenario Environment Management

The authorization objects in the table below are relevant for managing emissions.


Authorizations

Authorization Objects for Environment Management


EHFND_REQ ACTVT 03 (Display)

23 (Maintain)

Activity

REQDOMAIN Compliance Requirement Domain

LOCCOUNTRY Country

LOCREGION Region

EHENV_SCEN ACTVT 03 (Display)23 (Maintain)

76 (Enter)

Activity


LOCSTATUS Location Status


LOCPLANT Plant ID

LOCCOST Cost Center



LOCCOUNTRY Country

LOCREGION Region

S_PB_CHIP CHIP_NAME X-SAP-WDY-CHIP:EHENV_CHIP_ENTER_VALUES

X-SAP-WDY-CHIP:EHENVUCWCHP_ISSUESWORKLIST


5.4.3 Scenario Product Compliance

The authorization objects in the table below are relevant for managing product compliance.


Authorization Objects for Product Compliance


EHPRC_CMWL (Compliance Management Worklist (CMWL))


02 (Change)

03 (Display)

06 (Delete)

Activity

WL_CAT REG_CHG (Follow-Up Regulatory Change)

Worklist Category

EHPRC_CPM (RCS: Campaign Usage)


02 (Change)

03 (Display)

Activity

EHPRC_OLM1 (RCS: Object List Usage)


02 (Change)

03 (Display)

Activity

EHPRC_OLGR See IMG activity Specify Object List Groups under SAP EHS Management -> Product Compliance -> General Configuration

Object List Group

EHPRC_CDO: RCS: Authorization Object for Compliance Object


02 Change

03 Display

06 Delete

Activity

REQ Compliance Requirement (Check)

REV_STATUS Compliance Data Revision Status

CDCATEGORY Compliance Data Category

S_PB_CHIP

(ABAP Page Builder: CHIP)

ACTVT 03 (Display)

16 (Execute)

Activity

Needed for displaying information on the side panel

CHIP_NAME X-SAP-WDY-CHIP:/BCV/CHIP*

X-SAP-WDY-CHIP:EHPRC_CW_BCV_CHIP1

EHPRCWDCHIP_SPBN



Authorizations


S_PB_PAGE

(ABAP Page Builder: Page Configuration)



CONFIG_ID /BCV/SIDEPANEL Configuration Identification

PERS_SCOPE 1 (User)) Web Dynpro: Personalization

BCV_SPANEL

(Execute Side Panel)

ACTVT 16 (Execute) Activity


BCV_CTXKEY EHPRC_COMPL_DATA Context Key

BCV_USAGE

(Business Context Viewer usage)

ACTVT US (Use) Activity


BCV_QRYVW

(Query View)




BCV_QRYVID ID of Query View

BCV_QUERY

(Query)




BCV_QRY_ID Query ID

BCV_QUILST

(Overview)




BCV_QUIKID ID of Overview

5.5 Critical Combinations

The EHFND_WFT authorization object activates buttons in the BI dashboard Process Dashboard that start an object-based navigation to the workflow tools. The navigation targets are only delivered with the standard role SAP_EHSM_PROCESS_ADMIN. In consequence, this authorization shall not be assigned to any users apart from those who are assigned the SAP_EHS_PROCESS_ADMIN role.


5.6 Creating Custom Roles

The SAP EHS Management roles that are delivered contain specific configuration such as object-based navigation (OBN). In consequence, customizing these roles has a certain level of complexity. Custom roles can easily be created as follows without losing their specific configuration:

1. Create your custom PFCG role.2. Copy the menu structure from the SAP_EHSM_MASTER role or the others that are delivered.3. Generate the authorization profile.4. Assign the custom role to end users.


Authorizations

6 Session Security Protection

6.1 Introduction

To increase security and prevent access to the SAP logon ticket and security session cookie(s), we recommend activating secure session management.

We also highly recommend using SSL to protect the network communications where these security-relevant cookies are transferred.

6.2 Session Security Protection on the AS ABAP

To activate session security on the AS ABAP, set the corresponding profile parameters and to activate the session security for the client(s) using the transaction SICF_SESSIONS.

For more information, a list of the relevant profile parameters, and detailed instructions, see http://help.sap.com under SAP Business Suite Special Topics HTTP Session Security Protection Activating HTTP Security Session Management on AS ABAP [SAP Library] in the AS ABAP security documentation.

6.3 Session Security Protection on the AS Java

On the AS Java, set the HTTP Provider properties as described here: http://help.sap.com under TechnologyAdministration Application management Web Container HTTP Provider Service .

Security Guide for SAP EHS ManagementSession Security Protection C U S T O M E R 41

http://help.sap.com

http://help.sap.com

7 Network and Communication Security

7.1 Introduction

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system level and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for SAP EHS Management is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to SAP EHS Management. Details that specifically apply to SAP EHS Management are described in the following topics:

● Communication Channel SecurityThis topic describes the communication paths and protocols used by SAP EHS Management.

● Network SecurityThis topic describes the recommended network topology for SAP EHS Management. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate the <scenario, component, application>.

● Communication DestinationsThis topic describes the information needed for the various communication paths, for example, which users are used for which communications.

For more information, see the following sections in the SAP NetWeaver Security Guide:

● Network and Communication Security [SAP Library]● Security Guides for Connectivity and Interoperability Technologies [SAP Library]

7.2 Communication Channel Security

The table below shows the communication channels used by SAP EHS Management the protocol used for the connection and the type of data transferred.

42 C U S T O M E RSecurity Guide for SAP EHS ManagementNetwork and Communication Security

http://help.sap.com/saphelp_nwmobile71/helpdata/en/41/798f0b1a361036e10000000a114cbd/frameset.htm

http://help.sap.com/saphelp_snc700_ehp01/helpdata/en/4a/6d81b7c952619fe10000000a421937/frameset.htm

Communication Data Paths and Protocols

Communication Path Protocol Used Type of Data Transferred Data Requiring Special Protection

NetWeaver Business Client to SAP EHS Management application server

RFC PFCG Roles including their menu structure

NetWeaver Business Client to SAP EHS Management application server

HTTPS User Interfaces in Web Dynpro ABAP, POWL, Report Launchpad

Web Browser to SAP EHS Management application server

HTTPS User Interfaces in Web Dynpro ABAP, POWL, Report Launchpad

Web Browser to SAP EHS Management application server if SAP GUI for HTML is used

HTTPS Transactions of SAP EHS Management Workflow Tools

Frontend client using SAP GUI for Windows in NetWeaver Business Client to SAP EHS Management application server

DIAG Transactions of SAP EHS Management Workflow Tools

NetWeaver Business Client to BI System

HTTPS BI queries

Web Browser to BI System HTTPS BI queries

Adobe Flash Player to BI system

HTTPS BI dashboards

Forms Processing uses Adobe Document Service

HTTPS to Adobe Document Service

XML content of the forms Standard ADS setup required

E-mail Inbound Handling SMTP Inbound e-mail with interactive form as attachment

Standard setup for inbound e-mail

E-mail Outbound Processing (Standard Business Communication Service [BCS] used)

Outbound e-mail with interactive form as attachment

Standard setup for BCS

RFC Connection to IMDS System

RFC IMDS Data, MDS Files, Request Files, result Files

SAP Product Stewardship Network – integration of an on demand solution for product compliance

Web Service Consumption based on SOAP

Compliance data from SAP Product Stewardship Network

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. SOAP connections are protected with Web services security.

RecommendationWe strongly recommend using secure protocols (SSL, SNC) whenever possible.

Security Guide for SAP EHS ManagementNetwork and Communication Security C U S T O M E R 43

Caution1. We recommend using the same protocol – either HTTP or HTTPS – consistently in all communication

channels. This means all the deployed objects have to be configured in exactly the same way regarding HTTP(S) throughout. This is done especially to avoid problems caused by JavaScript-based communication between the single layers.

2. We strongly recommend using the protocol HTTPS instead of HTTP on the communication channels to protect the transferred data against unauthorized access.

3. We strongly recommend activating Secure Network Communication (SNC) for the non-HTTP communication channels to protect the transferred data against unauthorized access.

For more information, see Transport Layer Security and Web Services Security in the SAP NetWeaver Security Guide on SAP Help Portal at http://help.sap.com/nw.

7.2.1 Secure Offline Communication with SAP Interactive Forms by Adobe

The inquiry forms used in incident management can contain sensitive and confidential data. These forms are sent via e-mail, for example, to an external party (such as a doctor or expert) that is unknown within the system and has no system account. To protect this data from unauthorized users, encryption becomes necessary. The data to be encrypted is the e-mail text, the PDF data, or both.

If you do not already use an encryption function, you can configure SAPconnect to send e-mails via a secure e-mail gateway application that is capable of encrypting outbound and inbound e-mails. For more information, see SAP Help Portal for SAP NetWeaver under SAP NetWeaver 7.0 (2004s) SAP NetWeaver Library Administrator’s Guide Technical Operations Manual for SAP NetWeaver Administration of SAP NetWeaver Systems AS ABAP (Application Server for ABAP) Administration SAPconnect Communication Interface . Note that in SAPconnect Communication Interface under More Information, you can find general information about SAPconnect.

SAP EHS Management is not delivered with third-party components.

7.3 Network Security

SAP EHS Management is designed to run in the LAN network segment by default. Running SAP EHS Management in multiple network segments is supported with the options provided by SAP NetWeaver AS ABAP and SAP NetWeaver AS Java.

SAP EHS Management strictly uses the default services and ports of SAP NetWeaver AS ABAP and SAP NetWeaver AS Java for the communication channels. For more information about the services and ports used by SAP NetWeaver, see the topics in the SAP Help Portal under Technology → SAP NetWeaver Platform → 7.0 EHP3 in the SAP NetWeaver Security Guide.


http://help.sap.com/nw

http://help.sap.com/netweaver

http://help.sap.com/nw_platform

http://help.sap.com/nw703

SAP EHS Management requires the Adobe Document Service (ADS) and e-mail processing. There are no further requirements for the default setup.

7.4 Ports

SAP EHS Management runs on SAP NetWeaver and uses the ports from the AS ABAP or AS Java. For more information, see SAP Help Portal, the topics under SAP NetWeaver Platform→7.0 EHP3for AS ABAP Ports [SAP Library] and AS Java Ports [SAP Library] in the corresponding SAP NetWeaver Security Guides. For other components, for example, SAPinst, SAProuter, or the SAP Web Dispatcher, see also the document TCP/IP Ports Used by SAP Applications, which is located on SAP Developer Network at http://scn.sap.com/community/security

under Infrastructure Security Network and Communications Security .

7.5 Communication Destinations

The table below shows an overview of the communication destinations used by SAP EHS Management.

Connection Destinations

Destination Delivered Type User, Authorizations Description

<HR system> No RFC HR authorizations of all standard SAP EHS Management user roles

Connection to HR client

<PM system> No RFC PM authorizations of all standard SAP EHS Management user roles

Connection to PM client

<CS system> No RFC CS authorizations of all standard SAP EHS Management user roles

Connection to CS client

<QM system> No RFC QM authorizations of all standard SAP EHS Management user roles

Connection to QM client

<BuPa system> No RFC BuPa authorizations of all standard SAP EHS Management user roles

Connection to business partner client

<AC system> No RFC AC authorizations of all standard SAP EHS Management user roles

Connection to AC client

<GRC system> No RFC SAP EHS Management does not provide GRC authorizations

Connection to GRC client

Security Guide for SAP EHS ManagementNetwork and Communication Security C U S T O M E R 45

http://help.sap.com/nw_platform


https://help.sap.com/





Destination Delivered Type User, Authorizations Description

<MOC system> No RFC

(3, H)

SAP EHS Management does not provide MOC authorizations

Connection to MOC client

(ABAP/3- and HTTP/H-Connection)

<EHS system> No RFC SAP EHS Management provides authorization proposals for Occupational Health in SAP EHS Management as part of SAP ERP.

Connection to client for SAP EHS Management as part of SAP ERP

For more information about GRC authorizations, see the SAP BusinessObjects Governance, Risk, and Compliance (GRC) Security Guide.

For detailed information about communication destinations, see Customizing for SAP EHS Management under Foundation for EHS Management Integration Specify Destinations for Integration .

For communication details, see also the SAP Interactive Forms Solution Security Guides and the standard setup of SAP Business Workflow.


8 Internet Communication Framework Security for Health and Safety

You should only activate those services that are needed for the applications running in your system.

Use the transaction SICF to activate these services.

● For the services that are relevant for the back-end system of Component extension 6.0 for SAP Environment, Health, and Safety Management, see the SAP Note 2133413 .

● For the services that are relevant for the front-end system of Component extension 6.0 for SAP Environment, Health, and Safety Management, activate the following UI5 services under /default_host/sap/bc/ui5_ui5/sap/:○ ehs_ctl_inspect (Inspect Safety Controls)○ ehs_safety_info (Retrieve Safety Information)○ repincidentsoh (Report Incident)

These apps are delivered with SAP Fiori 2.0 for SAP EHS Management.

If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings accordingly.

For more information, see Activating and Deactivating ICF Services in the SAP NetWeaver Library on SAP Help Portal at http://help.sap.com/nw75.

For more information about ICF security, see the RFC/ICF Security Guide in the SAP NetWeaver Library on SAP Help Portal at http://help.sap.com/nw75.

Security Guide for SAP EHS ManagementInternet Communication Framework Security for Health and Safety C U S T O M E R 47

http://help.sap.com/disclaimer?site=https://launchpad.support.sap.com/#/notes/2133413



9 Data Storage Security

SAP EHS Management does not store any data itself beyond the data that is stored by the infrastructure used on SAP NetWeaver Application Server ABAP and SAP NetWeaver Application Server Java.

The data storage security of SAP NetWeaver and components installed on that base is described in the SAP NetWeaver 7.0 Security Guide.

All business data in SAP EHS Management is stored in the system database. This business data is protected by the authorization concept of SAP NetWeaver and SAP EHS Management. In some special cases, business-relevant data is stored in another location such as a file system. The special cases are listed below:

Whitelists

Depending on the technology you are using, you may encounter security issues when trying to display links that are not explicitly added to the whitelist. For more information about defining whitelist entries, see the SAP NetWeaver documentation at help.sap.com → SAP NetWeaver Business Client 7 Security Aspects 7.8 Whitelist .

XML-Export Interface for Non-BW Analytics

The XML-Export Interface for non-BW Analytics exports XML data to the application server on the following logical directory/file name:

XML-Export Interface

Component Logical Directory/File Name

Incident Management EHHSS_BO_XML_EXPORT_PATH / EHHSS_INCIDENTS_XML

You can set the physical location using transaction FILE. The exported XML file can be downloaded from the application server. The directories used for the export on the application server and for the file download need to be protected against unauthorized third-party access, since the export file may contain person-related or otherwise confidential information.

Knowledge Management

SAP EHS Management uses standard SAP NetWeaver technology for uploading and downloading documents (such as Web Dynpro ABAP controls or Internet Communication Framework (ICF) services). These documents are checked into the defined storage system (content repository) using the Knowledge Provider (KPro).

For more information about security with regards to Knowledge Management, see SAP Knowledge Management Security Guides


Data Storage Security

http://help.sap.com

http://help.sap.com/saphelp_erp60_sp/helpdata/en/0c/790e408230c442e10000000a1550b0/frameset.htm

http://help.sap.com/saphelp_erp60_sp/helpdata/en/0c/790e408230c442e10000000a1550b0/frameset.htm

10 Data Protection

10.1 Introduction

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes the specific features and functions that SAP EHS Management provides to support compliance with the relevant legal requirements and data privacy.

NoteIn SAP EHS Management, you can enter any data in free text fields and you can upload attachment containing personal data. Free text fields are meant for entering comments, recommendation or any other business-related information. They are not meant to contain any personal data and, therefore, are not considered in any recording, logging, blocking, or deletion which can be performed for fields containing personal data.

This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.

NoteIn the majority of cases, compliance with data privacy laws is not a product feature. SAP software supports data privacy by providing security features and specific data-protection-relevant functions such as functions for the simplified blocking and deletion of personal data. SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.

10.2 Glossary

Relevant Terms for Data Protection and Privacy

Term Definition

Blocking A method of restricting access to data for which the primary business purpose has ended.

Security Guide for SAP EHS ManagementData Protection C U S T O M E R 49

Term Definition

Consent The action of the data subject confirming that the usage of his or her personal data shall be allowed for a given purpose. A consent functionality allows the storage of a consent record in relation to a specific purpose and shows if a data subject has granted, withdrawn, or denied consent.

Deletion The irreversible destruction of personal data.

End of purpose (EoP) A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization (for example, tax auditors).

Personal data Any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person

Purpose A legal, contractual, or in other form justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.

Residence period The period of time between the end of business and the end of purpose (EoP) for a data set during which the data remains in the database and can be used in case of subsequent processes related to the original purpose. At the end of the longest configured residence period, the data is blocked or deleted. The residence period is part of the overall retention period.

Retention period The period of time between the end of the last business activity involving a specific object (for example, a business partner) and the deletion of the corresponding data, subject to applicable laws. The retention period is a combination of the residence period and the blocking period.


Data Protection

Term Definition

Sensitive personal data A category of personal data that usually includes the following type of information:

● Special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation, or personal data concerning bank and credit accounts.

● Personal data subject to professional secrecy● Personal data relating to criminal or administrative of

fenses● Personal data concerning insurances and bank or credit

card accounts

Where-used check (WUC) A process designed to ensure data integrity in the case of potential blocking of business partner data. An application's where-used check (WUC) determines if there is any dependent data for a certain business partner in the database. If dependent data exists, this means the data is still required for business activities. Therefore, the blocking of business partners referenced in the data is prevented.

10.3 Technical and Organizational Measures to Ensure Data Protraction

Some basic requirements that support data protection are often referred to as technical and organizational measures (TOM). The following topics are related to data protection and require appropriate TOMs in the component extension 6.0 for SAP EHS Management:

● Access control: Authentication features as described in section User Administration and Authentication.● Authorizations: Authorization concept as described in section Authorizations● Communication security: as described in section Network and Communication Security● Availability controls as described in:

○ Section Data Storage Security○ SAP NetWeaver Database Administration documentation

○ SAP Business Continuity documentation in the SAP NetWeaver Application Help under Function-Oriented View Solution Life Cycle Management SAP Business Continuity

● Separation by purpose: Is subject to the organizational model implemented and must be applied as part of the authorization concept.


CautionThe extent to which data protection is ensured depends on secure system operation. Network security, security note implementation, adequate logging of system changes, and appropriate usage of the system are the basic technical requirements for compliance with data privacy legislation and other legislation.

10.4 Deletion of Personal Data

In the handling personal data, it is necessary to comply with general data protection regulation and industry-specific legislation in different countries. A typical requirement in certain countries and regulations is that personal data shall no longer be handled after the specified, explicit, and legitimate purpose of the processing of personal data has ended. Data that has reached its end of purpose (EoP) must be deleted if no other retention periods are specified in legislation, such as retention periods for occupational health documents. If there are legal requirements to retain personal data after the end of purpose, this data needs to be blocked. Blocked data is retained in the database, but only persons with special authorizations can view it.

To enable complex scenarios, SAP simplifies the existing deletion functionality to cover data objects that are personal data by default. For this purpose, SAP uses SAP Information Lifecycle Management (ILM) to help you set up a compliant information lifecycle management process in an efficient and flexible manner. The SAP Information Lifecycle Management component supports the entire software lifecycle, including the storage, retention, blocking, and deletion of data.

All applications register either an EoP check in the Customizing settings for the blocking and deletion of application data, such as the customer and vendor master or the business partner, or a where-used check (WUC). Component extension for SAP EHS Management delivers end of purpose (EoP) checks and uses SAP ILM to support the deletion of personal data as described in the following sections.

Application Objects and Available Deletion Functionality

The following tables list the relevant application objects and the available deletion functionality for Incident Management, Risk Assessment, and Environment Management.

For more information about application objects and deletion functionality in component extension for SAP EHS Management, see the product assistance on the SAP Help Portal at http://help.sap.com/ehs-com. Open the Application Help and go to:

● Incident Management Technical Solution Information Data Archiving in Incident Management

● Risk Assessment Technical Solution Information Data Archiving in Risk Assessment

● Environment Management Technical Solution Information Data Archiving in Environment Management

● Product Compliance Technical Information Data Archiving in Product Compliance


Data Protection


Application Objects and Available Deletion Functionality in Incident Management

Application Objects Provided Deletion Functionality

Incidents Archiving object EHHSS_INC

Incident Summary Reports Archiving object EHHSS_ISR

Application Objects and Available Deletion Functionality in Risk Assessment


Risk Revisions Archiving object EHHSS_RSV

Risks Archiving object EHHSS_RSK

Risk Assessments Archiving object EHHSS_RAS

Safety Instructions Archiving object EHHSS_SI

Control Evaluations Archiving object EHHSS_CEVL

Control Inspections Archiving object EHHSS_CINS

Control Replacements Archiving object EHHSS_CRPL

Sampling Campaigns Archiving object EHHSS_SPLC

Samplings Archiving object EHFND_SPLG

Chemical Approvals Archiving object EHFND_CHA

Assignment of Person to Locations Archiving object EHFND_LOCP

Assignment of Person to Jobs Archiving object EHFND_JOBP

Sampled Persons Data destruction object EHFND_SPLP

Application Objects and Available Deletion Functionality in Environment Management


Compliance Scenario Actions Archiving object EHENV_SAC

Application Objects and Available Deletion Functionality in Product Compliance


Worklists for compliance assessment Archiving object EHPRC_WLCA

Worklists for regulatory changes Archiving object EHPRC_WLRC

Intenational Material Data Sheets (IMDS) Archiving object EHPRC_MDS

Compliance data records Archiving object EHPRC_COD



Campaigns Archiving object EHPRC_CMP

E-mail assignments Archiving object EHPRC_PSA

Assessments and BOM transfers Archiving object EHPRC_PBB

Deletion Report and Job Dependencies

Product Compliance provides the deletion report R_EHPRC_DPP_CLEANUP which verifies if any CDOs that are marked as end of business are used in any composition or supplier listing. If this is the case, it changes the lifecycle status to active which prevents the CDO from being archived.

End of Purpose (EoP) Check

An end of purpose check determines whether data is still relevant for business activities based on the retention period defined for the data. The retention period of data consists of the following phases:

● Phase one: The relevant data is actively used.● Phase two: The relevant data is actively available in the system.● Phase three: The relevant data needs to be retained for other reasons.

The following end of purpose checks are available for component extension for SAP EHS Management:

End of Purpose Checks in Incident Management

Application End of Purpose Check Further Information

Incident Management (EHS_INC) EHHSS_INC_EOP_CHECK_BP The check determines whether the business partner is used in:

● Incidents● Tasks in incidents

End of Purpose Checks in Risk Assessment


Health and Safety (EHS_HS) EHHSS_HS_EOP_CHECK_BP The check determines whether the business partner is used in:

● Risk assessments● Tasks in risk assessments● Risks● Control inspections● Control evaluations● Control replacements


Data Protection


Health and Safety (EHS_HS_EXPOSURE)

EHHSS_EXP_EOP_CHECK_BP The check determines whether the business partner is assigned to:

● Job positions● Location positions● Samplings as sampled person

End of Purpose Checks in Environment Management


Environment Management (EHS_ENV) EHENV_EOP_CHECK_BP The check determines whether the business partner is used in tasks of category Action.

End of Purpose Checks in Product Compliance

Application Name End of Purpose Check Further Information

EHSM_PRC CL_EHPRC_CUSTOMER_EOP_CHECK The check determines whether the customer is used in campaigns.

CL_EHPRC_VENDOR_EOP_CHECK The check determines whether the supplier is used in:

● Campaigns● Supplier parts (CDOs)● Supplier responses

You register the application for an end of purpose check in Customizing under Cross-Application ComponentsData Protection Blocking and Unblocking of Data Business Partner Define and Store Application Names for EoP Check .

Configuration of Data Protection Functions

Certain central functions that support data protection compliance are grouped in Customizing for Cross-Application Components under Data Protection.

You configure the settings related to the blocking and deletion of business partner master data in Customizing under Cross-Application Components Data Protection Blocking and Unblocking of Data Business Partner .


10.5 Read Access Logging of Personal Data

Legislation requires logging of read and write access of person-related sensitive data.

You can use the Read Access Logging (RAL) component to monitor, to log, and to update read access to person-related sensitive data, and to provide information such as which business users accessed person-related sensitive data (for example, fields related to bank account data), and when they did so.

In RAL, you can configure which person-related sensitive data you want to log and how to log it.

SAP delivers sample configurations for applications. You can display the configurations in the system by performing the following steps:

1. In the Read Access Logging Manager (transaction SRALMANAGER), on the Administration tab page, choose Configuration.

2. Choose the desired channel, for example, WebDynpro.3. Choose Search.

○ The system displays the available configurations for the selected channel.4. Choose Display Configuration for detailed information on the configuration.

Note

For a list of the delivered log domains, see the product assistance at SAP Help Portal under http://help.sap.com/erp. Open the Application Help and go to SAP ERP Cross-Application Functions Cross-Application Components

Data Protection Security Safeguards Regarding Data Protection Read Access Logging (RAL) .

Prerequisites

Before you can use the delivered RAL configurations, the following prerequisites are met:

● You have checked the required particular kernel and SAP GUI version that are described in 1969086 .● The RAL configurations have been activated.● You have enabled RAL in each system client.

More Information

For more information, see Read Access Logging (RAL) in the documentation for SAP NetWeaver on SAP Help Portal at http://help.sap.com/netweaver. Choose an SAP NetWeaver platform and open the function-oriented view of the application help. You can find the documentation about read access logging under Security System Security System Security for SAP NetWeaver Application Server ABAP Only Read Access Logging .

For up-to-date information on the delivered RAL configurations, see 2347271 .

For more information on delivered log conditions in component extension 6.0 of SAP EHS Management, see the following chapter of this Security Guide.

10.5.1 Read Access Logging for Incident Management

Incident Management logs data of illnesses or injuries that are maintained in the Edit Incident screen (web dynpro application EHHSS_INC_REC_OIF_V3). Since this information is potentially sensitive and access to this


Data Protection

http://help.sap.com/erp

http://help.sap.com/erp


http://help.sap.com/disclaimer?site=http://help.sap.com/netweaver


information is in some cases legally regulated, you can use RAL to log the date when the data was accessed and by whom.

In the following configurations, the following fields are logged:

Fields for Read Access Logging

Configuration Fields Logged Business Context

Involved Person - Basic Information <concatenate name>

● Injured Person Name● Phone Number● Email

Role(s)

Incident Type

Privacy Case

Injured on Site

Injured on Duty

Additional Criteria

Fatality

Location of Death

Cause of Death

Statement of Involved Person

Logs basic information of the person who is involved in the incident,

Involved Person - Injury-Illness Information

<concatenate name>


Classification

Injury/Illness Type

Injury/Illness Description

Body Part

Body Part Description

Body Side

Logs information on the injuries or the illness of the person who is involved in the incident.


Configuration Fields Logged Business Context

Involved Person - Treatment Information <concatenate name>


First Physician

Further Treatment Provider

Treatment Beyond First Aid

Emergency Room

Inpatient Overnight

Unconsciousness

Immediate Resuscitation

Comment

To First Aid

To Further Treatment

Logs information on the treatment of the person who is involved in the incident.

Involved Person - Reports and

Documents

<concatenate name>


File Name (of report forms)

File Name (of documents)

Logs the files of reports and documents that are assigned to the involved person.

Incident - Reports and Documents File Name (of report forms)

Reference (Report forms of person references)

File Name (of documents)

Reference (documents of person references)

Logs the files of reports and documents that are assigned to the incident.

10.6 Change Logging

Personal data may be subject to changes. If these changes are logged, you can check which employee made which change and when. Component extension for SAP EHS Management generates change documents for changes in specific fields of the relevant objects that contain personal data.

Under Display Change Document Objects (transaction SCDO), you can find the delivered change document objects. (EHS change document objects start with EH*.) Under Maintain Logging Setting (transaction S_AUT01), you can specify the fields to be logged.


Data Protection

For objects for which you activated the change logging, you can access the change documents by choosing the relevant entry from the You can also link. You can enter parameters to limit the changes that are displayed. To view change documents, you need the authorization object EHFND_CHDC. In addition, under Evaluate New Audit Trail (transaction S_AUT10) in Enhancement Mode, you can display all changes for the change document objects in SAP EHS Management.

More Information

● For more information about the use of change documents in component extension for SAP EHS Management, see the Product Assistance documentation on the SAP Help Portal at http://help.sap.com/ehs-comp. Select your release, open the Product Assistance, and go to Foundation for EHS Management (EHS-MGM-FND)Technical Solution Information Creation of Change Documents .

● For more technical information about logging changes, see the SAP NetWeaver documentation on the SAP Help Portal at http://help.sap.com/nw. Select your release, and in the Application Help section, open the SAP NetWeaver Library: Function-Oriented View. Go to Other Services Audit Trail (BC-SRV-ASF-AT) Changing Table and Data Element Logging .

● For more information about change documents, see the SAP NetWeaver documentation on the SAP Help Portal at http://help.sap.com/nw. Select your release, and in the Security section, open the SAP NetWeaver Security Guide. Go to Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS ABAP SAP NetWeaver Application Server ABAP Security GuideAuditing and Logging Logging of Specific Activities Logging Using Change Documents .


http://help.sap.com/ehs-comp



11 Security for Additional Applications

For security information about Adobe Flash Player used by the BI dashboards, refer to the SAP NetWeaver Business Warehouse Security Guide.

For security information about the Embedded Search used by SAP EHS Management, refer to the SAP NetWeaver Enterprise Search 7.2 Security Guide.


Security for Additional Applications

12 Dispensable Functions with Impacts on Security

SAP EHS Management can be integrated with HR Time Management in Customizing. If the personnel time management (PT) integration is activated, time data (including absences) from HR is displayed in the incident. An additional option is available to directly create HR Absences from the incident. For all actions (such as read or create), HR authorizations are checked.

Security Guide for SAP EHS ManagementDispensable Functions with Impacts on Security C U S T O M E R 61

13 Other Security-Relevant Information

13.1 SAP NetWeaver Business Client as User Front End

For more information about SAP NetWeaver Business Client (SAP NWBC) with PFCG connection, see the SAP NetWeaver documentation on SAP Help Portal at http://help.sap.com/nw74. Go to section Application Help and open the documentation for UI Technologies in SAP NetWeaver. Go to SAP NetWeaver Business Client SAP NetWeaver Business Client Administration Guide Security Aspects .

13.2 Documents (Including Virus Scanner)

SAP EHS Management uses standard SAP NetWeaver technology for uploading and downloading documents (such as Web Dynpro ABAP controls or Internet Communication Framework (ICF) services). These documents are checked into the defined storage system (content repository) using the Knowledge Provider (KPro).

Using the standard NetWeaver technology, you can use the standard NetWeaver virus scan interface (VSI) to check documents (including attachments) for viruses. To do this, you must have installed and configured a virus scanner. It is highly recommended that you integrate a virus scanner. For more information, see http://help.sap.com/saphelp_nw74/helpdata

13.3 Forms and E-Mails Containing Java Script

The Interactive forms of SAP EHS Management can contain Java Script. Therefore, Java Script must be enabled in Adobe Acrobat Reader.

In addition, e-mails with PDF attachments that contain Java Script must not be filtered out in the e-mail inbound and outbound process.

13.4 Security Settings for the Report Incident App

You use the mobile service for SAP Fiori to implement the app Report Incident. For more information on the security settings of the mobile service for SAP Fiori, see the SAP Help Portal at http://help.sap.com. There, search for SAP Cloud Platform, mobile service for SAP Fiori User Guide.


Other Security-Relevant Information

http://help.sap.com/disclaimer?site=http%3A%2F%2Fhelp.sap.com%2Fnw74

http://help.sap.com/saphelp_nw74/helpdata/en/4e/2606c3c61920cee10000000a42189c/content.htm?frameset=/en/4e/2606bdc61920cee10000000a42189c/frameset.htm

http://help.sap.com/saphelp_nw74/helpdata/en/4e/2606c3c61920cee10000000a42189c/content.htm?frameset=/en/4e/2606bdc61920cee10000000a42189c/frameset.htm

http://help.sap.com

14 Security-Relevant Logging and Tracing

SAP EHS Management uses all logging and tracing functionality provided by the SAP NetWeaver AS ABAP and AS Java. Refer to the NetWeaver Security Audit and Logging documentation at http://help.sap.com/saphelp_nw74/helpdata.

The inbound e-mail process logs the data in the application log. For more information about the object and sub-object, see Customizing for SAP EHS Management under Incident Management Print Forms and Interactive Forms Define Inbound Processing for E-Mails .

Security Guide for SAP EHS ManagementSecurity-Relevant Logging and Tracing C U S T O M E R 63

http://help.sap.com/saphelp_nw74/helpdata/de/8e/a8b5386f64b555e10000009b38f8cf/frameset.htm?

http://help.sap.com/saphelp_nw74/helpdata/de/8e/a8b5386f64b555e10000009b38f8cf/frameset.htm?

15 Services for Security Lifecycle Management

15.1 Introduction

The following services are available from Active Global Support to assist you in maintaining security in your SAP systems on an ongoing basis.

15.2 Security Chapter in the EarlyWatch Alert (EWA) Report

This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you:

● Whether SAP Security Notes have been identified as missing on your system.In this case, analyze and implement the identified SAP Notes if possible. If you cannot implement the SAP Notes, the report should be able to help you decide on how to handle the individual cases.

● Whether an accumulation of critical basis authorizations has been identified.In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not, correct the situation. If you consider the situation okay, you should still check for any significant changes compared to former EWA reports.

● Whether standard users with default passwords have been identified on your system.In this case, change the corresponding passwords to non-default values.

15.3 Security Optimization Service (SOS)

The Security Optimization Service can be used for a more thorough security analysis of your system, including:

● Critical authorizations in detail● Security-relevant configuration parameters● Critical users● Missing security patches

This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-site service. We recommend you use it regularly (for example, once a year) and in particular after significant system changes or in preparation for a system audit.


Services for Security Lifecycle Management

15.4 Security Configuration Validation

The Security Configuration Validation can be used to continuously monitor a system landscape for compliance with predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers configuration parameters, but it also covers critical security properties like the existence of a non-trivial Gateway configuration or making sure standard users do not have default passwords.

15.5 Security in the RunSAP Methodology / Secure Operations Standard

With the E2E Solution Operations Standard Security service, a best practice recommendation is available on how to operate SAP systems and landscapes in a secure manner. It guides you through the most important security operation areas and links to detailed security information from SAP’s knowledge base wherever appropriate.

15.6 More Information

For more information about these services, see:

● EarlyWatch Alert: http://support.sap.com/support-programs-services/services/earlywatch-alert.html● Security Optimization Service / Security Notes Report: https://support.sap.com/support-programs-services/

services/security-optimization-services● Comprehensive list of Security Notes: http://support.sap.com/securitynotes● Configuration Validation, E2E Standard for Change Control Management: https://support.sap.com/support-

programs-services/methodologies/support-standards● RunSAP Roadmap .

Security Guide for SAP EHS ManagementServices for Security Lifecycle Management C U S T O M E R 65

http://help.sap.com/disclaimer?site=http%3A%2F%2Fsupport.sap.com%2Fsupport-programs-services%2Fservices%2Fearlywatch-alert.html

http://help.sap.com/disclaimer?site=https%3A%2F%2Fsupport.sap.com%2Fsupport-programs-services%2Fservices%2Fsecurity-optimization-services.html

http://help.sap.com/disclaimer?site=https%3A%2F%2Fsupport.sap.com%2Fsupport-programs-services%2Fservices%2Fsecurity-optimization-services.html

http://help.sap.com/disclaimer?site=http%3A%2F%2Fsupport.sap.com%2Fsecuritynotes

http://help.sap.com/disclaimer?site=https%3A%2F%2Fsupport.sap.com%2Fsupport-programs-services%2Fmethodologies%2Fsupport-standards.html

http://help.sap.com/disclaimer?site=https%3A%2F%2Fsupport.sap.com%2Fsupport-programs-services%2Fmethodologies%2Fsupport-standards.html

http://help.sap.com/disclaimer?site=https%3A%2F%2Fwebsmp206.sap-ag.de%2F~sapidb%2F011000358700000065942008E

Important Disclaimers and Legal Information

Coding SamplesAny software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.

Gender-Neutral LanguageAs far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet HyperlinksThe SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: https://help.sap.com/viewer/disclaimer).


Important Disclaimers and Legal Information

https://help.sap.com/viewer/disclaimer

Security Guide for SAP EHS ManagementImportant Disclaimers and Legal Information C U S T O M E R 67

go.sap.com/registration/contact.html

© 2018 SAP SE or an SAP affiliate company. All rights reserved.No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.Please see https://www.sap.com/corporate/en/legal/copyright.html for additional trademark information and notices.

https://go.sap.com/registration/contact.html

https://go.sap.com/registration/contact.html

https://www.sap.com/corporate/en/legal/copyright.html