security guide sap solution manager

SAP Solution Manager 4.00 Security Guide Version 1.1 31.03.2006 HELP.NWSECGUIDE

Upload: rey

Post on 27-Oct-2014


SAP Solution Manager 4.00 Security Guide

Version 1.1 31.03.2006

HELP.NWSECGUIDE


SAP Online Help 16.05.2006

Security Guide Template Version 1.1

Copyright © Copyright 2004 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. 
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Icons in Body Text

Icon Meaning

Caution

Example

Note

Recommendation

Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Typographic Conventions

Type Style Description

Example text Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.

Example text Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text> Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.


• Introduction

• Before You Start

• Technical System Landscape

• User Administration and Authentication

  - User Management

  - Integration into Single Sign-On Environments

• Authorizations

• Network and Communication Security

  - Communication Destinations

• Data Storage Security

• Dispensable Functions with Impacts on Security

• Other Security-Relevant Information

• Trace and Log Files


Introduction

This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.

Target Audience

• Technology consultants

• System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereby the Security Guides provide information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security apply likewise to the Solution Manager. To assist you in securing the Solution Manager, we provide this Security Guide.

About this Document

The Security Guide provides an overview of the security-relevant information that applies to the Solution Manager.

Overview of the Main Sections

The Security Guide comprises the following main sections:

• Before You Start

This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.

• Technical System Landscape

This section provides an overview of the technical components and communication paths that are used by the Solution Manager.

• User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

  - Recommended tools to use for user management.

  - Standard users that are delivered with the Solution Manager.

  - Overview of the user synchronization strategy, if several components or products are involved.

  - Overview of how integration into Single Sign-On environments is possible.

• Authorizations

This section provides an overview of the authorization concept that applies to the Solution Manager.

• Trace and Log Files

This section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breach does occur.

Before You Start

Fundamental Security Guides

The Solution Manager is built on mySAP Customer Relationship Management 2005 and SAP NetWeaver 2004s. Therefore, the corresponding Security Guides also apply to the Solution Manager. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below.

For a complete list of the available SAP Security Guides, see the Quick Link securityguide on the SAP Service Marketplace.

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

Quick Links to Additional Information

| Content | Quick Link on the SAP Service Marketplace |
|---|---|
| Security | service.sap.com/security |
| Security Guides | service.sap.com/securityguide |
| Related SAP Notes | service.sap.com/notes |
| Network security | service.sap.com/network, service.sap.com/securityguide |
| Technical infrastructure | service.sap.com/ti |
| SAP Solution Manager | service.sap.com/solutionmanager |


Technical System Landscape

Use

The figure below shows an overview of the main communication paths in Solution Manager.

For more information about the technical system landscape, see the resources listed in the table below.

More Information About the Technical System Landscape

| Topic | Guide/Tool | Quick Link to the SAP Service Marketplace |
|---|---|---|
| Technical description for the Solution Manager | Master Guide | service.sap.com/instguides or: alias: solutionmanager → Installation Guides |
| Security | | service.sap.com/security |

Solution Manager runs on an SAP CRM-5.0 Server. It uses the ABAP stack and, for Solution Manager Diagnostics only, the Java stack. No other external component is necessary.

SAP GUI is necessary to use the Solution Manager.


Communication with other systems takes place via RFC technology and via Web Services.

SAP Solution Manager should have an RFC connection to SAP OSS for getting and sending data.

More information can be found in the Configuration Guide for Solution Manager.

The SAP Solution Manager supports the following scenarios:

Service Desk and Issue Tracking

The Service Desk allows you to create support messages, send them to SAP, and receive replies from SAP. Issue tracking provides follow-up functionality for the Support Desk. Third Party Service Desks can be connected via Web Services.

Service Connections

This functionality allows you to set up service connections to SAP for the systems in your solution, using assistants. You can open a service connection for a specified time, so that SAP support staff can log on to your system.

Implementation and Distribution

The Implementation and Distribution scenario is for the implementation of customer projects.

This scenario includes an implementation roadmap, an editor for creating and maintaining business blueprints, access to the Implementation Guides (IMG), and tools for testing, monitoring and distributing Customizing.

Solution Monitoring

The Solution Monitoring scenario provides support for functionality such as SAP service delivery, Service-Level Reporting, EarlyWatch Alert, as well as user-defined alerts.

The monitoring functionality allows you to:

• Monitor the state of multiple solution landscapes.

The SAP Solution Manager can be used to monitor the satellite systems in a landscape, as well as all the business processes running on them.

• Communicate with SAP Support Back Office.

The SAP Solution Manager has a connection to the SAPNet R/3 Frontend and the SAP Service Marketplace. Note that the SAP Solution Manager uses Internet Explorer to display items from the SAP Service Marketplace on the user's desktop; that is, the SAP Solution Manager does not connect directly to the SAP Service Marketplace.

• Document an entire solution landscape in one central system.

Change Request Management

Currently, the Change Request Management scenario consists of a workflow for implementing urgent corrections. This workflow is the result of an integration between the Service Desk and SAP Change Manager. (Other workflow types are planned for a later version of the scenario.) The workflow starts with the occurrence of an error. This error is reported to the Service Desk. If the error is serious enough to warrant the immediate implementation of a correction (urgent correction), a change request is created. This request is then approved, which results in the creation of a change document. The change document then passes through certain phases:

• Developing a correction

• Testing the correction

• Importing the correction into the production system


Solution Manager Diagnostics

SAP Solution Manager Diagnostics provides root cause analysis of incidents in customer solutions powered by SAP NetWeaver. It provides read access to traces and configuration settings of SAP NetWeaver components.

User Administration and Authentication

The Solution Manager uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP Web Application Server ABAP. If you use the Solution Manager Diagnostics, the user management and authentication mechanisms provided with the SAP Web Application Server Java are used too. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide and the SAP NetWeaver Application Server Java Security Guide (see SAP Library) also apply to the Solution Manager.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to the Solution Manager in the following topics:

• User Management

This topic lists the tools to use for user management and the standard users that are delivered with the Solution Manager.

• Integration Into Single Sign-On Environments

This topic describes how the Solution Manager supports Single Sign-On mechanisms.

User Management

Use

User management for the Solution Manager uses the mechanisms provided by the SAP NetWeaver Application Server ABAP and Java, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for the Solution Manager, see the sections below. In addition, we provide a list of the standard users required for operating the Solution Manager. As the mechanisms provided by the SAP NetWeaver Application Server Java only apply for Solution Manager Diagnostics, consult the corresponding Security Guide for that scenario.

User Administration Tools

The table below shows the tools to use for user management and user administration with the Solution Manager.

User Management Tools

| Tool | Detailed Description |
|---|---|
| SU01 | For more information, see Users and Roles (BC-SEC-USR). |
| PFCG | For more information, see User Management Engine. |


Standard Users

The table below shows the standard users that are necessary for operating the Solution Manager.

| Logon User (Password) | Use | How Created |
|---|---|---|
| OSS_RFC (CPIC) | Notes Assistant | Maintain technical settings in transaction "OSS1" |
| S-User (Customer-specific) | Exchange problem messages with SAP; Retrieve information which messages have been changed at SAP; Opening of service connections; Download of SAP HotNews; Sending solution data to SAP; Sending Top Issues to SAP; Exchange of service plans with SAP | Assisted by SAP Solution Manager in Global Settings |
| Default user: SOLMAN<SID><Client> (will be generated) | for read access. Scenarios: Solution Monitoring and Implementation and Distribution | Transaction SMSY |
| CSMREG (Customer-specific) | For data collection (to get CCMS alerts). Only required if SMSY is not used to generate RFC destinations | During System Monitoring Setup |
| OSS_RFC (CPIC) | Update Service Definitions | Created automatically by Transaction SDCCN → copy of SAPOSS |
| OSS_RFC (CPIC) | Service Preparation Check (RTCCTOOL) | Created automatically by RTCCTOOL. → copy of SAPOSS |
| CSMREG (Customer-specific) | Business Process Monitoring | During Business Process Monitoring Setup |

A more detailed description can be found in the Configuration Guide for the SAP Solution Manager.

Integration into Single Sign-On Environments

Use

The Solution Manager supports the Single Sign-On (SSO) mechanisms provided by the SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide (SAP Library) also apply to the SAP Solution Manager.

The supported mechanisms are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.

For more information, see Secure Network Communications (SAP Library) in the SAP NetWeaver AS ABAP Security Guide.

SAP logon tickets

The Solution Manager supports the use of logon tickets for SSO when using a Web browser to access Solution Manager documents via URLs from outside. In this case, users can be issued a logon ticket after they have authenticated themselves with the Solution Manager system. The ticket can then be submitted to the system as an authentication token each time the users access documents via URLs from within the same browser session. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

You can find more information under SAP Logon Tickets in the SAP NetWeaver AS ABAP Security Guide.


Authorizations

Use

The Solution Manager uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS ABAP Security Guide also apply to the Solution Manager.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG).

Standard Roles

Service Desk and Issue Tracking

The following roles contain the central authorizations for the Service Desk and Issue Tracking scenario. They can be tailored to suit individual projects.

SAP_SUPPDESK_DISPLAY Service Desk display user

SAP_SUPPDESK_CREATE Service Desk message creator

SAP_SUPPDESK_PROCESS Service Desk processor

SAP_SUPPDESK_ADMIN Service Desk administrator

SAP_SV_SOLUTION_MANAGER Issue tracking expert mode (in addition to SAP_SUPPDESK_ADMIN)

SAP_SUPPCF_CREATE Service Desk Corporate Functionality message creator

SAP_SUPPCF_PROCESS Service Desk Corporate Functionality processor

SAP_SUPPCF_ADMIN Service Desk Corporate Functionality administrator

Service Connections

The following role contains the authorizations to set up service connections and to open connections to SAP.

SAP_SERVICE_CONNECT Setup and Opening of Service Connections

Implementation and Distribution

The following roles contain the central authorizations which are required for the Implementation and Distribution scenario. They can be tailored to suit individual projects.

SAP_SOL_PM_COMP Project managers are responsible for organizing and planning the project, and monitoring costs and deadlines.

SAP_SOL_AC_COMP Application consultants are responsible for business content and the documentation of operational activities. This collective role has limited authorization and is intended for project members who need to be adjusted individually.

SAP_SOL_BC_COMP Development consultants are responsible for the development of customer-specific programs and authorizations.

SAP_SOL_TC_COMP Technical consultants are responsible for installing systems and providing technical support to users.

SAP_SOL_RO_COMP It contains Solution Manager display/read only.


SAP_SOL_RE_COMP This user can only see versions of documents with a corresponding document status, for example, an end user who should only read the latest released version of documents.

SAP_RMDEF_RMAUTH_EXE Creating and changing of Roadmaps

SAP_RMDEF_RMAUTH_DIS Display Roadmaps independent of projects

SAP_SOL_LEARNING_MAP_DIS End User of Learning Maps, display only

The roles with naming convention *-COMP are composite roles. The composite roles contain individual roles, which in turn contain authorizations for individual functions, e.g. for the Business Blueprint.

If you are using trusted system destinations, you will need the additional authorization object S_RFCACL. You will also need the authorization object S_RFC. The function groups 'SCCA', 'SRTT', 'SCT1', 'PROJECT_ADMINISTRATION', 'SCTM', and 'SCPRAC' must be assigned to this authorization object. Additionally, you will need the S_TCODE authorization for transactions SCPR3 and SCPR20.

Create or extend a user role containing these authorizations in all systems, including the Solution Manager system.

Not all these authorizations are part of the SAP profile SAP_ALL.

See SAP Note 803142 (Solution Manager Roles for Satellite Systems).
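An added example (not part of the SAP guide or of any SAP tool): a Python check that takes a role's authorization values and reports which of the trusted-destination requirements listed above the role does not meet. The row layout (object, authorization, field, low, high), the sample role, and the S_RFC field values RFC_TYPE = FUGR and ACTVT = 16 are assumptions made for the illustration; only a trailing '*' wildcard and simple value intervals are handled.

```python
from collections import defaultdict

# Requirements taken from the paragraph above.
REQUIRED_FUNCTION_GROUPS = [
    "SCCA", "SRTT", "SCT1", "PROJECT_ADMINISTRATION", "SCTM", "SCPRAC",
]
REQUIRED_TCODES = ["SCPR3", "SCPR20"]

# Constructed sample rows for one role: (object, authorization, field, low, high).
# The layout is an assumption; adapt it to however role data is exported.
SAMPLE_ROLE = [
    ("S_RFC", "A1", "RFC_TYPE", "FUGR", ""),
    ("S_RFC", "A1", "RFC_NAME", "SC*", ""),   # wildcard: covers SCCA, SCT1, SCTM, SCPRAC
    ("S_RFC", "A1", "ACTVT", "16", ""),
    ("S_TCODE", "T1", "TCD", "SCPR3", ""),    # SCPR20 is not included
    # No S_RFCACL rows at all, as with a user who only has SAP_ALL.
]


def group_authorizations(rows):
    """Return {object: {authorization: {field: [(low, high), ...]}}}."""
    grouped = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for obj, auth, field, low, high in rows:
        grouped[obj][auth][field].append((low.strip().upper(), high.strip().upper()))
    return grouped


def value_allowed(wanted, intervals):
    """True if one (low, high) entry of a field covers the wanted value."""
    for low, high in intervals:
        if high:                                   # interval LOW..HIGH
            if low <= wanted <= high:
                return True
        elif low.endswith("*"):                    # generic value such as SC*
            if wanted.startswith(low[:-1]):
                return True
        elif wanted == low:                        # single value
            return True
    return False


def instance_covers(fields, needed):
    """One authorization must satisfy every checked field by itself."""
    return all(value_allowed(v, fields.get(f, [])) for f, v in needed.items())


def object_covers(grouped, obj, needed):
    """True if any single authorization of the object covers all needed values."""
    return any(instance_covers(f, needed) for f in grouped.get(obj, {}).values())


def missing_for_trusted_rfc(rows):
    """List the requirements from the guide that the given role rows do not meet."""
    grouped = group_authorizations(rows)
    missing = []
    # The guide only states that the object is needed, so presence is checked.
    if not grouped.get("S_RFCACL"):
        missing.append("S_RFCACL")
    for fugr in REQUIRED_FUNCTION_GROUPS:
        needed = {"RFC_TYPE": "FUGR", "RFC_NAME": fugr, "ACTVT": "16"}
        if not object_covers(grouped, "S_RFC", needed):
            missing.append(f"S_RFC:{fugr}")
    for tcode in REQUIRED_TCODES:
        if not object_covers(grouped, "S_TCODE", {"TCD": tcode}):
            missing.append(f"S_TCODE:{tcode}")
    return missing


if __name__ == "__main__":
    for item in missing_for_trusted_rfc(SAMPLE_ROLE):
        print("missing:", item)
```

Field values are matched within a single authorization, so values spread over two authorizations of the same object do not add up to a pass.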

Solution Monitoring

The following roles contain the central authorizations which the Solution Monitoring scenario requires. They can be tailored to suit individual projects.

SAP_SDCCN_DIS Service Data Control Center display

SAP_SDCCN_EXE Service Data Control Center maintenance

SAP_SDCCN_ALL Service Data Control Center administration

SAP_SETUP_DSWP Full authorization for all sessions in area operations setup

SAP_SETUP_DSWP_SLR Full authorization for session Service Level Reporting in area operations setup (according to BundleID)

SAP_SETUP_DSWP_SM Full authorization for session System Monitoring in area operations setup (according to BundleID)

SAP_SETUP_DSWP_BPM Full authorization for session Business Process Monitoring in area operations setup (according to BundleID)

SAP_SETUP_DSWP_CSA Full authorization for session Central Service Administration in area operations setup (according to BundleID)

SAP_OP_DSWP Full authorization for all sessions in area operations

SAP_OP_DSWP_SLR Full authorization for session Service Level Reporting in area operations (according to BundleID)

SAP_OP_DSWP_SM Full authorization for session System Monitoring in area operations (according to BundleID)

SAP_OP_DSWP_BPM Full authorization for session Business Process Monitoring in area operations (according to BundleID)

SAP_OP_DSWP_CSA Full authorization for session Central Service Administration in area operations (according to BundleID)

SAP_SV_SOLUTION_MANAGER Administer sessions. It also gives full authorization for all functionalities in transaction SOLUTION_MANAGER


SAP_SV_SOLUTION_MANAGER_DISP Display sessions. It gives also display authorization for all functionalities in transaction SOLUTION_MANAGER

SAP_SOL_REP_DISP Display

SAP_SOL_REP_ADMIN Administration

SAP_SOLMAN_DIRECTORY_ADMIN Administer Data in Solution Directory

SAP_SOLMAN_DIRECTORY_EDIT Maintain Data in Solution Directory

SAP_SOLMAN_DIRECTORY_DISPLAY Display Data in Solution Directory

Change Request Management

The following roles contain the central authorizations for the Change Request Management scenario:

SAP_CM_CHANGE_MANAGER Change Management Change Manager

SAP_CM_DEVELOPER_COMP Change Management Developer

SAP_CM_OPERATOR_COMP Change Management IT Operator

SAP_CM_PRODUCTION_MANAGER_COMP Change Management Production Manager

SAP_SOCM_REQUESTER Change Management Requester

SAP_CM_TESTER_COMP Change Management Tester

SAP_CM_ADMINISTRATOR_COMP Administration and technical Maintenance

Solution Manager Diagnostics

The following roles are used in Solution Manager System Landscape Management to integrate Solution Manager Diagnostics. For authorizations of the component Solution Manager Diagnostics itself, see the SAP Solution Manager Diagnostics Security Guide.

SAP_SMDIAG_WIZARD Solution Manager Diagnostics Wizard to transfer data

SAP_SMDIAG_TEMPLATE Edit templates for Solution Manager Diagnostics

See also: For more information about role maintenance, see the online documentation or the Configuration Guide for Solution Manager 4.00. Choose Help → Application Help → mySAP Technology Components → SAP Web Application Server → Security → Users and Roles → Role Maintenance.

Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.


The network topology for the Solution Manager is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Solution Manager.

Communication Destinations

Use

The table below shows the communication channels used by the Solution Manager, the protocol used for the connection, and the type of data transferred.

| Communication Channel | Protocol used | Type of Data transferred | Data Requiring Special Protection |
|---|---|---|---|
| Solution Manager to OSS | RFC | Exchange of Problem messages; Retrieval of Services; Opening of Service connections; Download of SAP HotNews; Sending of Solution data to SAP; Sending of Top Issues to SAP; Exchange of service plans with SAP | |
| Solution Manager to OSS Secure Area | HTTPS | Logon data to systems opened for SAP Support | Logon data, passwords |
| Solution Manager to Satellite Systems | RFC | Access Customizing or Monitoring data | |
| Solution Manager to SAP Service Marketplace | HTTPS | Search for notes | |
| Solution Manager Support Desk to Third Party Support Desks | HTTP/SOAP | Problem Messages | |

The table below shows an overview of the communication destinations used by the Solution Manager for RFC communications.

| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created |
|---|---|---|---|---|---|---|
| SAPOSS | /H/SAPROUTER/S/<XX>/sapserv<X>/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Notes Assistant | Maintain technical settings in transaction "OSS1" |
| SAP-OSS | /H/SAPROUTER/S/<XX>/sapserv<X>/H/oss001 | 01 | 001 | S-User (Customer-specific) | Exchange problem messages with SAP; Download of SAP HotNews; Sending Solution data to SAP; Sending Top Issues to SAP; Exchange Service Plans with SAP | Assisted by SAP Solution Manager in Global Settings |
| SAP-OSS-LIST-O01 | /H/SAPROUTER/S/<XX>/sapserv<X>/H/oss001 | 01 | 001 | S-User (Customer-specific) | Retrieve information which messages have been changed at SAP | Assisted by SAP Solution Manager in Global Settings |
| SM_<SID>CLNT<client>_LOGIN | Satellite System | Customer-specific | Customer-specific | empty | Execute Transactions. Scenarios: Solution Monitoring and Implementation and Distribution | Transaction SMSY |
| SM_<SID>CLNT<client>_READ | Satellite System | Satellite System-specific | Satellite System-specific | Default user: SOLMAN<SID><Client> (will be generated) | for read access. Scenarios: Solution Monitoring and Implementation and Distribution | Transaction SMSY |
| SM_<SID>CLNT<client>_TRUSTED | Satellite System | Satellite System-specific | Satellite System-specific | empty | Log on through a trusted connection. Scenarios: Solution Monitoring and Implementation and Distribution | Transaction SMSY |
| SM_<SID>CLNT<client>_TMW | Satellite System | Satellite System-specific | Satellite System-specific | Default user: SOLTMW<SID><Client> (will be generated) | for create and release Change Requests: Change Manager | Transaction SMSY |
| SM_<SID>CLNT<client>_BACK | Solution Manager | Solution Manager specific | Solution Manager specific | Default user SOLMAN<SID> | for read and send data: Customizing Distribution (read); SDCCN (send data) | Transaction SMSY |
| SAPNET_RFC | /H/SAPROUTER/S/<XX>/sapservX/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Update Service Definitions | Created automatically by Transaction SDCC. → copy of SAPOSS |
| SAPNET_RTCC | /H/SAPROUTER/S/<XX>/sapservX/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Service Preparation Check (RTCCTOOL) | Created automatically by RTCCTOOL. → copy of SAPOSS |
| BPM_LOCAL_<client> | empty | empty | Client used for Business Process Monitoring | CSMREG (Customer-specific) | Business Process Monitoring | During Business Process Monitoring Setup |

For Trusted System RFCs

To generate Trusted System RFCs, the user needs the authorization object S_RFCACL. This object is not part of SAP_ALL. Customers must assign this object to all users who should use trusted system RFCs.

For more detail, see note 128447.

When a SAP router is used between the Solution Manager and a satellite system, some functions have problems with SAP routers, for example:

• BSP applications

• RFCs that should open a new window (session)

These functions need a relogin from the satellite system to the Solution Manager, and this relogin does not pass the SAP router.

To solve these issues, see note 55162 (Asynchrone RFCs mit Dialog über SAP-Router).

Other Security-Relevant Information

Use

Some functions in Solution Manager use JavaScript and/or ActiveX Controls to show data in a browser. If you do not allow the use of JavaScript and/or ActiveX Controls, you will not be able to use that functionality. Below is a description of the respective functions and what they use:

1. Graphical view of Scenarios, Processes and Systems

This graphical view is used in Solution Manager Implementation (Graphics tab), Solution Directory (Graphics tab), Business Process and System Monitoring, and Solution Manager System Landscape.


It uses JavaScript and the ActiveX Control Microsoft® XML Core Services (MSXML) 4.0. Microsoft® XML Core Services (MSXML) 4.0, formerly called Microsoft XML Parser, allows Internet Explorer to handle XML documents in a more consistent way.

2. Learning Solution

The display of a Learning Map for end users uses JavaScript to open attached documents and to send feedback.

3. Project Setup Quickstart

The Project Setup Quickstart which allows a guided creation of projects uses Javascript.

Scenario Service Connections is using Web-Dynpro-for-ABAP technology. For security relevant details about this technology see Security Guide “SAP NetWeaver 2004s Security for Development Technologies” chapter “Security Issues in Web Dynpro for ABAP”. Most actions done in the Service Connections and some actions in the Support Desk scenario send and/or receive data to/from SAP Support Portal. In SAP Support Portal there is an authorization check for these activities against an S-user that is assigned to the Solution Manager user. The same check is also done on Solution Manager side. The S-user in SAP Support Portal needs to be assigned to the corresponding Solution Manager User via customizing activity “Assign Contact for Communication with SAP”. This security relevant activity is protected by authorization group ‘AISU’. Only system administrators that may maintain user data should have this authorization.

Trace and Log Files

Use

System Landscape

• Update Logs

• RFC Logs

• Data save logs

Solution Manager Implementation

• All Tabs can be traced. Each change on the tab will be recorded. No changes of the assigned object are logged (except documents).

• One can specify which project and tab will be traced.

• Documentation will be versioned by each change.

Solution Manager Operations

Solution Directory

• All tabs can be traced. Each change on tab will be recorded. No changes of the assigned object are logged (except documents).

• One can specify which Solution will be traced

• Documentation will be versioned by each change

Service Connections

All security-relevant operations, such as setting up a service connection for opening a system for SAP, are logged in the SAP Support Portal and can be accessed via the system-dependent link to SAP Support Portal from within the application. Logons to satellite systems can additionally be logged inside these systems using the “Security Audit Log” (see Security Guide “SAP NetWeaver 2004s Security Aspects for System Management”, chapter “Auditing and Logging”).

Customizing Distribution

• Each distribution is logged

• Each distributed object is logged