123741248-SAP-GTS-guide.pdf

Security Guide SAP Global Trade Services 10.1 Target Audience Technical Consultants ■ System Administrators ■

PUBLIC Document version: 1.0 – 2012-06-15

SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 34 F +49/18 05/34 34 20 www.sap.com

© Copyright 2012 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose with out the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. No part of this publication may be reproduced or transmitted in any form or for any purpose with out the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries al l over the world. All other product and service names mentione d are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP Support Services and may not be modified or altered in any way.

2 /52

PUBLIC

2012-06-15

SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 34 F +49/18 05/34 34 20 www.sap.com

© Copyright 2012 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose with out the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. No part of this publication may be reproduced or transmitted in any form or for any purpose with out the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries al l over the world. All other product and service names mentione d are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP Support Services and may not be modified or altered in any way.

2 /52

PUBLIC

2012-06-15

Typographic Conventions

Example

Description

Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your ”.

Example Example

Arrows separating the parts of a navigation path, for example, menu options

Example

Emphasized words or expressions

Example

Words or characters that you enter in the system exactly as they appear in the documentation

http://www.sap.com

Textual cross-references to an internet address

/example

Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web

123456

Hyperlink to an SAP Note, for example, SAP Note 123456

Example

■

■

Example

■ ■ ■

EXAMPLE

EXAMPLE

2012-06-15

Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options. Cross-references to other documentation or published works Output on the screen following a user action, for example, messages Source code or syntax quoted directly from a program File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools

Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE Keys on the keyboard

PUBLIC

3 /52

Document History

CAUTION

Before you start the implementation, make sure you have the latest version of this document. You can find the latest version on SAP Service Marketplace at: SAP Softwa Software re Downloa Downloadd

SAP Softwa Software re Downloa Downloadd Center

Upgrad Upg radee Gui Guides des - Ent Entry ry by App Applica licatio tionn Gro Group up Servi Se rvices ces

http://service.sap.com/swdc

Installations Install ations and Upgrade Upgradess

Installations Instal lations and

Analyt Ana lytics ics Gove Governa rnance, nce, Ris Risk, k, and Comp Complian liance ce

Global Glob al Tra Trade de

e> Se Secur curit ityy Gu Guid idee .

The following table provides an overview of the most important document changes. Version

Date

Description

1.0

2012-06-15

Public

4 /52

PUBLIC

2012-06-15

Table of Contents

Chapter 1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 2

Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Chapter 3

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Chapter 4

User Administration and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 19

4.1

User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

4.2

User Data Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

4.3

Integration Into Single Sign-On Environments . . . . . . . . . . . . . . . . . . . . . . . . 21

Chapter 5

Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Chapter 6

Network and Communication Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

6.1

Communication Ch Channel Se Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

6.2

Networ k Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

6.3

Communication Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Chapter 7

Data Storage Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Chapter 8

Security for Additional Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Chapter 9

Dispensable Functions with Impacts on Security . . . . . . . . . . . . . . . . . . . 37

Chapter 10

Enterprise Services Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Chapter 11

Trace and Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Chapter 12

Other Security-Relevant Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Chapter A

Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

A.1

Additional Related Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

2012-06-15

PUBLIC

5 /52

Chapter B

Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

B.1

The Main SAP Documentation Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

6 /52

PUBLIC

2012-06-15

1

Introduction

1 Introduction

CAUTION

This guide does not replace the administration or operation guides that are available for productive operations. This document is not included as part of the Installation Information, Configuration Guides, or Technical Operation Manuals. Such guides are only relevant for a certain phase of the software life cycle, whereby the Security Guides provide information that is relevant for all life cycle phases. Why is Security Necessary

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. Data protection is of particular importance in the area of sanctioned party list (SPL) screening, for example, where sensitive data from Human Capital Management of SAP ERP (SAP ERP HCM) should not be able to be viewed or modified by unauthorized persons. This access to sensitive data can be controlled by the enhanced authorization concept that enables administrators to restrict the authorized users to specifically selected users from one foreign trade organization, for example. The security measures available ensure that the SPL screening results of business partners from “sensitive” countries can only be viewed or modified by employees who are either from the same country or from the same country group User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security apply likewise to the business scenarios of SAP Global Trade Services. To assist you in securing the SAP Global Trade Services, we provide this Security Guide. About This Document

The Security Guide provides an overview of the security-relevant information that applies to the SAP Global Trade Services. Since SAP Global Trade Services is based on and runs SAP NetWeaver technology, read the Security Guide for SAP NetWeaver at

http://help.sap.com/nw703

Security Information Security Guide . All

Security Guides published by SAP are available on SAP Service Marketplace at http:// service.sap.com/securityguide

2012-06-15

PUBLIC

7 /52

1

Introduction

The Security Guide for SAP Global Trade Services contains security-relevant information about the following application areas within SAP Global Trade Services ■

Customs Processing

■

Compliance Management

■

Preference Processing

■

Letter of Credit

■

Restitution

■

Electronic Compliance Reporting

This guide is also valid for the export-specific product that is based on SAP Global Trade Services, called SAP Customs Processing for Automated Export Systems (SAP Customs Processing for AES) that is currently available for processing exports using the electronic Cu stoms processes with ATLAS Ausfuhr of the German Customs authorities. Security in the context of these application areas of SAP Global Trade Services comprises the following aspects ■

User authentication

■

Support of Single Sign-On

■

Administration and checking of user authorization to prevent unauthorized access to saved data

■

General access control, including protection of the system against unauthorized external access

■

Safeguarding of data against unauthorized access when business data is being exchanged between SAP Global Trade Services and external systems

In many cases, the required information has already been provided in other Security Guides and in configuration and installation information. In these cases, we have provided a reference to the relevant sections within these guides. Overview of the Main Sections

The Security Guide comprises the following main sections: ■

Before You Start

This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide. ■

Technical System Landscape

This section provides an overview of the technical components and communication paths that are used by the SAP Global Trade Services. ■

User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

■

8 /52

●

Recommended tools to use for user management.

●

User types that are required by the SAP Global Trade Services.

●

Overview of how integration into Single Sign-On environments is possible.

Authorizations

PUBLIC

2012-06-15

1

Introduction

This section provides an overview of the authorization concept that applies to the SAP Global Trade Services. ■

Network and Communication Security

This section provides an overview of the communication paths used by the SAP Global Trade Services and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level. ■

Data Storage Security

This section provides an overview of any critical data that is used by the SAP Global Trade Services and the security mechanisms that apply. ■

Security for Third-Party or Additional Applications

This section provides security information that applies to third-party or additional applications that are used with the SAP Global Trade Services. ■

Trace and Log Files

This section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breach does occur. ■

Appendix

This section provides references to further information. SAP Global Trade Services is based on SAP standard technology of SAP NetWeaver 7.0. This means that only the official precepts of the SAP security strategy are used. The standard tools and mech anisms of the SAP NetWeaver platform are used.

2012-06-15

PUBLIC

9 /52

This page is left blank for documents that are printed on both sides.

2

Before You Start

2 Before You Start

Fundamental Security Guides

The SAP Global Trade Services is an add-on to SAP NetWeaver and its application platform usage types. Therefore, the corresponding Security Guides also apply to the SAP Global Trade Services. Refer to the following specific SAP NetWeaver Security Guides depending on your system landscape as indicated in the table below. All Security Guides can be accessed at Information


Security

Security Guide

Fundamental SAP NetWeaver Security Guides for SAP Global Trade Services Security Guide

Most-Relevant Sections or Specific Restrictions

SAP NetWeaver 7.0 You can use the overall Security Guide for generic topics, for example, including Administration and Authentication or Network and Communication Strategy Enhancement Package 3 Application Server (AS) for ABAP

User

Necessary for general security issues of basis SAP NetWeaver technology for S AP Global Trade Services

Optional SAP NetWeaver Security Guides for SAP Global Trade Services Security Guide According to Usage Types and Specific Topics


Business Intelligence (BI)

Depending upon whether you use BI functions with SAP Global Trade Services for analyzing your processes

Application Server (AS) for Java

When using printing functionality that utilizes the Adobe Document Server (ADS)

SAP Interactive Forms Solution Security Guide

When using print forms in SAP Global Trade Services, for example Customs forms in SAP Customs Management, in addition to the AS for Java For more information, see http://help.sap.com/nw703 Security Information Security Guide Security Guide for SAP NetWeaver According to Usage Types SAP Interactive Forms Based On Adobe Software Security Guide For more information about security-related information for the Adobe Reader, see SAP Note 853497. NOTE

Although SAP Global Trade Services does not use interactive forms, the above-mentioned Security Guide does contain security-related information on topics that are related to

2012-06-15

PUBLIC

11 /52

2

Before You Start

Security Guide According to Usage Types and Specific Topics


setting up standard RFC destinations for communicating with the Adobe Document Server and for printing standard Adobe forms in Customs communication processes.

For a complete list of the available SAP Security Guides, see SAP Service Marketplace at

http://

service.sap.com/securityguide.

Important SAP Notes

The most important SAP Notes that apply to the security of the SAP Global Trade Services are shown in the table below. Important SAP Notes SAP Note Number

Title

Comment

1501945

Secure Configuration SAP NW

This note contains information about how the NetWeaver platform can be configured securely.

797108

Virus scan interface (VSI): Changes and releases

SAP Notes about configuration information for the virus scanner interface for virus checking attachments, for example in the electronic communication with the authorities.

851789

Virus-scan-profiles delivered by SAP

SAP Notes about configuration information for the virus scanner interface for virus checking attachments, for example in the electronic communication with the authorities.

817623

Integrating a virus scan in SAP applications SAP Notes about configuration information for the virus scanner interface for virus checking attachments, for example in the electronic communication with the authorities.

853497

Adobe Acrobat Reader creates temporary files

SAP Note about using the Acrobat Reader for displaying Adobe attachments or document previews.

In addition, you can find a list of security-relevant SAP Hot News and SAP Notes on the SAP Service Marketplace at https://service.sap.com/securitynotes. Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

12 /52

PUBLIC

2012-06-15

2

Before You Start

Quick Links to Additional Information Content

Security

Quick Link on the SAP Service Marketplace or SDN

http://sdn.sap.com/irj/sdn/security http://service.sap.com/security

Security Guides

https://service.sap.com/securityguide

Related SAP Notes

https://service.sap.com/notes

Released Platforms

https://service.sap.com/pam https://service.sap.com/platforms

Network Security

https://service.sap.com/securityguide https://ervice.sap.com/network

SAP Solution Manager SAP NetWeaver

2012-06-15

https://service.sap.com/solutionmanager http://sdn.sap.com/irj/sdn/netweaver

PUBLIC

13 /52


3


3 Technical System Landscape

The diagram below shows an overview of the technical system landscape for the software components for running the processes in SAP Global Trade Services.

Figure 1:

Overview of the technical system landscape for running the processes in SAP Global Trade

Services With SAP Global Trade Services, you have an add-on application that receives its data from a feeder system, such as SAP ERP. You can also use non-SAP systems as a feeder system. If you are using an SAP system as your feeder system, then the software components SAP_ABA und SAP_BASIS of SAP NetWeaver ABAP Stack in the feeder system are mandatory together with the plug-in specific to SAP Global Trade Services called SLL_PI 900_* to facilitate communication between the systems. In the system for SAP Global Trade Services, you also need software component SAP_AP in addition to the SAP_ABA and SAP_BASIS. In addition to connecting the feeder systems through the plug-in that communicates with SAP Global Trade Services by Remote Function Calls, you can use interfaces for other system connections. For processing customs procedures, you can use process data from SAP Transportation Management in addition to the logistics data of SAP ERP. The system connection to SAP Transportation Management

2012-06-15

PUBLIC

15 /52

3


is facilitated by SOA services. However, if you are using a non-SAP system, these components are not required. ■

Compliance Management

The Compliance Management area enables you to comply with national and international trade regulations, combining embargo checks, legal import and export controls, and sanctioned party list screening. You can, for example, upload sanctioned party lists in XML file format from thirdparty data providers and screen your business partners against these sanctioned party lists. You can fully integrate the screening process of your feeder system SAP ERP. There you can integrate these checks into your logistics processes of materials management and sales and distribution. You can also choose to integrate sanctioned party list checks into the processes of the finance and human resources modules of SAP ERP as well as the industry solution for financial accounting. ■

Customs Management

The Customs Management area enables you to directly communicate with Customs offices and adhere to the regulations of these national authorities in cross-border trade when placing goods in specific Customs procedures. To facilitate this communication, you need to install converter software. The converter software has its own security guidelines to which you must adhere. This converter software facilitates the mapping of SAP IDocs to EDIFACT messages for the customs offices to read and, in turn, receive EDIFACT messages from, which are then converted to SAP IDocs for SAP Customs Management. The security measures required for communication with third parties in IDoc format are described in the SAP NetWeaver Application Server Security Guides. Communication between the EDI converter and SAP Global Trade Services takes place using standard ALE technology and RFC destinations. For more information about the security measures for this technology, see the SAP NetWeaver Security Guide.

You can print out Adobe forms for customs processes, and to do so you require a connection to the Adobe Document Server. Communication with the Adobe Document Server takes place using standard RFC destinations, and role and user administration. ■

Preference Processing

The Preference Processing area facilitates traders in indicating their goods for preferential customs treatment. This involves handling inbound and outbound long-term vendor declarations as well as determining the preferential status of goods based on long-term vendor declarations and/or the preference determination process. The preferential status is based on long-term vendor declarations relevant for goods externally procured. Goods with procurement types for inhouse production and mixed origin because they were partially produced inhouse and procured externally, the preference determination is used in addition for determining the preferential status. The preference determination is based on procedures and rules for Harmonized System codes in preference agreements. Both, the preference agreements and the codes for classifying the products can be uploaded from a third-party data provider.

16 /52

PUBLIC

2012-06-15

3

■


Letter of Credit

The Letter of Credit area enables traders to mitigate financial risks by working with letters of credit in standard inbound and outbound processes. The letters of cr edit ensure that shipping dates and costs, for example, are agreed and assured by both the importer and the exporter and their representing banks. ■

Restitution Handling

The Restitution Handling area enables exporters to apply for export refunds on common agricultural products. This includes managing and monitoring bank securities and export licenses in a legally compliant manner. ■

Electronic Compliance Reporting

The Electronic Compliance Reporting area enables companies within the European Union to create Intrastat declarations for the authorities. In these Intrastat declarations a company can report goods movements with other states or statistical regions of the European Union of which information is required by the statistical authorities of a country. For more information about the technical system landscape, see the resources listed in the table below. More Information About the Technical System Landscape Quick Link to the SAP Service Marketplace or SDN

Topic

Guide/Tool

Technical description for the SAP Global Trade Services and the underlying technological components such as SAP NetWeaver.

Master Guide

High availability

High Availability for SAP Solutions

Technical landscape design

See applicable documents


Installations and Upgrades Installation and Upgrade Guides SAP Solutions for Governance, Risk and Compliance SAP Global Trade Services Installation and Upgrade

http://sdn.sap.com/irj/sdn/ha http://sdn.sap.com/irj/sdn/ landscapedesign

Security

2012-06-15

See applicable documents

PUBLIC

http://service.sap.com/security

17 /52


4


4.1

User Management

4 User Administration and Authentication

The SAP Global Trade Services uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide also apply to the SAP Global Trade Services. For more information, see


SAP NetWeaver According to Usage Type

Security Information Security Guide Security Guide for

SAP NetWeaver Application Server ABAP Security Guide .

In addition to these guidelines, we include information about user administration and authentication that specifically applies to the SAP Global Trade Services in the following topics: ■

User Management This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with the SAP Global Trade Services.

■

User Data Synchronization The SAP Global Trade Services shares user data with [list sources]. This topic describes how the user data is synchronized with these other sources.

■

Integration Into Single Sign-On Environments This topic describes how the SAP Global Trade Services supports Single Sign-On mechanisms.

4.1 User Management User management for the SAP Global Trade Services uses the mechanisms provided by the SAP NetWeaver AS ABAP, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for the SAP Global Trade Services, see the sections below. User Administration Tools

The table below shows the tools to use for user management and user administration with the SAP Global Trade Services. User Management Tools Tool

Description

User and role maintenance with the AS ABAP (Transactions SU01, PFCG User Management Engine with the AS Java

For more information about See SAP NetWeaver Security Guide. Identity Management, see the following topics of the SAP ERP Central Component Security Guide

2012-06-15

Requirements

PUBLIC

19 /52

4


4.1

User Management

Tool

Description

Requirements

at http://help.sap.com SAP Business Suite SAP ERP SAP ERP Central Component Security Information Security Guide SAP Security Guides SAP ERP SAP ERP Security Guides SAP ERP Central Component Security Guide User Management and Authentication User Administration : User and Role Administration of ■ Application Server ABAP User Management Engine ■ User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run. The user types that are required for the SAP Global Trade Services include: ■

Individual users: ●

Dialog users are used for SAP GUI for Windows and are required for individual interactive system access with SAP Global Trade Services

■

Technical users: ●

Service users are used for as dialog user but for larger, anonymous groups of users such as service and support employees.

●

Communication users are used for dialog-free communication for RFC calls. It is required for communication between the feeder system and SAP Global Trade Services as well as between SAP Global Trade Services and the converter technology.

●

Background users are used for starting and monitoring background processing of business transactions.

For more information about these user types, see the SAP NetWeaver Security Guide at help.sap.com/nw703

(English)

SAP NetWeaver 7.0 including Enhancement Package 3

SAP NetWeaver Security Guide

http://

Security Information

Security Guide

Security Guide for SAP NetWeaver According to Usage Type Security

Guide for Usage Type AS SAP NetWeaver Application Server ABAP Security Guide

User Management

User

Types . Standard Users

There are no standard users delivered with SAP Global Trade Services. The system administrator creates the standard dialog users and assigns roles to these users. Template roles are available for user administrators in SAP Global Trade Services. These template roles include, for example, a role for legal control specialist that can be used for export control in the US. The user administrator can use this template role delivered with the system as the basis for creating

20 /52

PUBLIC

2012-06-15

4


4.2

User Data Synchronization

individually-tailored roles for a specific company. This may involve assigning authorizations to the user profile that only allow the user to work with specific document types or legal regulation(s). This is useful in a sensitive environment such as legal controls, where, for example, data protection is of the utmost importance and only specific employees are allowed to access, display or, indeed, change particular data. For more information about these standard users, see the SAP NetWeaver Security Guide at help.sap.com/nw703

(English)

http://

SAP NetWeaver 7.0 including Enhancement Package 3 Security Information Security Guide


Administration and Authentication

SAP NetWeaver Application Server ABAP Security Guide User Protecting Standard Users .

User Management

Password Rules

For more information about SAP NetWeaver password rules, see the SAP NetWeaver Security Guide at http://help.sap.com/nw703

Security Guide (English) Type




Security Guide for SAP NetWeaver According to Usage

Security Guide for Usage Type AS SAP NetWeaver Application Server ABAP Security Guide

Administration and Authentication

User

User Authentication:

■

Logon and Password Security in the ABAP System

■

Preventing Unauthorized Logons

■

Recognizing and Preventing Multiple Dialog User Logons

■

Authentication Security for SAP Shortcuts

■

Additional Information on User Authentication

4.2 User Data Synchronization With SAP Global Trade Services you can use the options for user data synchronization that are provided by SAP NetWeaver. For more information about the user data synchronization in SAP NetWeaver, see the SAP NetWeaver Security Guide at



Security Guide

Security Guide for SAP

NetWeaver According to Usage Type SAP NetWeaver Application Server ABAP Security Guide

AS ABAP

Authorization Concept Central User Administration

4.3 Integration Into Single Sign-On Environments The application supports the Single Sign-On (SSO) mechanisms that are provided by the SAP NetWeaver AS ABAP and AS Java. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide and SAP NetWeaver Application Server Java Security Guide also apply to the application.

The most widely-used supported mechanisms are listed below.

2012-06-15

PUBLIC

21 /52

4


4.3

Integration Into Single Sign-On Environments

■

Secure Network Communications (SNC) SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.

■

SAP logon tickets The application supports the use of logon tickets for SSO when using a Web browser as the frontend client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

■

Client certificates As an alternative to user authentication using a user ID and passwords, users using a Web browser as a frontend client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information about the available authentication mechanisms, see the SAP NetWeaver Security Guide at Information


Security Guide (English)



Security

Security Guide for SAP NetWeaver According

to Usage Type Security Guide for Usage Type AS SAP NetWeaver Application Server ABAP Security Guide Administration and Authentication

22 /52

User Authentication

User

Integration in Single Sign-On Environments .

PUBLIC

2012-06-15

5

Authorizations

5 Authorizations

The recommendations and guidelines for authorizations as described in the SAP NetWeaver Security Guide also apply to the SAP Global Trade Services. For more information about the authorization

concept, see the SAP NetWeaver Security Guide at Security Guide



Security Guide for SAP NetWeaver According to Usage Types SAP NetWeaver Application Server

ABAP Security Guide

SAP Authorization Concept .

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the SAP NetWeaver AS ABAP. Using authorizations you can limit users’ access to the system and therefore protect transactions and programs from unauthorized access NOTE

You must decide which user should have authorization to display, change, or delete critical data. That is, for example, vital for Human Resources data in the sanctioned party list screening for data protection reasons. For more information about the authorization control see SAP Library for SAP Global Trade Services at Application Help

http://help.sap.com/grc

Global Trade Services

Compliance Management Sanctioned Party List Screening .

Standard Roles

The table below shows the standard roles that are used by SAP Global Trade Services. Single Roles for Business Processes Role

Description

/SAPSLL/LEG_ARCH

SAP GTS: Archiving

/SAPSLL/LEG_CM

SAP GTS: Case Management

/SAPSLL/LEG_LCE_APP

SAP GTS: Legal Control - Export: Specialist

/SAPSLL/LEG_LCI_APP

SAP GTS: Legal Control - Import: Specialist

/SAPSLL/LEG_LOC_APP

SAP GTS: Letter of Credit Processing: Specialist

/SAPSLL/LEG_RES_APP

SAP GTS: Restitution Specialist

/SAPSLL/LEG_SPL_APP

SAP GTS: Sanctioned Party List Screening: Specialist This role is relevant for the sanctioned party list screening features for SAP GUI.

/SAPSLL/LEG_SPL_AUD

SAP GTS: Sanctioned Party List Screening: Screener (Auditor) This role is relevant for the sanctioned party list screening features for SAP GUI.

/SAPSLL/LEG_SPL_FI_APP

SAP GTS: Sanctioned Party List Screening Financial Accounting: Specialist

2012-06-15

PUBLIC

23 /52

5

Authorizations

Role

Description

This role is relevant for the sanctioned party list screening features for SAP GUI. /SAPSLL/LEG_SPL_FS_APP

SAP GTS: Sanctioned Party List Screening Financial Services: Specialist This role is relevant for the sanctioned party list screening features for SAP GUI.

/SAPSLL/LEG_SPL_HRAPP_APP

SAP GTS: Sanctioned Party List Screening Human Resources/Applicants: Specialist This role is relevant for the sanctioned party list screening features for SAP GUI.

/SAPSLL/LEG_SPL_HREMP_APP

SAP GTS: Sanctioned Party List Screening Human Resources/Employee: Specialist This role is relevant for the sanctioned party list screening features for SAP GUI.

/SAPSLL/LEG_SPL_LO_APP

SAP GTS: Sanctioned Party List Screening Logistics: Specialist This role is relevant for the sanctioned party list screening features for SAP GUI.

/SAPSLL/LEG_SYS_COMM

SAP GTS: Basis Administration

/SAPSLL/LEG_RFC

Communication Role for RFC Authorization

/SAPSLL/UIX_LEG_SPL_INFREQUENT

Sanctioned Party List Screening for Infrequent Users This role can only be used by the sanctioned party list screening Web-UI.

/SAPSLL/UIX_LEG_SPL_MANAGER

Sanctioned Party List Screening for Compliance Manager This role can only be used by the sanctioned party list screening Web-UI.

/SAPSLL/UIX_LEG_SPL_SPECIALIST

Sanctioned Party List Screening for Compliance Specialist This role can only be used by the sanctioned party list screening Web-UI.

/SAPSLL/UIX_LEG_SPL_SUPER

Sanctioned Party List Screening for Power User This role can only be used by the sanctioned party list screening Web-UI.

/SAPSLL/UIX_LEG_SPL_AUDITOR

Sanctioned Party List Screening for Auditor This role can only be used by the sanctioned party list screening Web-UI.

/SAPSLL/WCR_CU_EXP_SPECIALIST

Export Specialist Customs Management

/SAPSLL/WCR_CU_IMP_SPECIALIST

Import Specialist Customs Management

/SAPSLL/WCR_CU_SCP_SPECIALIST

Specialist for Inventory-Managed Customs Procedures in Customs Management

/SAPSLL/WCR_CU_EMC_SPECIALIST

Specialist for Exise Movement Control in Customs Management

/SAPSLL/WCR_CU_CLS_SPECIALIST

Specialist for Product Classification in Customs Management

/SAPSLL/WCR_CU_MDT_SPECIALIST

Master Data Specialist in Customs Management

/SAPSLL/WCR_ECR_SPECIALIST

Intrastat Declarations Specialist in Electronic Compliance Reporting

/SAPSLL/WCR_GTS_HOME

Main Entry for SAP Global Trade Services This role is only relevant for Web-UI features.

/SAPSLL/WCR_RI_PRE_SPECIALIST

Preference Processing Specialist

Standard Authorization Objects Standard Authorization Objects for Business Processes Authorization Object GTS_SPLEXT

24 /52

Field

Description

■

/SAPSLL/LR (Legal Regulation)

■

■

Legal Control: Sanctioned Party List: Author. /SAPSLL/OR (Foreign Trade Organizational LegReg + FTORG Unit ) ACTVT (Activity)

PUBLIC

2012-06-15

5

Authorizations

Authorization Object GTS_SPL

GTS_SPL_UI

GTS_RES

GTS_REX

GTS_PR_LRG

GTS_PRE

GTS_LOC

GTS_LMGM

GTS_LM_FTO

Field

Description

■


■

ACTVT (Activity)

■


■

ACTVT (Activity)

■


■

ACTVT (Activity)

■


■

■

■


■

ACTVT (Activity)

■


■

ACTVT (Activity)

Preference Processing: Authorization for Legal Regulation

■


Letter of Credit Processing: Legal Regulation

■

ACTVT (Activity)

■


■

/SAPSLL/LT (License Type)

■

ACTVT (Activity)

■

/SAPSLL/OR (Foreign Trade Organizational

In addition to the overall values mentioned below the table, you can use the following values with this authorization object: 08 for Display change documents ■ 16 for Execute (e.g. SPL-Screening) ■ 43 for Release (e.g. Blocked BP or CD) ■ 91 for Reactivate (e.g. Reactivate a SPL ■ entity) A9 for Send (e.g. Forward or escalate ■ function) DL for Download ■ H1 for Deactivate (e.g. Deactivate a SPL ■ entity) UL for Upload ■ Restitution: Authorization for Legal Regulation

Legal Control: Re-Export: Authorization GG + /SAPSLL/OR (Foreign Trade Organizational FTORG Unit ) ACTVT (Activity)

Unit ) ■

Leg. Control: Sanctioned Party List: Auth. f. Legal Regulatn

Customs Product Master: Authorization for Legal Regulation

Authorization for Legal Regulation / License Type

License: Authorization for Foreign Trade Organizational Unit

ACTVT (Activity)

NOTE

Authorization check for licenses: When you display or change business objects that are set up with the technical object of the license, the system checks whether the user has authorization for the assigned foreign trade organizations. The system uses a technical license to cover the following business objects:

2012-06-15

PUBLIC

25 /52

5

Authorizations

Authorization Object

Field

Description

Licenses in the legal control export and the legal control import Authorizations and securities ■ during the processing of customs procedures and transit procedures Securities during the ■ restitution Letters of credit during letter ■ of credit processing Therefore, you must assign the authorization object GTS_LM_FTO to each foreign trade organizational unit in the authorization maintenance for individual users. ■

GTS_LLNS

GTS_LDT

GTS_EMB

GTS_CUS

GTS_CD_LRG

GTS_CD_FTO

■

/SAPSLL/TS (Numbering Scheme for

Customs Tariff System) ACTVT (Activity)

■

■


■

ACTVT (Activity)

■


■

ACTVT (Activity)

■


■

ACTVT (Activity)

■


■

ACTVT (Activity)

■

/SAPSLL/OR (Foreign Trade Organizational

Unit ) GTS_CD_CDT

GTS_BP_LRG

GTS_BO_LRG

GTS_AU_INT

GTS_AU_EXT

/ECRS/POI

Numbering Scheme: Authoriz. for Tariff Syst. Struct. Segment Leg. Cntrl: License Determination: Auth. f. Legal Regulation Legal Control: Embargo: Authorization for Legal Regulation Customs Processing: Authorization at Legal Regulation Level Customs Document: Authorization for Legal Regulation Customs Document: Authorization for Foreign Trade Org. Unit

■

ACTVT (Activity)

■

/SAPSLL/ED (Document

■

ACTVT (Activity)

■


■

ACTVT (Activity)

■


■

/SAPSLL/BY (BOP Category)

■

ACTVT (Activity)

■

/SAPSLL/AU (Administrative Unit )

■

ACTVT (Activity)

■

/SAPSLL/AU (Administrative Unit )

■

ACTVT (Activity)

Preference Processing: External Authorization for Admin.Unit

■

/ECRS/RPC (Country of Declaration (ISO

Edit Provider of Information

Type)

Customs Document: Authorization for Document Type Customs Business Partner: Authorization for Legal Regulation Customs Worklist: Authoriz. for Legal Regul./ Worklist Catgy Preference Processing: Internal Authorization for Admin.Unit

Code))

26 /52

■

/ECRS/POI (Provider of Information ID)

■

ACTVT (Activity)

PUBLIC

2012-06-15

5

Authorizations

Authorization Object /ECRS/RP

Field ■

Description


Edit Intrastat Declarations

Code))

/ECRS/DVI

■


■

ACTVT (Activity)

■


Edit Default Values for Import

Code))

/ECRS/WL

■


■

ACTVT (Activity)

■


Edit Worklist

Code)) ■


■

ACTVT (Activity)

NOTE

The values for the determining fields that are specific to SAP Global Trade Services starting with /SAPSLL/* are variables. You can determine the variables, for example, based on the business process. For the ACTVT field, you can use the standard values, for example the following: ■

01 for create

■

02 for change

■

03 for display

■

06 for delete

Additional authorization objects are necessary for functions from the underlying SAP NetWeaver basis for SAP Global Trade Services, for example, when working with ALV lists. Also specific authorization objects are needed for additional basis technology applied in SAP Global Trade Services, for example, when using functions of SAP Case Management.

2012-06-15

PUBLIC

27 /52


6


6.1

Communication Channel Security

6 Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the database or files of the backend system. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines. The network topology for SAP Global Trade Services is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to SAP Global Trade Services. Details that specifically apply to the SAP

Global Trade Services are described in the following topics: ■

Communication Channel Security This topic describes the communication paths and protocols used by SAP Global Trade Services.

■

Network Security This topic describes the security requirements for communication destinations that you should consider for SAP Global Trade Services. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate SAP Global Trade Services.

■

Communication Destinations This topic describes the information needed for the various communication paths, for example, which users are used for which communications.

For more information, see the following topics in the SAP NetWeaver Security Guide at help.sap.com/nw703

http://

Security Information Security Guide :

■


■

Security Guides for Connectivity and Interoperability Technologies

6.1 Communication Channel Security Since communication channels are used to transfer various business data, you should protect them from unauthorized access. SAP provides general recommendations and technology to protect your system landscape based on SAP NetWeaver.

2012-06-15

PUBLIC

29 /52

6


6.2

Network Security CAUTION

To achieve a secure system landscape, you should activate Secure Network Communication (SNC) for RFC and Secure Socket Layer (SLL) protocol. The following table shows the communication channels used by SAP Global Trade Services, the protocol used for the connection, and the type of data transferred. The table below shows the communication paths used by SAP Global Trade Services, the protocol used for the connection, and the type of data transferred. Communication Paths for Business Processes of SAP Global Trade Services Communication Path

Protocol Used Type of Data Transferred

Data Requiring Special Protection

Front-end client using SAP GUI DIAG for Windows to AS ABAP

All application data

Passwords

Application to feeder system, for RFC example, plug-in

Master data and business transaction data

N/A

Application server to third-party HTTP application

System ID, client, and host name

System information (that is, host name)

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. For more information, see the SAP NetWeaver Security Guide at Information ■

Security Guide



Security

Transport Layer Security .

Enabling SSL (HTTPS) for SAP NetWeaver Application Server 7.0

The electronic exchange of business data between SAP Global Trade Services and a connected external system, for example, the converter system for communication processes with the Customs authorities, must also be protected from unauthorized access. As far as the automatic authentication of the participating systems is concerned, SAP Global Trade Services relies on the exchange of certificates, which guarantees state-of-the-art security. The communication within the system landscape for SAP Global Trade Services can be made secure using HTTPS (SSL). For more information, SSL (HTTPS) for SAP NetWeaver Application Server 7.03 see the following topics of the SAP NetWeaver Security Guide at including Enhancement Package 3




Security Guide (English)

SAP NetWeaver 7.0


Transport Layer Security(See section Additional Information) Using

SLL .

6.2 Network Security SAP Global Trade Services is based on SAP NetWeaver. Therefore, the relevant Security Guides for SAP NetWeaver are also relevant for SAP Global Trade Services. For more information about network security of the underlying SAP NetWeaver, see the SAP NetWeaver Security Guide at

30 /52

PUBLIC

http://

2012-06-15

6


6.3

Communication Destinations

help.sap.com/nw703

Security Information Security Guide

Network and Communication Security and in

particular the following topics: ■

Network Services

This topic contains information about services and ports used by SAP NetWeaver. ■

Using Firewall Systems for Access Control

This topic contains information about contains information about firewall settings. ■

Using Multiple Network Zones

This topic contains information about the network segments in which individual parts of your application are to be set up. For an overview of the network security used in the individual application areas of SAP Global Trade Services, see the section Technical System Landscape of the SAP Global Trade Services Secur ity Guide.

6.3 Communication Destinations For connecting your SAP Global Trade Services with the feeder systems of the logistics processes or the converter system for the communication with the authorities, you must set up the system communication. For more information, see the Configuration Information for SAP Global Trade Services on SAP Service Marketplace at


Installations and Upgrades - Entry by Application Group Global Trade Services

SAP Installations and Upgrades

SAP Solutions for Governance, Risk and Compliance

SAP

Installation and Upgrade .

CAUTION

Users and authorizations for connection destinations can cause high security flaws if used carelessly. Therefore, note the following security rules for communication between two systems: ■

Use the user types system and communication.

■

Assign only the minimum required authorizations to the user.

■

Choose a secure and secret password for the user system

■

Store only connection user logon data for users of type.

■

Choose trusted system functionality when ever possible instead of storing connection user logon data.

2012-06-15

PUBLIC

31 /52


7

Data Storage Security

7 Data Storage Security

SAP Global Trade Services is based on SAP NetWeaver. Therefore, the information for data storage security for SAP NetWeaver also applies to SAP Global Trade Services. For more information, see the SAP NetWeaver Security Guide at Package 3


Security Information Security Guide

SAP NetWeaver 7.0 including Enhancement

SAP NetWeaver Security Guide Network and Communication

Security

2012-06-15

PUBLIC

33 /52


8

Security for Additional Applications

8 Security for Additional Applications

The additional applications you might use with SAP Global Trade Services include converter software for which the software provider has its own security guidelines. These have been tried and tested by SAP and you should refer to these guidelines when implementing converter software for communication with customs, for example.

2012-06-15

PUBLIC

35 /52


9

Dispensable Functions with Impacts on Security

9 Dispensable Functions with Impacts on Security

All activated functions that are delivered with SAP Global Trade Services are necessary to run the business scenarios and processes. There are no dispensable functions impacting security.

2012-06-15

PUBLIC

37 /52


10

Enterprise Services Security

10 Enterprise Services Security

The following chapters in the SAP NetWeaver Security Guide are relevant for all enterprise services delivered with application: http://service.sap.com/securityguide

SAP NetWeaver 7.0x Security Guides (Complete)

SAP

NetWeaver 7.0 EhP3 Security Guides (Online Version) ■


■


■

Security Guide for Usage Type PI

■

Web Services Security

■

Security Guide Communication Interfaces

■

Security Guides for Operating System and Database Platforms

■

Security Aspects for System Management

■

Enabling Application-to-Application Processes: Security Aspects

■

Enabling Business-to-Business Processes: Security Aspects

For more information about special security requirements for Web services, see the Developer’s Guides at


Information

Developer’s Guides Fundamentals Using Java Core Development Tasks

Services Web Service Toolset

2012-06-15


Development

Providing and Consuming Web

Web Services Security .

PUBLIC

39 /52


11

Trace and Log Files

11 Trace and Log Files

Changes to master data and transactions in SAP Global Trade Services can be made using change documents. Errors in process flows are logged using the standard SAP Application Log tool. For more information about the use and setup of application logs in general, see SAP Library for SAP NetWeaver at Library



SAP

SAP NetWeaver SAP NetWeaver by Key Capability Solution Life Cycle Management by Key Capability

See section Integration -> Application LogApplication Log (BC-SRV-BAL)

For auditing user action SAP Global Trade Services uses standard SAP NetWeaver technology for its system logs and traces. For more information, see the Technical Operations Guide for SAP NetWeaver at



SAP Library

NetWeaver SAP NetWeaver by Key Capability Solution Life Cycle Management by Key Capability User Administration

Additional System Security

SAP

Security and

Security Audit Log Tools

The application logs for SAP Global Trade Services are included in the SAP Global Trade Services Operation Guide. For more information, see Upgrades

Installation and Upgrade Guides


Analytics

Governance, Risk, and Compliance

Installations and Global Trade Services

SAP Global Trade Services also provides change documents for the following objects to file all changes made to these objects. The change documents can be accessed from the object-specific monitors in the application due to their relation of the process. SAP Global Trade Services uses the SAP NetWeaver technology for change documents. ■

/SAPSLL/BOPHD (GTS: Bill of Product ) – Bill of Materials for Restitution Handling

■

/SAPSLL/BP (Business Partner )

■

/SAPSLL/CTSGEN (Legal and Logistics Services: Customs Tariff Numbers ) – Tariff Numbers

■

/SAPSLL/CUHD (SLL: Customs Document / Shipment ) – Customs Documents, Customs Declarations and

Customs Shipments ■

/SAPSLL/CUPED (GTS: Header for Period Entries) – Supplementary Customs Declaration

■

/SAPSLL/LCLIC (SLL: Legal Control: License) – License for Legal Control in the Compliance

Management Area ■

/SAPSLL/LCPRO (Project Master ) – Projects for License Assignment in Legal Control in the Compliance

Management Area ■

/SAPSLL/LC_CUSB (GTS: Duty Rates) – Customs Duty Rates

■

/SAPSLL/PR – (Customs Product )

■

/SAPSLL/PREVD (GTS: Vendor Declarations) – Long-Term Vendor Declarations

2012-06-15

PUBLIC

41 /52

11

■

Trace and Log Files

/SAPSLL/TSPL (Legal & Logistics Services: LC: SPL Master (Header Data) ) – Master Data for Sanctioned

Party List Screening in the Compliance Management Area For information about the use of change documents in gen eral, see SAP Library for SAP NetWeaver at http://help.sap.com/nw703

Function-Oriented View SAP NetWeaver by Key Capability Application

Platform by Key Capability ABAP Technology

ABAP Workbench (BC-DWB) BC Extended Applications Function

Library.

42 /52

PUBLIC

2012-06-15

12

Other Security-Relevant Information

12 Other Security-Relevant Information

Virus Checking of Document Attachments

SAP Global Trade Services provides the opportunity to check documents that are attached to messages or XML files for data upload with a virus scanner before they are stored in the data base. For checking uploaded files against viruses, the following virus scan profiles that are delivered by SAP must be activated: ■

●

/SCET/GUI_UPLOAD

■

●

/SIHTTP/HTTP_UPLOAD

To use these profiles, you must have configured a virus scanner correctly. For more information, see SAP Customizing in your SAP Global Trade Services by entering transaction code SPRO and choosing SAP Reference IMG SAP NetWeaver Application Server

System Administration Virus Scanner Interface .

In addition, refer to the following SAP Notes about configuration information for the virus scanner interface. ■

797108 (Virus scan interface (VSI): Changes and releases )

■

851789 (Virus-scan-profiles delivered by SAP )

■

817623 (Integrating a virus scan in SAP applications )

Activated virus scan profiles without a correctly configured virus scanner result in error messages during the file upload in SAP Global Trade Services.

2012-06-15

PUBLIC

43 /52


A

Appendix

A.1

Additional Related Guides

A Appendix

A.1 Additional Related Guides You can use the following guides for SAP Global Trade Services for additional information about the system landscape and its requirements: ■

Master Guide

■

Operation Guide

■

Configuration Guide

You can access these guide on SAP Service Marketplace at Installations and Upgrades and Compliance

Installations and Upgrades

SAP Global Trade Services


SAP

Installation and Upgrade Guides Analytics Governance, Risk

You can find more guides related to the SAP NetWeaver platform on SAP Service Marketplace at http://service.sap.com/installnw703

2012-06-15

.

PUBLIC

45 /52


B

Reference

B.1

The Main SAP Documentation Types

B Reference

B.1 The Main SAP Documentation Types The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software. Cross-Phase Documentation

SAPterm is SAP’s terminology database. It contains SAP-specific vocabulary in over 30 languages, as

well as many glossary entries in English and German. ■

Target group: ●

■

Relevant for all target groups

Current version: ●

On SAP Help Portal at

http://help.sap.com

Additional Information Glossary (direct

access) or Terminology (as terminology CD) ●

In the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes. ■

■

Target group: ●

Consultants

●

System administrators

●

Project teams for implementations or upgrades


On SAP Help Portal at http://help.sap.com

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available f or SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own. ■

■

Target group: ●


●

Technology consultants

●

Solution consultants


On SAP Service Marketplace at http://service.sap.com/securityguide

Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation,

2012-06-15

PUBLIC

47 /52

B

Reference

B.1


execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide and SAP Notes. ■

■

Target group: ●


●

Project teams for implementations


On SAP Service Marketplace at http://service.sap.com/instguides

The installation information describe the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any businessrelated configuration. ■

■

Target group: ●


●




Configuration Documentation – is available in SAP Solution Manager or as Configuration Guides.

SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business and IT scenarios. It contains Customizing activities, transactions, and so on, as well as documentation. ■

■

Target group: ●


●


●



In SAP Solution Manager

●

For Configuration Guides at


Installations and Upgrades - Entry by Application Group SAP Global Trade Services

SAP Installations and Upgrades

SAP Solutions for Governance, Risk and Compliance

Installation and Upgrade .

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.) ■

■

Target group: ●


●

Project teams for implementations or upgrades


48 /52

In the SAP menu of the SAP system under

Tools

PUBLIC

Customizing

IMG

2012-06-15

B

Reference

B.1


Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the solution operations guide. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/ restore, master data maintenance, transports, and tests. ■

Target group: ●

■




The solution operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks. ■

■

Target group: ●


●


●




Upgrade

The upgrade information in the master guide is the starting point for upgrading the business and IT scenarios of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as the u pgrade guides and SAP Notes. ■

■

Target group: ●


●

Project teams for upgrades



The upgrade information describe the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration. ■

■

Target group: ●


●




Release notes are documents that contain short descriptions of new features in a particular r elease or

changes to existing features since the previous release. Release notes about ABAP developments are the

2012-06-15

PUBLIC

49 /52

B

Reference

B.1


technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG). ■

■

Target group: ●

Consultants

●



On SAP Service Marketplace at http://service.sap.com/releasenotes

●

In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)

Documentation in the SAP Service Marketplace

You can find this document at the following address: http://service.sap.com/securityguide

50 /52

PUBLIC

2012-06-15

123741248-SAP-GTS-guide.pdf

Recommend Documents