Security Guide: SAP Global Trade Services 10.1
Target Audience: Technical Consultants, System Administrators
PUBLIC
Document version: 1.0 – 2012-06-15
SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany, T +49/18 05/34 34 34, F +49/18 05/34 34 20, www.sap.com
© Copyright 2012 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP Support Services and may not be modified or altered in any way.
Typographic Conventions

Example                Description
<Example>              Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your ”.
Example → Example      Arrows separating the parts of a navigation path, for example, menu options
Example                Emphasized words or expressions
Example                Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com     Textual cross-references to an internet address
/example               Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456                 Hyperlink to an SAP Note, for example, SAP Note 123456
Example                Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
Example                Cross-references to other documentation or published works
Example                Output on the screen following a user action, for example, messages
Example                Source code or syntax quoted directly from a program
Example                File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE                Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE                Keys on the keyboard
Document History

CAUTION
Before you start the implementation, make sure you have the latest version of this document. You can find the latest version on SAP Service Marketplace at http://service.sap.com/swdc → SAP Software Download Center → Installations and Upgrades → Installations and Upgrade Guides - Entry by Application Group → Analytics → Governance, Risk, and Compliance → Global Trade Services → Security Guide.

The following table provides an overview of the most important document changes.

Version   Date         Description
1.0       2012-06-15   Public
Table of Contents

Chapter 1   Introduction   7
Chapter 2   Before You Start   11
Chapter 3   Technical System Landscape   15
Chapter 4   User Administration and Authentication   19
    4.1   User Management   19
    4.2   User Data Synchronization   21
    4.3   Integration Into Single Sign-On Environments   21
Chapter 5   Authorizations   23
Chapter 6   Network and Communication Security   29
    6.1   Communication Channel Security   29
    6.2   Network Security   30
    6.3   Communication Destinations   31
Chapter 7   Data Storage Security   33
Chapter 8   Security for Additional Applications   35
Chapter 9   Dispensable Functions with Impacts on Security   37
Chapter 10  Enterprise Services Security   39
Chapter 11  Trace and Log Files   41
Chapter 12  Other Security-Relevant Information   43
Chapter A   Appendix   45
    A.1   Additional Related Guides   45
Chapter B   Reference   47
    B.1   The Main SAP Documentation Types   47
1 Introduction
CAUTION
This guide does not replace the administration or operation guides that are available for productive operations. This document is not included as part of the Installation Information, Configuration Guides, or Technical Operation Manuals. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

Why is Security Necessary
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information.
Data protection is of particular importance in the area of sanctioned party list (SPL) screening, for example, where sensitive data from Human Capital Management of SAP ERP (SAP ERP HCM) must not be viewable or modifiable by unauthorized persons. Access to this sensitive data can be controlled by the enhanced authorization concept, which enables administrators to restrict the authorized users to specifically selected users from one foreign trade organization, for example. The security measures available ensure that the SPL screening results of business partners from “sensitive” countries can only be viewed or modified by employees who are either from the same country or from the same country group.
User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to the business scenarios of SAP Global Trade Services. To assist you in securing SAP Global Trade Services, we provide this Security Guide.

About This Document
The Security Guide provides an overview of the security-relevant information that applies to SAP Global Trade Services. Since SAP Global Trade Services is based on and runs on SAP NetWeaver technology, read the Security Guide for SAP NetWeaver at http://help.sap.com/nw703 → Security Information → Security Guide. All Security Guides published by SAP are available on SAP Service Marketplace at http://service.sap.com/securityguide.
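The country-based rule for SPL screening results described in the introduction (results for business partners from “sensitive” countries may only be viewed or changed by employees from the same country or the same country group, optionally limited further to one foreign trade organization) can be modelled as a deny-by-default decision function. The following is an added illustration written for this guide, not SAP's implementation or customizing: the country groups, the sensitive-country set, the employee attributes and the sample business partners are all constructed.

```python
"""Constructed illustration of the SPL screening access rule from the introduction.

Added example, not SAP's implementation: it models the stated rule as a
deny-by-default decision function that also records why each request was
allowed or refused, so an administrator can review the outcome of the rule
against sample data.
"""
from dataclasses import dataclass

# Constructed customizing; real country groups and sensitivity flags are
# maintained in the system, not hard-coded like this.
COUNTRY_GROUPS = {
    "EU": {"DE", "FR", "NL", "AT"},
    "NORTH_AMERICA": {"US", "CA", "MX"},
}
SENSITIVE_COUNTRIES = {"DE", "US"}
ACTIVITIES = {"display", "change"}


@dataclass(frozen=True)
class Employee:
    user_id: str
    country: str
    foreign_trade_org: str  # assumed attribute used for the organization restriction


@dataclass(frozen=True)
class ScreeningResult:
    partner_id: str
    partner_country: str
    foreign_trade_org: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def country_groups_of(country: str) -> set:
    """All configured country groups that contain the given country."""
    return {name for name, members in COUNTRY_GROUPS.items() if country in members}


def may_access(employee: Employee, result: ScreeningResult, activity: str) -> Decision:
    """Deny by default: every allow path is an explicit, named rule."""
    if activity not in ACTIVITIES:
        return Decision(False, f"unknown activity {activity!r}")
    if employee.foreign_trade_org != result.foreign_trade_org:
        return Decision(False, "different foreign trade organization")
    if result.partner_country not in SENSITIVE_COUNTRIES:
        return Decision(True, "partner country is not sensitive")
    if employee.country == result.partner_country:
        return Decision(True, "same country as the business partner")
    shared = country_groups_of(employee.country) & country_groups_of(result.partner_country)
    if shared:
        return Decision(True, "same country group: " + ", ".join(sorted(shared)))
    return Decision(False, "sensitive country outside the employee's country or country group")


def visible_results(employee: Employee, results, activity: str = "display"):
    """Filter a result list to what the employee may access.
    Returns (allowed partner IDs, audit trail of (partner_id, allowed, reason))."""
    allowed, trail = [], []
    for r in results:
        d = may_access(employee, r, activity)
        trail.append((r.partner_id, d.allowed, d.reason))
        if d.allowed:
            allowed.append(r.partner_id)
    return allowed, trail


# Constructed sample screening results.
SAMPLE_RESULTS = [
    ScreeningResult("BP-1001", "DE", "FTO-EU"),
    ScreeningResult("BP-1002", "US", "FTO-EU"),
    ScreeningResult("BP-1003", "CA", "FTO-EU"),
    ScreeningResult("BP-1004", "DE", "FTO-US"),
]

if __name__ == "__main__":
    for emp in (Employee("JMUELLER", "DE", "FTO-EU"),
                Employee("PDUPONT", "FR", "FTO-EU"),
                Employee("JSMITH", "US", "FTO-EU")):
        ids, trail = visible_results(emp, SAMPLE_RESULTS)
        print(emp.user_id, "may display", ids)
        for partner, ok, why in trail:
            print("   ", partner, "allow" if ok else "deny", ":", why)
```

The audit trail is the part worth keeping in a real system: a reviewer can see that a French employee reached a German partner's result through the EU country group rather than through a missing check, and that every refusal names the rule that produced it.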
The Security Guide for SAP Global Trade Services contains security-relevant information about the following application areas within SAP Global Trade Services:
■ Customs Processing
■ Compliance Management
■ Preference Processing
■ Letter of Credit
■ Restitution
■ Electronic Compliance Reporting
This guide is also valid for the export-specific product that is based on SAP Global Trade Services, called SAP Customs Processing for Automated Export Systems (SAP Customs Processing for AES), which is currently available for processing exports using the electronic Customs processes with ATLAS Ausfuhr of the German Customs authorities.
Security in the context of these application areas of SAP Global Trade Services comprises the following aspects:
■ User authentication
■ Support of Single Sign-On
■ Administration and checking of user authorization to prevent unauthorized access to saved data
■ General access control, including protection of the system against unauthorized external access
■ Safeguarding of data against unauthorized access when business data is being exchanged between SAP Global Trade Services and external systems
In many cases, the required information has already been provided in other Security Guides and in configuration and installation information. In these cases, we have provided a reference to the relevant sections within these guides.

Overview of the Main Sections
The Security Guide comprises the following main sections:
■ Before You Start: This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.
■ Technical System Landscape: This section provides an overview of the technical components and communication paths that are used by SAP Global Trade Services.
■ User Administration and Authentication: This section provides an overview of the following user administration and authentication aspects:
    ● Recommended tools to use for user management
    ● User types that are required by SAP Global Trade Services
    ● Overview of how integration into Single Sign-On environments is possible
■ Authorizations: This section provides an overview of the authorization concept that applies to SAP Global Trade Services.
■ Network and Communication Security: This section provides an overview of the communication paths used by SAP Global Trade Services and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.
■ Data Storage Security: This section provides an overview of any critical data that is used by SAP Global Trade Services and the security mechanisms that apply.
■ Security for Third-Party or Additional Applications: This section provides security information that applies to third-party or additional applications that are used with SAP Global Trade Services.
■ Trace and Log Files: This section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breach does occur.
■ Appendix: This section provides references to further information.
SAP Global Trade Services is based on SAP standard technology of SAP NetWeaver 7.0. This means that only the official precepts of the SAP security strategy are used. The standard tools and mechanisms of the SAP NetWeaver platform are used.
2 Before You Start
Fundamental Security Guides
SAP Global Trade Services is an add-on to SAP NetWeaver and its application platform usage types. Therefore, the corresponding Security Guides also apply to SAP Global Trade Services. Refer to the following specific SAP NetWeaver Security Guides depending on your system landscape as indicated in the tables below. All Security Guides can be accessed at http://help.sap.com/nw703 → Security Information → Security Guide.

Fundamental SAP NetWeaver Security Guides for SAP Global Trade Services
■ Security Guide: SAP NetWeaver 7.0 Enhancement Package 3 Application Server (AS) for ABAP. Most-relevant sections or specific restrictions: necessary for general security issues of the basis SAP NetWeaver technology for SAP Global Trade Services. You can use the overall Security Guide for generic topics, for example, including User Administration and Authentication or Network and Communication Strategy.

Optional SAP NetWeaver Security Guides for SAP Global Trade Services
■ Security Guide According to Usage Types and Specific Topics: Business Intelligence (BI). Most-relevant sections or specific restrictions: depending upon whether you use BI functions with SAP Global Trade Services for analyzing your processes.
■ Security Guide According to Usage Types and Specific Topics: Application Server (AS) for Java. Most-relevant sections or specific restrictions: when using printing functionality that utilizes the Adobe Document Server (ADS).
■ Security Guide According to Usage Types and Specific Topics: SAP Interactive Forms Solution Security Guide. Most-relevant sections or specific restrictions: when using print forms in SAP Global Trade Services, for example Customs forms in SAP Customs Management, in addition to the AS for Java. For more information, see http://help.sap.com/nw703 → Security Information → Security Guide → Security Guide for SAP NetWeaver According to Usage Types → SAP Interactive Forms Based On Adobe Software Security Guide. For more information about security-related information for the Adobe Reader, see SAP Note 853497.
NOTE
Although SAP Global Trade Services does not use interactive forms, the above-mentioned Security Guide does contain security-related information on topics that are related to setting up standard RFC destinations for communicating with the Adobe Document Server and for printing standard Adobe forms in Customs communication processes.

For a complete list of the available SAP Security Guides, see SAP Service Marketplace at http://service.sap.com/securityguide.
Important SAP Notes
The most important SAP Notes that apply to the security of SAP Global Trade Services are shown in the table below.

Important SAP Notes
■ SAP Note 1501945, Secure Configuration SAP NW: This note contains information about how the NetWeaver platform can be configured securely.
■ SAP Note 797108, Virus scan interface (VSI): Changes and releases: SAP Note about configuration information for the virus scanner interface for virus checking attachments, for example in the electronic communication with the authorities.
■ SAP Note 851789, Virus-scan-profiles delivered by SAP: SAP Note about configuration information for the virus scanner interface for virus checking attachments, for example in the electronic communication with the authorities.
■ SAP Note 817623, Integrating a virus scan in SAP applications: SAP Note about configuration information for the virus scanner interface for virus checking attachments, for example in the electronic communication with the authorities.
■ SAP Note 853497, Adobe Acrobat Reader creates temporary files: SAP Note about using the Acrobat Reader for displaying Adobe attachments or document previews.

In addition, you can find a list of security-relevant SAP Hot News and SAP Notes on the SAP Service Marketplace at https://service.sap.com/securitynotes.

Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.
Quick Links to Additional Information

Content                 Quick Link on the SAP Service Marketplace or SDN
Security                http://sdn.sap.com/irj/sdn/security, http://service.sap.com/security
Security Guides         https://service.sap.com/securityguide
Related SAP Notes       https://service.sap.com/notes
Released Platforms      https://service.sap.com/pam, https://service.sap.com/platforms
Network Security        https://service.sap.com/securityguide, https://service.sap.com/network
SAP Solution Manager    https://service.sap.com/solutionmanager
SAP NetWeaver           http://sdn.sap.com/irj/sdn/netweaver
3 Technical System Landscape
The diagram below shows an overview of the technical system landscape for the software components for running the processes in SAP Global Trade Services.
Figure 1: Overview of the technical system landscape for running the processes in SAP Global Trade Services

With SAP Global Trade Services, you have an add-on application that receives its data from a feeder system, such as SAP ERP. You can also use non-SAP systems as a feeder system. If you are using an SAP system as your feeder system, then the software components SAP_ABA and SAP_BASIS of the SAP NetWeaver ABAP stack in the feeder system are mandatory, together with the plug-in specific to SAP Global Trade Services, called SLL_PI 900_*, to facilitate communication between the systems. In the system for SAP Global Trade Services, you also need software component SAP_AP in addition to SAP_ABA and SAP_BASIS. In addition to connecting the feeder systems through the plug-in that communicates with SAP Global Trade Services by Remote Function Calls, you can use interfaces for other system connections. For processing customs procedures, you can use process data from SAP Transportation Management in addition to the logistics data of SAP ERP. The system connection to SAP Transportation Management is facilitated by SOA services. However, if you are using a non-SAP system, these components are not required.

■ Compliance Management
The Compliance Management area enables you to comply with national and international trade regulations, combining embargo checks, legal import and export controls, and sanctioned party list screening. You can, for example, upload sanctioned party lists in XML file format from third-party data providers and screen your business partners against these sanctioned party lists. You can fully integrate the screening process with your feeder system SAP ERP. There you can integrate these checks into your logistics processes of materials management and sales and distribution. You can also choose to integrate sanctioned party list checks into the processes of the finance and human resources modules of SAP ERP as well as the industry solution for financial accounting.

■ Customs Management
The Customs Management area enables you to directly communicate with Customs offices and adhere to the regulations of these national authorities in cross-border trade when placing goods in specific Customs procedures. To facilitate this communication, you need to install converter software. The converter software has its own security guidelines to which you must adhere. This converter software maps SAP IDocs to EDIFACT messages for the customs offices to read and, in turn, receives EDIFACT messages from them, which are then converted to SAP IDocs for SAP Customs Management. The security measures required for communication with third parties in IDoc format are described in the SAP NetWeaver Application Server Security Guides. Communication between the EDI converter and SAP Global Trade Services takes place using standard ALE technology and RFC destinations. For more information about the security measures for this technology, see the SAP NetWeaver Security Guide.
You can print out Adobe forms for customs processes, and to do so you require a connection to the Adobe Document Server. Communication with the Adobe Document Server takes place using standard RFC destinations, and role and user administration.

■ Preference Processing
The Preference Processing area facilitates traders in indicating their goods for preferential customs treatment. This involves handling inbound and outbound long-term vendor declarations as well as determining the preferential status of goods based on long-term vendor declarations and/or the preference determination process. For externally procured goods, the preferential status is based on the relevant long-term vendor declarations. For goods with the procurement types in-house production and mixed origin (partially produced in-house and partially procured externally), the preference determination is used in addition to determine the preferential status. The preference determination is based on procedures and rules for Harmonized System codes in preference agreements. Both the preference agreements and the codes for classifying the products can be uploaded from a third-party data provider.
■ Letter of Credit
The Letter of Credit area enables traders to mitigate financial risks by working with letters of credit in standard inbound and outbound processes. The letters of credit ensure that shipping dates and costs, for example, are agreed and assured by both the importer and the exporter and their representing banks.

■ Restitution Handling
The Restitution Handling area enables exporters to apply for export refunds on common agricultural products. This includes managing and monitoring bank securities and export licenses in a legally compliant manner.

■ Electronic Compliance Reporting
The Electronic Compliance Reporting area enables companies within the European Union to create Intrastat declarations for the authorities. In these Intrastat declarations, a company reports goods movements with other member states or statistical regions of the European Union, for which information is required by the statistical authorities of a country.

For more information about the technical system landscape, see the resources listed in the table below.

More Information About the Technical System Landscape
■ Topic: Technical description for SAP Global Trade Services and the underlying technological components such as SAP NetWeaver. Guide/Tool: Master Guide. Quick Link to the SAP Service Marketplace or SDN: http://service.sap.com/swdc → Installations and Upgrades → Installation and Upgrade Guides → SAP Solutions for Governance, Risk and Compliance → SAP Global Trade Services → Installation and Upgrade
■ Topic: High availability. Guide/Tool: High Availability for SAP Solutions. Quick Link: http://sdn.sap.com/irj/sdn/ha
■ Topic: Technical landscape design. Guide/Tool: See applicable documents. Quick Link: http://sdn.sap.com/irj/sdn/landscapedesign
■ Topic: Security. Guide/Tool: See applicable documents. Quick Link: http://service.sap.com/security
4 User Administration and Authentication
SAP Global Trade Services uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide also apply to SAP Global Trade Services. For more information, see http://help.sap.com/nw703 → Security Information → Security Guide → Security Guide for SAP NetWeaver According to Usage Type → SAP NetWeaver Application Server ABAP Security Guide.
In addition to these guidelines, we include information about user administration and authentication that specifically applies to SAP Global Trade Services in the following topics:
■ User Management: This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with SAP Global Trade Services.
■ User Data Synchronization: SAP Global Trade Services shares user data with [list sources]. This topic describes how the user data is synchronized with these other sources.
■ Integration Into Single Sign-On Environments: This topic describes how SAP Global Trade Services supports Single Sign-On mechanisms.

4.1 User Management
User management for SAP Global Trade Services uses the mechanisms provided by the SAP NetWeaver AS ABAP, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for SAP Global Trade Services, see the sections below.

User Administration Tools
The table below shows the tools to use for user management and user administration with SAP Global Trade Services.

User Management Tools
■ Tool: User and role maintenance with the AS ABAP (Transactions SU01, PFCG). Description: See SAP NetWeaver Security Guide.
■ Tool: User Management Engine with the AS Java. Description: For more information about Identity Management, see the following topics of the SAP ERP Central Component Security Guide at http://help.sap.com → SAP Business Suite → SAP ERP → SAP ERP Central Component → Security Information → Security Guide → SAP Security Guides → SAP ERP Security Guides → SAP ERP Central Component Security Guide → User Management and Authentication → User Administration: User and Role Administration of Application Server ABAP; User Management Engine.

User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run. The user types that are required for SAP Global Trade Services include:
■ Individual users:
    ● Dialog users are used for SAP GUI for Windows and are required for individual interactive system access with SAP Global Trade Services.
■ Technical users:
    ● Service users are used like dialog users, but for larger, anonymous groups of users such as service and support employees.
    ● Communication users are used for dialog-free communication for RFC calls. They are required for communication between the feeder system and SAP Global Trade Services as well as between SAP Global Trade Services and the converter technology.
    ● Background users are used for starting and monitoring background processing of business transactions.
For more information about these user types, see the SAP NetWeaver Security Guide at help.sap.com/nw703
(English)
SAP NetWeaver 7.0 including Enhancement Package 3
SAP NetWeaver Security Guide
http://
Security Information
Security Guide
Security Guide for SAP NetWeaver According to Usage Type Security
Guide for Usage Type AS SAP NetWeaver Application Server ABAP Security Guide
User Management
User
Types . Standard Users
There are no standard users delivered with SAP Global Trade Services. The system administrator creates the standard dialog users and assigns roles to these users. Template roles are available for user administrators in SAP Global Trade Services. These template roles include, for example, a role for legal control specialist that can be used for export control in the US. The user administrator can use this template role delivered with the system as the basis for creating individually-tailored roles for a specific company. This may involve assigning authorizations to the user profile that only allow the user to work with specific document types or legal regulation(s). This is useful in a sensitive environment such as legal controls, where, for example, data protection is of the utmost importance and only specific employees are allowed to access, display or, indeed, change particular data.

For more information about these standard users, see the SAP NetWeaver Security Guide at http://help.sap.com/nw703 → SAP NetWeaver 7.0 including Enhancement Package 3 → Security Information → Security Guide (English) → SAP NetWeaver Security Guide → SAP NetWeaver Application Server ABAP Security Guide → User Administration and Authentication → User Management → Protecting Standard Users.

Password Rules

For more information about SAP NetWeaver password rules, see the SAP NetWeaver Security Guide at http://help.sap.com/nw703 → SAP NetWeaver 7.0 including Enhancement Package 3 → Security Information → Security Guide (English) → SAP NetWeaver Security Guide → Security Guide for SAP NetWeaver According to Usage Type → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Administration and Authentication → User Authentication:
■ Logon and Password Security in the ABAP System
■ Preventing Unauthorized Logons
■ Recognizing and Preventing Multiple Dialog User Logons
■ Authentication Security for SAP Shortcuts
■ Additional Information on User Authentication
4.2 User Data Synchronization

With SAP Global Trade Services you can use the options for user data synchronization that are provided by SAP NetWeaver. For more information about the user data synchronization in SAP NetWeaver, see the SAP NetWeaver Security Guide at http://help.sap.com/nw703 → Security Information → Security Guide → Security Guide for SAP NetWeaver According to Usage Type → SAP NetWeaver Application Server ABAP Security Guide → AS ABAP Authorization Concept → Central User Administration.
4.3 Integration Into Single Sign-On Environments

The application supports the Single Sign-On (SSO) mechanisms that are provided by the SAP NetWeaver AS ABAP and AS Java. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide and SAP NetWeaver Application Server Java Security Guide also apply to the application.

The most widely-used supported mechanisms are listed below.
■ Secure Network Communications (SNC): SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.
■ SAP logon tickets: The application supports the use of logon tickets for SSO when using a Web browser as the frontend client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.
■ Client certificates: As an alternative to user authentication using a user ID and passwords, users using a Web browser as a frontend client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information about the available authentication mechanisms, see the SAP NetWeaver Security Guide at http://help.sap.com/nw703 → SAP NetWeaver 7.0 including Enhancement Package 3 → Security Information → Security Guide (English) → SAP NetWeaver Security Guide → Security Guide for SAP NetWeaver According to Usage Type → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Administration and Authentication → User Authentication → Integration in Single Sign-On Environments.
5 Authorizations

The recommendations and guidelines for authorizations as described in the SAP NetWeaver Security Guide also apply to SAP Global Trade Services. For more information about the authorization concept, see the SAP NetWeaver Security Guide at http://help.sap.com/nw703 → Security Information → Security Guide → Security Guide for SAP NetWeaver According to Usage Types → SAP NetWeaver Application Server ABAP Security Guide → SAP Authorization Concept.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the SAP NetWeaver AS ABAP. Using authorizations you can limit users’ access to the system and therefore protect transactions and programs from unauthorized access.

NOTE
You must decide which user should have authorization to display, change, or delete critical data. This is vital, for example, for Human Resources data in the sanctioned party list screening for data protection reasons. For more information about the authorization control, see SAP Library for SAP Global Trade Services at http://help.sap.com/grc → Global Trade Services → Application Help → Compliance Management → Sanctioned Party List Screening.
Standard Roles

The table below shows the standard roles that are used by SAP Global Trade Services.

Single Roles for Business Processes (Role – Description)

/SAPSLL/LEG_ARCH – SAP GTS: Archiving
/SAPSLL/LEG_CM – SAP GTS: Case Management
/SAPSLL/LEG_LCE_APP – SAP GTS: Legal Control - Export: Specialist
/SAPSLL/LEG_LCI_APP – SAP GTS: Legal Control - Import: Specialist
/SAPSLL/LEG_LOC_APP – SAP GTS: Letter of Credit Processing: Specialist
/SAPSLL/LEG_RES_APP – SAP GTS: Restitution Specialist
/SAPSLL/LEG_SPL_APP – SAP GTS: Sanctioned Party List Screening: Specialist. This role is relevant for the sanctioned party list screening features for SAP GUI.
/SAPSLL/LEG_SPL_AUD – SAP GTS: Sanctioned Party List Screening: Screener (Auditor). This role is relevant for the sanctioned party list screening features for SAP GUI.
/SAPSLL/LEG_SPL_FI_APP – SAP GTS: Sanctioned Party List Screening Financial Accounting: Specialist. This role is relevant for the sanctioned party list screening features for SAP GUI.
/SAPSLL/LEG_SPL_FS_APP – SAP GTS: Sanctioned Party List Screening Financial Services: Specialist. This role is relevant for the sanctioned party list screening features for SAP GUI.
/SAPSLL/LEG_SPL_HRAPP_APP – SAP GTS: Sanctioned Party List Screening Human Resources/Applicants: Specialist. This role is relevant for the sanctioned party list screening features for SAP GUI.
/SAPSLL/LEG_SPL_HREMP_APP – SAP GTS: Sanctioned Party List Screening Human Resources/Employee: Specialist. This role is relevant for the sanctioned party list screening features for SAP GUI.
/SAPSLL/LEG_SPL_LO_APP – SAP GTS: Sanctioned Party List Screening Logistics: Specialist. This role is relevant for the sanctioned party list screening features for SAP GUI.
/SAPSLL/LEG_SYS_COMM – SAP GTS: Basis Administration
/SAPSLL/LEG_RFC – Communication Role for RFC Authorization
/SAPSLL/UIX_LEG_SPL_INFREQUENT – Sanctioned Party List Screening for Infrequent Users. This role can only be used by the sanctioned party list screening Web-UI.
/SAPSLL/UIX_LEG_SPL_MANAGER – Sanctioned Party List Screening for Compliance Manager. This role can only be used by the sanctioned party list screening Web-UI.
/SAPSLL/UIX_LEG_SPL_SPECIALIST – Sanctioned Party List Screening for Compliance Specialist. This role can only be used by the sanctioned party list screening Web-UI.
/SAPSLL/UIX_LEG_SPL_SUPER – Sanctioned Party List Screening for Power User. This role can only be used by the sanctioned party list screening Web-UI.
/SAPSLL/UIX_LEG_SPL_AUDITOR – Sanctioned Party List Screening for Auditor. This role can only be used by the sanctioned party list screening Web-UI.
/SAPSLL/WCR_CU_EXP_SPECIALIST – Export Specialist Customs Management
/SAPSLL/WCR_CU_IMP_SPECIALIST – Import Specialist Customs Management
/SAPSLL/WCR_CU_SCP_SPECIALIST – Specialist for Inventory-Managed Customs Procedures in Customs Management
/SAPSLL/WCR_CU_EMC_SPECIALIST – Specialist for Excise Movement Control in Customs Management
/SAPSLL/WCR_CU_CLS_SPECIALIST – Specialist for Product Classification in Customs Management
/SAPSLL/WCR_CU_MDT_SPECIALIST – Master Data Specialist in Customs Management
/SAPSLL/WCR_ECR_SPECIALIST – Intrastat Declarations Specialist in Electronic Compliance Reporting
/SAPSLL/WCR_GTS_HOME – Main Entry for SAP Global Trade Services. This role is only relevant for Web-UI features.
/SAPSLL/WCR_RI_PRE_SPECIALIST – Preference Processing Specialist
Standard Authorization Objects

Standard Authorization Objects for Business Processes (Authorization Object / Fields / Description)

Authorization Object: GTS_SPLEXT
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ /SAPSLL/OR (Foreign Trade Organizational Unit) ■ ACTVT (Activity)
Description: Legal Control: Sanctioned Party List: Author. LegReg + FTORG

Authorization Object: GTS_SPL
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)
Description: Leg. Control: Sanctioned Party List: Auth. f. Legal Regulatn

Authorization Object: GTS_SPL_UI
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)
Description: In addition to the overall values mentioned below the table, you can use the following values with this authorization object:
■ 08 for Display change documents
■ 16 for Execute (e.g. SPL-Screening)
■ 43 for Release (e.g. Blocked BP or CD)
■ 91 for Reactivate (e.g. Reactivate a SPL entity)
■ A9 for Send (e.g. Forward or escalate function)
■ DL for Download
■ H1 for Deactivate (e.g. Deactivate a SPL entity)
■ UL for Upload

Authorization Object: GTS_RES
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)
Description: Restitution: Authorization for Legal Regulation

Authorization Object: GTS_REX
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ /SAPSLL/OR (Foreign Trade Organizational Unit) ■ ACTVT (Activity)
Description: Legal Control: Re-Export: Authorization GG + FTORG

Authorization Object: GTS_PR_LRG
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)
Description: Customs Product Master: Authorization for Legal Regulation

Authorization Object: GTS_PRE
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)
Description: Preference Processing: Authorization for Legal Regulation

Authorization Object: GTS_LOC
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)
Description: Letter of Credit Processing: Legal Regulation

Authorization Object: GTS_LMGM
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ /SAPSLL/LT (License Type) ■ ACTVT (Activity)
Description: Authorization for Legal Regulation / License Type

Authorization Object: GTS_LM_FTO
Fields: ■ /SAPSLL/OR (Foreign Trade Organizational Unit) ■ ACTVT (Activity)
Description: License: Authorization for Foreign Trade Organizational Unit
NOTE
Authorization check for licenses: When you display or change business objects that are set up with the technical object of the license, the system checks whether the user has authorization for the assigned foreign trade organizations. The system uses a technical license to cover the following business objects:
■ Licenses in the legal control export and the legal control import
■ Authorizations and securities during the processing of customs procedures and transit procedures
■ Securities during the restitution
■ Letters of credit during letter of credit processing
Therefore, you must assign the authorization object GTS_LM_FTO to each foreign trade organizational unit in the authorization maintenance for individual users.

Authorization Object: GTS_LLNS
Fields: ■ /SAPSLL/TS (Numbering Scheme for Customs Tariff System) ■ ACTVT (Activity)
Description: Numbering Scheme: Authoriz. for Tariff Syst. Struct. Segment

Authorization Object: GTS_LDT
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)
Description: Leg. Cntrl: License Determination: Auth. f. Legal Regulation

Authorization Object: GTS_EMB
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)
Description: Legal Control: Embargo: Authorization for Legal Regulation

Authorization Object: GTS_CUS
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)
Description: Customs Processing: Authorization at Legal Regulation Level

Authorization Object: GTS_CD_LRG
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)
Description: Customs Document: Authorization for Legal Regulation

Authorization Object: GTS_CD_FTO
Fields: ■ /SAPSLL/OR (Foreign Trade Organizational Unit) ■ ACTVT (Activity)
Description: Customs Document: Authorization for Foreign Trade Org. Unit

Authorization Object: GTS_CD_CDT
Fields: ■ /SAPSLL/ED (Document Type) ■ ACTVT (Activity)
Description: Customs Document: Authorization for Document Type

Authorization Object: GTS_BP_LRG
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ ACTVT (Activity)
Description: Customs Business Partner: Authorization for Legal Regulation

Authorization Object: GTS_BO_LRG
Fields: ■ /SAPSLL/LR (Legal Regulation) ■ /SAPSLL/BY (BOP Category) ■ ACTVT (Activity)
Description: Customs Worklist: Authoriz. for Legal Regul./ Worklist Catgy

Authorization Object: GTS_AU_INT
Fields: ■ /SAPSLL/AU (Administrative Unit) ■ ACTVT (Activity)
Description: Preference Processing: Internal Authorization for Admin.Unit

Authorization Object: GTS_AU_EXT
Fields: ■ /SAPSLL/AU (Administrative Unit) ■ ACTVT (Activity)
Description: Preference Processing: External Authorization for Admin.Unit

Authorization Object: /ECRS/POI
Fields: ■ /ECRS/RPC (Country of Declaration (ISO Code)) ■ /ECRS/POI (Provider of Information ID) ■ ACTVT (Activity)
Description: Edit Provider of Information

Authorization Object: /ECRS/RP
Fields: ■ /ECRS/RPC (Country of Declaration (ISO Code)) ■ /ECRS/POI (Provider of Information ID) ■ ACTVT (Activity)
Description: Edit Intrastat Declarations

Authorization Object: /ECRS/DVI
Fields: ■ /ECRS/RPC (Country of Declaration (ISO Code)) ■ /ECRS/POI (Provider of Information ID) ■ ACTVT (Activity)
Description: Edit Default Values for Import

Authorization Object: /ECRS/WL
Fields: ■ /ECRS/RPC (Country of Declaration (ISO Code)) ■ /ECRS/POI (Provider of Information ID) ■ ACTVT (Activity)
Description: Edit Worklist

NOTE
The values for the determining fields that are specific to SAP Global Trade Services starting with /SAPSLL/* are variables. You can determine the variables, for example, based on the business process. For the ACTVT field, you can use the standard values, for example the following:
■ 01 for create
■ 02 for change
■ 03 for display
■ 06 for delete

Additional authorization objects are necessary for functions from the underlying SAP NetWeaver basis for SAP Global Trade Services, for example, when working with ALV lists. Also specific authorization objects are needed for additional basis technology applied in SAP Global Trade Services, for example, when using functions of SAP Case Management.
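The authorization checks and ACTVT values described in this chapter, as an added example that is not part of the SAP guide: a Python model of the ABAP AUTHORITY-CHECK semantics applied to GTS_SPL and GTS_LM_FTO, plus a least-privilege review of a role's ACTVT values. The object, field and activity codes are those listed above; the role contents, the legal regulation codes SPLUS/SPLDE and the foreign trade organizational units FTO_US/FTO_DE are constructed for illustration.

```python
# Added example (not SAP code): model of the ABAP AUTHORITY-CHECK logic for the
# GTS authorization objects listed above. Object, field and ACTVT codes are from
# the guide; roles, regulation codes and FTO units below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ACTVT values named in the guide (standard values plus the GTS_SPL_UI extras).
ACTVT_NAMES = {
    "01": "create", "02": "change", "03": "display", "06": "delete",
    "08": "display change documents", "16": "execute", "43": "release",
    "91": "reactivate", "A9": "send", "DL": "download", "H1": "deactivate",
    "UL": "upload",
}


@dataclass
class Authorization:
    """One authorization instance of an object as maintained in PFCG:
    a tuple of permitted values per field; '*' permits every value."""
    obj: str
    values: Dict[str, Tuple[str, ...]]


def authority_check(auths: List[Authorization], obj: str, fields: Dict[str, str]) -> bool:
    """AUTHORITY-CHECK semantics: the check succeeds only if one single
    authorization for `obj` matches every checked field at the same time.
    Values spread over two separate authorizations never combine."""
    for a in auths:
        if a.obj != obj:
            continue
        if all(v in a.values.get(f, ()) or "*" in a.values.get(f, ())
               for f, v in fields.items()):
            return True
    return False


def excess_activities(auths: List[Authorization], obj: str, allowed: Tuple[str, ...]) -> List[str]:
    """Least-privilege review: ACTVT values granted for `obj` beyond `allowed`.
    A '*' is expanded to every ACTVT code known to this model (simplification)."""
    granted = set()
    for a in auths:
        if a.obj == obj:
            actvt = a.values.get("ACTVT", ())
            granted |= set(ACTVT_NAMES) if "*" in actvt else set(actvt)
    return sorted(granted - set(allowed))


# Constructed role for a display-only SPL auditor, restricted to one FTO unit.
AUDITOR_ROLE = [
    Authorization("GTS_SPL", {"/SAPSLL/LR": ("SPLUS",), "ACTVT": ("03", "08")}),
    Authorization("GTS_LM_FTO", {"/SAPSLL/OR": ("FTO_US",), "ACTVT": ("03",)}),
]

# Constructed role where a failed check was "fixed" with ACTVT = '*'.
OVERBROAD_ROLE = [
    Authorization("GTS_SPL", {"/SAPSLL/LR": ("SPLUS",), "ACTVT": ("*",)}),
]

# Constructed role: change rights only for SPLDE, display only for SPLUS.
SPLIT_ROLE = [
    Authorization("GTS_SPL", {"/SAPSLL/LR": ("SPLDE",), "ACTVT": ("02",)}),
    Authorization("GTS_SPL", {"/SAPSLL/LR": ("SPLUS",), "ACTVT": ("03",)}),
]


def review() -> Dict[str, object]:
    """Run the checks a role reviewer would want to see and return the results."""
    return {
        # Display of a license assigned to FTO_US is allowed ...
        "auditor_display_us": authority_check(
            AUDITOR_ROLE, "GTS_LM_FTO", {"/SAPSLL/OR": "FTO_US", "ACTVT": "03"}),
        # ... but not for FTO_DE: GTS_LM_FTO must be assigned per FTO unit.
        "auditor_display_de": authority_check(
            AUDITOR_ROLE, "GTS_LM_FTO", {"/SAPSLL/OR": "FTO_DE", "ACTVT": "03"}),
        # Releasing a blocked partner (43) is not in the auditor's ACTVT list.
        "auditor_release": authority_check(
            AUDITOR_ROLE, "GTS_SPL", {"/SAPSLL/LR": "SPLUS", "ACTVT": "43"}),
        # Fields from two different authorizations do not combine.
        "split_change_us": authority_check(
            SPLIT_ROLE, "GTS_SPL", {"/SAPSLL/LR": "SPLUS", "ACTVT": "02"}),
        "auditor_excess": excess_activities(AUDITOR_ROLE, "GTS_SPL", ("03", "08")),
        "overbroad_excess": excess_activities(OVERBROAD_ROLE, "GTS_SPL", ("03", "08")),
    }


if __name__ == "__main__":
    for name, result in review().items():
        print(f"{name}: {result}")
```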
6 Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the database or files of the backend system. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for SAP Global Trade Services is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to SAP Global Trade Services. Details that specifically apply to SAP Global Trade Services are described in the following topics:
■ Communication Channel Security: This topic describes the communication paths and protocols used by SAP Global Trade Services.
■ Network Security: This topic describes the security requirements for communication destinations that you should consider for SAP Global Trade Services. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate SAP Global Trade Services.
■ Communication Destinations: This topic describes the information needed for the various communication paths, for example, which users are used for which communications.

For more information, see the following topics in the SAP NetWeaver Security Guide at http://help.sap.com/nw703 → Security Information → Security Guide:
■ Network and Communication Security
■ Security Guides for Connectivity and Interoperability Technologies

6.1 Communication Channel Security

Since communication channels are used to transfer various business data, you should protect them from unauthorized access. SAP provides general recommendations and technology to protect your system landscape based on SAP NetWeaver.
CAUTION
To achieve a secure system landscape, you should activate Secure Network Communication (SNC) for RFC and the Secure Sockets Layer (SSL) protocol.

The table below shows the communication paths used by SAP Global Trade Services, the protocol used for the connection, and the type of data transferred.

Communication Paths for Business Processes of SAP Global Trade Services

Communication Path: Front-end client using SAP GUI for Windows to AS ABAP
Protocol Used: DIAG
Type of Data Transferred: All application data
Data Requiring Special Protection: Passwords

Communication Path: Application to feeder system, for example, plug-in
Protocol Used: RFC
Type of Data Transferred: Master data and business transaction data
Data Requiring Special Protection: N/A

Communication Path: Application server to third-party application
Protocol Used: HTTP
Type of Data Transferred: System ID, client, and host name
Data Requiring Special Protection: System information (that is, host name)

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. For more information, see the SAP NetWeaver Security Guide at http://help.sap.com/nw703 → Security Information → Security Guide → Network and Communication Security → Transport Layer Security:
■ Enabling SSL (HTTPS) for SAP NetWeaver Application Server 7.0

The electronic exchange of business data between SAP Global Trade Services and a connected external system, for example, the converter system for communication processes with the Customs authorities, must also be protected from unauthorized access. As far as the automatic authentication of the participating systems is concerned, SAP Global Trade Services relies on the exchange of certificates, which guarantees state-of-the-art security. The communication within the system landscape for SAP Global Trade Services can be made secure using HTTPS (SSL). For more information, see the following topics of the SAP NetWeaver Security Guide at http://help.sap.com/nw703 → SAP NetWeaver 7.0 including Enhancement Package 3 → Security Information → Security Guide (English) → SAP NetWeaver Security Guide → Network and Communication Security → Transport Layer Security (see section Additional Information) → Using SSL (HTTPS) for SAP NetWeaver Application Server 7.03.
6.2 Network Security

SAP Global Trade Services is based on SAP NetWeaver. Therefore, the relevant Security Guides for SAP NetWeaver are also relevant for SAP Global Trade Services. For more information about network security of the underlying SAP NetWeaver, see the SAP NetWeaver Security Guide at http://help.sap.com/nw703 → Security Information → Security Guide → Network and Communication Security, and in particular the following topics:
■ Network Services: This topic contains information about services and ports used by SAP NetWeaver.
■ Using Firewall Systems for Access Control: This topic contains information about firewall settings.
■ Using Multiple Network Zones: This topic contains information about the network segments in which individual parts of your application are to be set up.

For an overview of the network security used in the individual application areas of SAP Global Trade Services, see the section Technical System Landscape of the SAP Global Trade Services Security Guide.
6.3 Communication Destinations

For connecting your SAP Global Trade Services with the feeder systems of the logistics processes or the converter system for the communication with the authorities, you must set up the system communication. For more information, see the Configuration Information for SAP Global Trade Services on SAP Service Marketplace at http://service.sap.com/swdc → SAP Installations and Upgrades → Installations and Upgrades - Entry by Application Group → SAP Solutions for Governance, Risk and Compliance → SAP Global Trade Services → Installation and Upgrade.

CAUTION
Users and authorizations for connection destinations can cause serious security flaws if used carelessly. Therefore, note the following security rules for communication between two systems:
■ Use the user types system and communication.
■ Assign only the minimum required authorizations to the user.
■ Choose a secure and secret password for the user.
■ Store only connection user logon data for users of type system.
■ Choose trusted system functionality whenever possible instead of storing connection user logon data.
7 Data Storage Security
SAP Global Trade Services is based on SAP NetWeaver. Therefore, the information for data storage security for SAP NetWeaver also applies to SAP Global Trade Services. For more information, see the SAP NetWeaver Security Guide at http://help.sap.com/nw703 → SAP NetWeaver 7.0 including Enhancement Package 3 → Security Information → Security Guide → SAP NetWeaver Security Guide → Network and Communication Security.
8 Security for Additional Applications
The additional applications you might use with SAP Global Trade Services include converter software for which the software provider has its own security guidelines. These have been tried and tested by SAP and you should refer to these guidelines when implementing converter software for communication with customs, for example.
9 Dispensable Functions with Impacts on Security
All activated functions that are delivered with SAP Global Trade Services are necessary to run the business scenarios and processes. There are no dispensable functions impacting security.
10 Enterprise Services Security
The following chapters in the SAP NetWeaver Security Guide are relevant for all enterprise services delivered with the application: http://service.sap.com/securityguide → SAP NetWeaver 7.0x Security Guides (Complete) → SAP NetWeaver 7.0 EhP3 Security Guides (Online Version)
■ User Administration and Authentication
■ Network and Communication Security
■ Security Guide for Usage Type PI
■ Web Services Security
■ Security Guide Communication Interfaces
■ Security Guides for Operating System and Database Platforms
■ Security Aspects for System Management
■ Enabling Application-to-Application Processes: Security Aspects
■ Enabling Business-to-Business Processes: Security Aspects

For more information about special security requirements for Web services, see the Developer’s Guides at http://help.sap.com/nw703 → SAP NetWeaver 7.0 including Enhancement Package 3 → Development Information → Developer’s Guides → Fundamentals → Using Java → Core Development Tasks → Providing and Consuming Web Services → Web Service Toolset → Web Services Security.
11 Trace and Log Files
Changes to master data and transactions in SAP Global Trade Services can be traced using change documents. Errors in process flows are logged using the standard SAP Application Log tool. For more information about the use and setup of application logs in general, see SAP Library for SAP NetWeaver at http://help.sap.com/nw703 → SAP NetWeaver 7.0 including Enhancement Package 3 → SAP Library → SAP NetWeaver → SAP NetWeaver by Key Capability → Solution Life Cycle Management by Key Capability; see section Integration → Application Log (BC-SRV-BAL).

For auditing user actions, SAP Global Trade Services uses standard SAP NetWeaver technology for its system logs and traces. For more information, see the Technical Operations Guide for SAP NetWeaver at http://help.sap.com/nw703 → SAP NetWeaver 7.0 including Enhancement Package 3 → SAP Library → SAP NetWeaver → SAP NetWeaver by Key Capability → Solution Life Cycle Management by Key Capability → User Administration → Security and Additional System Security Tools → Security Audit Log.

The application logs for SAP Global Trade Services are included in the SAP Global Trade Services Operation Guide. For more information, see http://service.sap.com/swdc → Installations and Upgrades → Installation and Upgrade Guides → Analytics → Governance, Risk, and Compliance → Global Trade Services.
SAP Global Trade Services also provides change documents for the following objects to file all changes made to these objects. The change documents can be accessed from the object-specific monitors in the application because of their relation to the process. SAP Global Trade Services uses the SAP NetWeaver technology for change documents.
■ /SAPSLL/BOPHD (GTS: Bill of Product) – Bill of Materials for Restitution Handling
■ /SAPSLL/BP (Business Partner)
■ /SAPSLL/CTSGEN (Legal and Logistics Services: Customs Tariff Numbers) – Tariff Numbers
■ /SAPSLL/CUHD (SLL: Customs Document / Shipment) – Customs Documents, Customs Declarations and Customs Shipments
■ /SAPSLL/CUPED (GTS: Header for Period Entries) – Supplementary Customs Declaration
■ /SAPSLL/LCLIC (SLL: Legal Control: License) – License for Legal Control in the Compliance Management Area
■ /SAPSLL/LCPRO (Project Master) – Projects for License Assignment in Legal Control in the Compliance Management Area
■ /SAPSLL/LC_CUSB (GTS: Duty Rates) – Customs Duty Rates
■ /SAPSLL/PR (Customs Product)
■ /SAPSLL/PREVD (GTS: Vendor Declarations) – Long-Term Vendor Declarations
■ /SAPSLL/TSPL (Legal & Logistics Services: LC: SPL Master (Header Data)) – Master Data for Sanctioned Party List Screening in the Compliance Management Area

For information about the use of change documents in general, see SAP Library for SAP NetWeaver at http://help.sap.com/nw703 → Function-Oriented View → SAP NetWeaver by Key Capability → Application Platform by Key Capability → ABAP Technology → ABAP Workbench (BC-DWB) → BC Extended Applications Function Library.
12 Other Security-Relevant Information
Virus Checking of Document Attachments

SAP Global Trade Services provides the opportunity to check documents that are attached to messages or XML files for data upload with a virus scanner before they are stored in the database. For checking uploaded files against viruses, the following virus scan profiles that are delivered by SAP must be activated:
■ /SCET/GUI_UPLOAD
■ /SIHTTP/HTTP_UPLOAD

To use these profiles, you must have configured a virus scanner correctly. For more information, see SAP Customizing in your SAP Global Trade Services by entering transaction code SPRO and choosing SAP Reference IMG → SAP NetWeaver → Application Server → System Administration → Virus Scanner Interface.

In addition, refer to the following SAP Notes about configuration information for the virus scanner interface.
■ 797108 (Virus scan interface (VSI): Changes and releases)
■ 851789 (Virus-scan-profiles delivered by SAP)
■ 817623 (Integrating a virus scan in SAP applications)

Activated virus scan profiles without a correctly configured virus scanner result in error messages during the file upload in SAP Global Trade Services.
A Appendix
A.1 Additional Related Guides

You can use the following guides for SAP Global Trade Services for additional information about the system landscape and its requirements:
■ Master Guide
■ Operation Guide
■ Configuration Guide

You can access these guides on SAP Service Marketplace at http://service.sap.com/swdc → SAP Installations and Upgrades → Installation and Upgrade Guides → Analytics → Governance, Risk and Compliance → SAP Global Trade Services.

You can find more guides related to the SAP NetWeaver platform on SAP Service Marketplace at http://service.sap.com/installnw703.
B Reference
B.1 The Main SAP Documentation Types The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software. Cross-Phase Documentation
SAPterm is SAP’s terminology database. It contains SAP-specific vocabulary in over 30 languages, as
well as many glossary entries in English and German. ■
Target group: ●
■
Relevant for all target groups
Current version: ●
On SAP Help Portal at
http://help.sap.com
Additional Information Glossary (direct
access) or Terminology (as terminology CD) ●
In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes. ■
■
Target group: ●
Consultants
●
System administrators
●
Project teams for implementations or upgrades
Current version: ●
On SAP Help Portal at http://help.sap.com
The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver. This document contains general guidelines and suggestions. SAP applications have a security guide of their own.
■ Target group:
  ● System administrators
  ● Technology consultants
  ● Solution consultants
■ Current version:
  ● On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide and SAP Notes.
■ Target group:
  ● Technology consultants
  ● Project teams for implementations
■ Current version:
  ● On SAP Service Marketplace at http://service.sap.com/instguides
The installation information describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
■ Target group:
  ● Technology consultants
  ● Project teams for implementations
■ Current version:
  ● On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation is available in SAP Solution Manager or as Configuration Guides.

SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business and IT scenarios. It contains Customizing activities, transactions, and so on, as well as documentation.
■ Target group:
  ● Technology consultants
  ● Solution consultants
  ● Project teams for implementations
■ Current version:
  ● In SAP Solution Manager
  ● For Configuration Guides at http://service.sap.com/swdc → Installations and Upgrades - Entry by Application Group → SAP Solutions for Governance, Risk and Compliance → SAP Global Trade Services → Installations and Upgrades → Installation and Upgrade.
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (In order to configure a whole system landscape from a process-oriented perspective, SAP Solution Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
■ Target group:
  ● Solution consultants
  ● Project teams for implementations or upgrades
■ Current version:
  ● In the SAP menu of the SAP system under Tools → Customizing → IMG
Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the solution operations guide. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.
■ Target group:
  ● System administrators
■ Current version:
  ● On SAP Service Marketplace at http://service.sap.com/instguides
The solution operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.
■ Target group:
  ● System administrators
  ● Technology consultants
  ● Solution consultants
■ Current version:
  ● On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade

The upgrade information in the master guide is the starting point for upgrading the business and IT scenarios of an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as the upgrade guides and SAP Notes.
■ Target group:
  ● Technology consultants
  ● Project teams for upgrades
■ Current version:
  ● On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade information describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.
■ Target group:
  ● Technology consultants
  ● Project teams for upgrades
■ Current version:
  ● On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).
■ Target group:
  ● Consultants
  ● Project teams for upgrades
■ Current version:
  ● On SAP Service Marketplace at http://service.sap.com/releasenotes
  ● In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Documentation in the SAP Service Marketplace

You can find this document at the following address: http://service.sap.com/securityguide