SAP Security - Solution Manager

SECURI SE CURI TY GUI DE S A P So So l u t i o n Manager 7.0 as of SP16

Scenarios:

Target Audience 

Technology consultants



System administrators administrators



Service Desk



Implementation Implementation of SAP Solutions



Upgrade of SAP Solutions



Change Management



Solution Monitoring



Delivery of SAP Services



Root Cause Analyses

April 2008

SAP AG Neurottstraße 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 3 4 20 www.sap.com

© Copyright 2008 SAP AG. All rights reserved.

JAVA® is a registered trademark of Sun Microsystems, Inc.

No part of this publication may be reproduced or transmitted in any

J2EE™ is a registered trademark of Sun Microsystems, Inc.

form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior

JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc.,

notice.

used under license for technology invented and implemented by Netscape.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE,

®

®

®

®

®

®

Microsoft , WINDOWS , NT , EXCEL , Word , PowerPoint and

Management Cockpit, mySAP, mySAP.com, and other SAP products

®

SQL Server are registered trademarks of Microsoft Corporation.

and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in

®

®

®

®

IBM , DB2 , DB2 Uni versal versal Database, OS/2 , Parallel Sysplex ,

several other countries all over the world. MarketSet and Enterprise

MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries,

Buyer are jointly owned trademarks of SAP Markets and Commerce ®

pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere , ®

®

TM

®

Netfinity , Tivoli , Informix and Informix Dynamic Server

One. All other product and service names mentioned are the trademarks of their respective owners.

are

trademarks of IBM Corp. in USA and/or other countries. ORACLE ® is a registered trademark of ORACLE Corporation.

Disclaimer Some components of this product are based on Java™. Any code

®

®

®

®

UNIX , X/Open , OSF/1 , and Motif are registered trademarks of

change in these components may cause unpredictable and severe

the Open Group.

malfunctions and is therefore expressively prohibited, prohibited, as is any decompilation of these components.

®

®

®

®

Citrix , the Citrix l ogo, ogo, ICA , Program Neighborhood , MetaFrame , WinFrame®, VideoFrame®, MultiWin® and other Citrix product names

Any Java™ Source Code delivered with this product is only to be used

referenced herein are trademarks of Citrix Systems, Inc.

by SAP’s Support Services and may not be modified or altered in any way.

HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Documentation in the SAP Service Marketplace You can find this documentation at the following address: http://service.sap.com/instguides

Security Guide: SAP Solution Manager 7.0

T y p o g r a p h i c Co Co n v e n t i o n s Type Style Example Text

Represents Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Cross-references to other documentation

E xa xampl e text

Emph as as iz ized wo words or p hr hras es es in b od od y text, titles of graphics and tables

EXAM EXAMPL PLE E TEXT TEXT

Name Names s of of ele eleme ment nts s in in the the syst system em.. The These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.

Example text

Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code as well as names of installation, upgrade and database tools.

Example text

Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

EXAMPLE TEXT

Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.

Icons Icon

Meaning Caution Example

Note Recommendation Syntax

April 2008

3

Security Guide: SAP Solution Manager 7.0 as of SP16

Content Content Content ...................................................................................................................................................................... 4 History History of Changes.................................................................................................................................................... Changes.................................................................................................................................................... 5 Quick Links Links to Additio Additional nal Informatio Information n .................................................................................................................... 6 Recommendat Recommendations ions for for Additional Compone Components nts ........................................................................................................ 6 Introdu Introduction ction .............................................................................................................................................................. 8 System System Landscape Landscape ..................................................................................................................................................... 8 Network Network and Commun Communication ication Security ...................................................................................................................10 User Administr Administration ation and Authen Authenticati tication.................................................................................................................14 on.................................................................................................................14 Authorizations..........................................................................................................................................................16 Backgroun Backgroundjob djobss .......................................................................................................................................................39 Trace and Log Files..................................................................................................................................................43 APPENDIX...............................................................................................................................................................44 Security Security Parameters for Individual Individual Scenarios Scenarios ..........................................................................................................44 Examples Examples Authorizat Authorization ion Restrictio Restriction........................................................................................................................46 n........................................................................................................................46

4

April 2008


History of Changes This Security Guide is updated with each new Support Package Stack in SAP Service Marketplace at service.sap.com/instguides -> SAP Components -> SAP Solution Manager -> . This document is not included as part of the Installation Guide, Configuration Guide, Sizing Guide or Upgrade Guide. These guides are only relevant for a certain phase of the software life cycle, whereby the Security Guides provide information that is relevant for all life cycle phases. phases . The Solution Manager is built on mySAP Customer Relation Management 2005 and SAP NetWeaver. Therefore, the corresponding Security Guides also apply to the Solution Manager. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below. For a complete list of the available SAP Security Guides, see the Quick Link: securityguide on the SAP Service Marketplace. Information on Solution Manager Diagnostics may not be complete in this Guide. For security topics on Diagnostics, see: service.sap.com/diagnostics -> Installation and Upgrade. Make sure you have the latest version of the Security Guide. The following table provides an overview of the most important changes that were made in the latest versions: Date of Update

Topic

SP15 06.02.2008

This Security Guide is based on the currently available Guide: Authorization Concept of SAP Solution Manager as of SP09 Topic on Authorization moved from Configuration Guide to Security Guide and/or IMG (transaction SPRO), e.g. roles moved to additional documentation in IMG documents (e.g. roles for scenario Issue Management can be found either in overview on roles in Security Guide or in more detail in the according IMG documentation for Issue Management) New roles for solution authorization. Authorization object D_SOL_VSBL is now included in roles SAP_SM_SOLUTION_*. The authorization object is deactivated in all other roles. See chapter: Roles in Solution Manager. for an overview. It needs to be granted in addition to the role for the functionality, e.g Maintenance Optimizer. See examples in the APPENDIX New roles for: 

Job Scheduling



Issue Management

Maintenance Optimizer (additional) See chapter: Roles in Solution Manager. 

New roles for Work Center approach, see chapter Work Center Roles and the according example. Composite role SAP_SM_BPMO_COMP for background user SM_BPMO. See chapter Communication Destinations. Destinations. SP16

New roles for: - Solution Documentation Assistant See chapter: Roles in Solution Manager. and chapter Work Center Roles - Third Party Product: BMC AppSight for SAP Client Diagnostics See chapter: Roles in Solution Manager.

28.04.2008

Name change: SAP Solution Manager 4.0 becomes SAP Solution Manager 7.0

April 2008

5


Documentation Documentation types in the software life cycle:

For a detailled overview on which documentation is relevant for each individual phase, see SAP Note 1088980. 1088980. We strongly recommend that you use the documents available here. The guides are regularly updated.

Quick Links to Additional Information Content

Note... Security

service.sap.com/security

Security Guides

service.sap.com/securityguide

Related SAP Notes

service.sap.com/notes

Technical infrastructure/ Network security

service.sap.com/network

SAP Solution Manager

service.sap.com/solutionmanager

Recommendations for Additional Components The following table lists further useful information for additional components: Content

Note...

Diagnostics

See the according documents for installation and configuration service.sap.com/diagnostics

System Landscape Directory

service.sap.com/sld

Software Lifecycle Manager

service.sap.com/slm

Adobe Document Services

service.sap.com/adobe

Business Intelligence

service.sap.com/bi

6

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 SAP Quality Center by HP

service.sap.com/solutionmanager

SAP Redwood Job Scheduling

service.sap.com/job-scheduling

Master Guide SAP NetWeaver 7.0

service.sap.com/installNW70

One Transport Order Help on Application Usage for Solution Manager; Links to further documentation for SAP NetWeaver, SAP Business Suite Help on SAP NetWeaver (ABAP and Java) for additional components

April 2008

service.sap.com/solutionmanager -> Media Library -> Technical Papers help.sap.com

help.sap.com/nw70 -> Functional View -> Solution Lifecycle Management -> Software Lifecycle Management

7


Introduction This guide does not replace the daily operations handbook that we recommend customers to create for their specific productive operations. With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security apply likewise to SAP Solution Manager.To assist you in securing SAP Solution Manager, we provide this Security Guide. Therefore, when analyzing the security risk for Solution Manager and your system landscape, you should be able to answer the following questions: 

What are your security requirements in regard to availability, confidentiality and data integrity?



Are there any threads (and their relevance) that could compromise your security?



What are the measures (and costs) that are to be undertaken to safeguard the system?

System Landscape Architecture Solution Manager is working with the ABAP and the Java (Solution Manager Diagnostics only) stack. It is running on a SAP CRM-5.0 Server. To use Solution Manager you need SAP GUI or Web Browser (in case of work center functionality). Communication with other systems is working via RFC technology and via Web Services. For more information on the appropriate usage types, see Master Guide Solution Manager on service.sap.com/instguides -> SAP Components -> SAP Solution Manager -> . The figure below shows an overview of the the technical system landscape for the Solution Manager (including its satellite systems and SAP Service and Support). Content Devel opment at S AP

Solution Manager System

SAP Se rvice & Suppo rt

R

R

Business Process Repository (BPR)

Support Desk SAP Solution Manager

Service Delivery

R

R

R

R Product Planning and Maintenance System (PPMS)

R

Software Lifecycle Management (SLM)

R

Master Component Repository (MCR)

R

R

R

System Landscape Directory (SLD)

R

Change Request Manager

Knowledge Warehouse (KW)

Problem Message Handling

CRM Server R

R R

SAP Change Manager

Computing Center Management System (CCMS)

Satellite System(s) Process Management Infrastructure (PMI)

8

Computing Center Management System (CCMS)

Service Data Control Center (SDCC)

Implementation Guide (IMG)

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 Scenarios Solution Manager is a tool which supports your whole product life-cycle, that is the life-cycle of your business processes and systems within ONE single system/platform. According to these aspects of the product lifecycle, various scenarios can be differentiated. A scenario describes a grouping of functionalities which support the sequential and logical relationships of processes within the life-cycle of the product. Therefore, we differentiate between scenarios (e.g. 1. Implementation/Upgrade of SAP Solutions), processes (e.g. Roadmap) and additional functionalities (e.g. Document Management). Implementation/Upgrade of SAP Solutions Roadmap Project Management Business Blueprint Configuration

Solution Monitoring

Test M an ag emen t

Earl yW atch Alert

E-L ear ning

Ser vic e Level Report ing

S ol oluti on on Doc um umentati on on Assistant

System Ad mi ministr at ati on on

Change Management

System Monitoring

Mainten anc e O pti mizer

Bus. Pr oc ess Monitori ng

Ch ang e Requ est Managemen

Sol ution Rep orti ng Job Scheduling

Service Desk Service Desk Standard Usage

Delivery of SAP Services

Servic e Pr ovid ers

Issu e Man agement

Third P art y Int erf ac e

Onsite/Remote S ervic e

Root Cause Analyses

Service Plan Expert-on-Demand

------------------------------------------------------------------------------------------------------------------------PLUS System System Landscape Landscape (SMSY) Service Data Control Center (SDCCN) Solution Solution Design (SOLMAN_DIRECTORY) (SOLMAN_DIRECTORY) Customizing Distribution Rollout Work Center BI - Analysis Third Party Product Integration

April 2008

9


Network and Communication Security Network Topology Your network infrastructure is extremely important in protecting your system. It needs to support the communication necessary for your business and your needs without allowing unauthorized access. A welldefined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines. The network topology for the Solution Manager is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Solution Manager. Communication Communicati on Channels The table below shows the communication channels used by the Solution Manager, the protocol used for the connection, and the type of data transferred. Communication Communication Channel

Protocol used

Type of Data transferred

S ol uti on Man ager to OSS

RFC

E xchan ge of Pr oblem mess ages, Retr i eval of Services

Solution Manager to OSS Secure Area

HTTP(S)

Logon data to systems opened for SAP Support

Solution Manager to Satellite Systems and back

RFC

see chap ter RFC connections

Solution Manager to SAP Service Marketplace

HT TP(S)

S earc h f or not es

Solution Manager Support Desk to Third Party Support Desks

SOAP

Pr ob lem Mess ages

S ol ution Manager to Qu ality Center b y HP

SOAP

Test R equirements

10

April 2008


Communication Destinations The figure below shows an overview of the communication destinations used by Solution Manager (including its satellite systems, Third Party Products and SAP Service and Support):

SA P

Customer http (s)

SAP SMP

http (s) SAP System s

RFC BPM_LOCAL_ RFC RFC RFC OSS (O01)

SA P Solution

SAPOSS SAP-OSS

Manager

SAP-OSS-LIST-O01 SDCC-OSS Third Party Products

SM_CLNT_LOGIN SM_CLNT_READ SM_CLNT_TRUSTED SM_CLNT_TMW

RFC SM_CLNT_BACK

The table below shows an overview of communication destinations used by the Solution Manager for RFC communications. RFC Destination Name

Target Host Name

System Number

Logon Client

Logon User (Password)

Use (S (Scenario)

How Cr Created

Notes As Assistant

Maintain te tech nic al settings in transaction “OSS1”

To SAPNet R/3 Frontend SAPOSS (ABAP /H/SAPROUTER connection) /S//sapserv /H/oss001

01

00 1

OSS_RFC (CPIC)

SAP-OSS (ABAP /H/SAPROUTER connection) /S//sapserv /H/oss001

01

00 1

S-Us er (Customerspecific)

SAP-OSS-LIST- /H/SAPROUTER O01 (ABAP /S//sapserv connection) /H/oss001

01

00 1


Retrieve information about which messages have been changed at SAP (Scenario: Service Desk)

Transaction SM59

(will be generated) See

Used by the Service Data Control Center to

A copy of the SAPOSS

SDCC_OSS (ABAP connection)

April 2008

Exchange problem messages messages Transaction with SAP (Scenario: Service SOLUTION_MAN Desk); Synchronize System AGER; Menu path: Edit->Global Data with Support Portal and Settings send data about satellite systems (SMSY); Transfer of Solution, Issue data transfer feedback to SAP (Scenario: Service Delivery); Service Connection

11

Security Guide: SAP Solution Manager 7.0 as of SP16 RFC Destination Name

Target Host Name

System Number

Logon Client

SAP Note 763561

SAPNET_RFC /H/SAPROUTER (ABAP connection) /S//sapserv /H/oss001

01

SAP-SMP (HTTP Target host: connection) websmp230.sapag.de; Service no. 80; Path prefix: /sap/bc/bsp/spn/ swdc/slm/ SAPNET_RTCC /H/SAPROUTER (ABAP connection) /S//sapserv X/H/oss001

01

Use (S (Scenario)


00 1

OSS_RFC (CPIC)

00 1


00 1

OSS_RFC (CPIC)

How Cr Created

communicate with the SAP Net destination to R/3 Frontend system; Update SDDC_OSS; a Service Definitions (Sc enarios: enarios: new user is used Solution Monitoring for EWA SDCC_NEW with and Service Plan) Password: download. Send EarlyWatch Alerts (Scenarios: Solution Monitoring for EWA and Service Plan)

A copy of the SAPOSS destination to SAPNET_RFC

To send an up-to-date version Transaction SM59 of the component ST-SER for delivery of Services by SAP Active Global Support (Scenario: Service Delivery)

Service Preparation Check (RTCCTOOL) (Scenario: Service Delivery)

Created automatically by RTCCTOOL. copy of SAPOSS



_/sapserv /H/oss001

01

00 1

S-Us er (Customer specific no authorization needed)

Service Desk -> Value Added Reseller

You automatically create customer RFCs based on RFC SAP-OSS via SAP-OSS via Report

To Satellite System from Solution Manager System SM_CLNT_LOGIN (ABAP connection)

Custo Custome merrspecific

Customerspecific

empty

SM_CLNT_READ (ABAP connection)

Sate Satelllite lite Systemspecific

Satellite System specific

Default user: SOLMAN (will be generated)

for read access Scenarios: Solution Monitoring and Implementation and Distribution

Transaction SMSY

SM_CLNT_TRUSTED (ABAP connection)

Sate Satelllite lite Systemspecific

Satellite Systemspecific

empty

Log on thr ough a trusted connection

Transaction SMSY

SM_CLNT< Satellite System Satellite client>_TMW Systemspecific (ABAP connection)

Satellite System specific

E xec ute Tr ans acti ons

Transaction SMSY

Scenarios: Solution Monitoring and Implementation and Distribution

Scenarios: Solution Monitoring and Implementation and Distribution Default user: For creating, releasing SOLTMW transport requests (will be generated)

Transaction SMSY

From Satellite System to Solution Manager System SM_CLNTBACK Manager System specific (ABAP connection)

Customerspecific

Default user: Send Service Desk messages, Transaction SMSY SOLMAN send session data, check locked customizing objects (will be generated) Scenarios: Service Desk, Solution Monitoring and Implementation and Distribution

Local System (Solution Manager)

12

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 RFC Destination Name

Target Host Name

System Number

BPM_LOCAL_ (ABAP connection)

empt y

em p t y

Logon Client


Use (S (Scenario)

How Cr Created

Cli ent us ed SM_BPMO Business Process Monitoring During Business (Scenario: Solution Monitoring) for Business (CustomerProcess specific) Monitoring Setup Process Monitoring SAP_SM_BPMO _COMP includes SAP_SM_S_CS MREG (acc.to profile: S_CSMREG), SAP_SUPPDES K_CREATE and SAP_IDOC_EVE RYONE CSMREG

CCMSPING.

Service Level Reporting with CCMSping (Registered Server Program-> ProgramID:.ccmsping .00)

You can find the current list of all ports used by SAP in the following document "TCP/IP Ports Used by SAP Applications". You can find the document in SAP Service Marketplace: service.sap.com/ security security -> Security in Detail -> Infrastructure Security. The following table displays all used TCP/IP Default Ports for Solution Manager Diagnostics: System ABAP Gateway

HTTP Port of J2EE Engine P4

Ports used on Solution Manager Diagnostics Server

Open in SAProut tab

5nn00 (nn: instance no. of managed system), e.g. 50200

X

33nn (nn: instance no.), e.g. 3301 5nn00 (nn: instance no. of SMD), e.g. 50100 5nn04 nn: instance no. of SMD), e.g. 50104

Database Introscope

6001 (Listener port)

LoadRunner

5001 (Load Generator)

J2EE standalone logviewer

Ports used on each monitored Satellite System

depends on DBMS, e.g. 1433 on MS SQL Server 6001 26000 For details, refer to Advanced Diagnostics Setup Guide

SSL (Secure Socket Layer) for HTTP - Connections BSP Applications and WebDynpro technology Interfaces maintenance such as BSP and WebDynpro need HTTP/S. Web Dynpro for ABAP or Web Dynpro for ABAP (WD4A, WDA) is the SAP standard UI technology for developing Web applications in the ABAP environment. Most scenarios in Solution Manager use either BSP or WebDynpro technology. The Internet Communication Framework (ICF) provides the infrastructure for handling HTTP requests in work processes in an SAP system (server and client). It enables you to use standard protocols (HTTP, HTTPS, and SMTP) to operate communications between systems through the Internet. You do not need any additional SAP program libraries (other than the SAP Web Application Server). The only condition is that your system platform is Internet-compliant. This scenario gives you a maximum amount of flexibility in responding to varying communication requirements. Communications operated through the ICF have the following benefits: 

Increased security: The HTTPS protocol guarantees secure data transmission at the same level as modern security standards for RFC/SNC communication and other interfaces.

April 2008

13

Security Guide: SAP Solution Manager 7.0 as of SP16 

Increased flexibility: Using the ICF, the user can open a connection to an SAP system across the Internet from any location. After you install the Web Application Server, all Internet Communication Framework (ICF) services are delivered as inactive for security reasons. To activate them, see IMG for Solution Manager -> Basic Settings -> Standard Configuration -> Activate HTTP Services (transaction SPRO).

Reduced technological barriers: The open HTTP standard is used worldwide, which makes it efficient to install and configure. Setting up SSL 

It is strongly recommended to set up SSL for NetWeaver AS and Java (e.g. Maintenance Optimizer and SLM it is necessary). See: Online Help on System Security for SAP Web AS ABAP and Java on Java on service.sap.com/security -> Media Library -> Literature.

Relevant information sources Information Source

Note

SAP Note 510007

Setting Up SSL on the Web Application Server (Procedure on how to set up SSL)

SAP Note 1000000

Web Dynpro ABAP FAQ (General authorization checks for services and application are available over the ICF)

SAP Note 938809

Web Dynpro ABAP checklist for creating problem mesasges (If you create an error message for WebDynpro ABAP under component BC-WD-ABA, see the checklist in SAP Note)

SAP Note 810159

Subsequent installation of SAP JAVA CRYPTO TOOLKIT

Application help for security topics connected connected to ICF - Services

help.sap.com/nw2004s

Installation Guide

service.sap.com/instguides -> SAP Components -> SAP Solution Manager .

System Security for SAP Web AS ABAP and Java (Help Java (Help on setting up system security for ABAP and Java)

service.sap.com/security -> Media Library -> Literature

HTTP Connect Service for SAP Support Due to the firewall between customer systems and SAP systems it is not possible to display pages of BSPs or WebDynpro applications in SAP Solution Manager using standard Service or Support connections. To receive Support from SAP for these technology types you need to set up an HTTP Connect Service. To do so, follow the descriptions in SAP Note: 1072324 1072324.. You need to maintain this connection for onsite and remote support. To secure this HTTP to remote support you should secure with HTTPS.

User Administration and Authentication General The Solution Manager uses the User Management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP Web Application Server ABAP. If you use the Solution Manager Diagnostics, the user management and authentication mechanisms provided with the SAP Web Application 14

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 Server Java are used, too. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide and the SAP NetWeaver Application Server Java Security Guide also apply to Solution Manager. User Management Tools User Management for SAP Solution Manager uses the mechanisms provided by the SAP NetWeaver Application Server ABAP and Java, for example, tools (ABAP: SU01 and Java: UME), user types, and password policies. For an overview of how these mechanisms apply for the Solution Manager, see the sections below. In addition, we provide a list of the standard users required for operating the Solution Manager. As the mechanisms provided by the SAP NetWeaver Application Server Java only apply for Solution Manager Diagnostics consult the according Guide on service.sap.com/diagnostics . Standard Users The table below shows the standard users that are necessary for operating the Solution Manager. Logon User (Password)

Use

OSS_RFC (CPIC)

N otes Assistan t

S-User (Customerspecific)

Exchange problem messages with SAP; Retrieve information which messages have been changed at SAP

SOLMAN (Customer-specific)

For Read access; Scenarios: Solution Monitoring, Implementation and Distribution; Service Desk; Change Management

Transaction SMSY, automatically generated

See chapter: chapter: RFCConnections READ, TMW, BACK

SOLTMW (Customer-specific)

Change R eq uest Man ag emen t

Trans acti on SMS Y, automatically generated

See chapter: RFCConnections READ, TMW, BACK

Transaction SMSY, automatically generated

See chapter: chapter: RFCConnections READ, TMW, BACK

RZ10

S ee chapter: RFCConnections READ, TMW, BACK and Background Users

SOLMAN<_Version> (Customer-specific) CSMREG (Customerspecific)

For data collection (to get CCMS alerts)

How Created

Required Roles (Authorizations)

The S-user for the SAP See chapter: S-User Support Portal is requested via authorizations www.service.sap.com.

Only required if SMSY is not used to generate RFC destinations; Business Process Monitoring; required, if CCMSPing for Service Level Reporting in scenario Solution Monitoring is used

OSS_R OSS_RFC FC (CP (CPIC IC))

Note Notes s Assista Assistant nt ; Up Updat date e Service Service Defin Definit ition ions; s; Service Preparation Check (RTCCTOOL)

SLDAPIUSER (Customer-specific)

To send data from SAP Solution Manager to SLD

Duri ng instal lati on

-

SAPJSF (S er vic e Us er)

To r ead d ata fr om SLD

Duri ng inst al lati on

SAP_B C_JSF _COMMUNICAT ION_RO

Duri ng ng in inst al al la lat io ion

SAP_B C_ C_ AI AI_ LA LANDSC AP APE _D _D B_RFC; SAP_J2EE_ADMIN

Duri ng instal lati on

SAP_J2 EE_GU EST

Service User J2EE_ADMIN (Customer-specific)

Context: Application integration infrastructure (SLD): (SLD): User, who is able to write on the database tables of the SAP System Landscape Directory (SLD). User who makes the RFC calls from the SLD. Context: J2EE Administration; user who has administrator rights in a connected SAP J2EE Engine. Engine. Used to attach a l ocal UME to the central ABAP user management.

Service User J2EE_GUEST

Users who have guest authorizations in a connected SAP J2EE Engine. Engine.

(Customer-specific)

April 2008

15

Security Guide: SAP Solution Manager 7.0 as of SP16 Integration into Single Sign-On Environments (SSO) SAP Solution Manager uses different front ends (SAP GUI and Web browser - in this case, an HTML Control). Multiple sessions are opened on the server that require, for example, a second logon. The user uses SAP GUI to log on to a system, the application uses the SAP GUI for HTML Control to call another BSP application, and the system then prompts the user to reenter the logon data. The Solution Manager supports the Single Sign-On (SSO) mechanisms provided by the SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide (SAP Library) also apply to the SAP Solution Manager. The supported mechanisms are listed below: 

Secure Network Communications (SNC) SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls. For more information, see Secure Network Communications (SAP Library) in the SAP NetWeaver Application Server ABAP Security Security Guide.



SAP logon tickets The Solution Manager supports the use of logon tickets for SSO when using a Web browser to access Solution Manager documents via URLs from outside. In this case, users can be issued a logon ticket after they have authenticated themselves with the Solution Manager system. The ticket can then be submitted to the system as an authentication token each time the users access documents via URLs from within the same Browser session. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

For more information on how to use Single Sign-On on the SAP Service Marketplace go to: service.sap.com/sso-smp.

Authorizations Authorization Concept in General For ABAP Systems Authorizations can be displayed by roles (for systems with Basis >= WebApplication Server 6.10) or profiles (for systems with Basis =WebApplication Server 6.10, 6.10 , an authorization is based on specific transactions and so-called authorization objects which are inherently connected to these transactions or programs. Authorization objects consist of authorization fields. A role is always assigned to one or more authorization profiles by the profile generator (transaction PFCG). As of basis release
April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 SAP Solution Manage Managerr Authorization Concept This paragraph covers information on general concepts in regard to roles and authorizations. In this respect, it refers to both background users and automatically applied profiles as well as the individual scenarios and the roles used which are relevant for SAP Solution Manager and its satellite systems. Before starting to assign any roles to users, you are strongly adviced to create a thorough authorization concept. The roles mentioned in this document are delivered by SAP as template roles with a number of default values, which you need to customize according to your individual needs. All values that are generic and individual for your company, you have to maintain according to your authorization concept. The SAP Solution Manager authorization concept is based on the overall SAP authorization concept which is relevant for all SAP systems. As SAP Solution Manager 7.0 is based on SAP Netweaver Application Server (Application Server ABAP and Application Server Java), we recommend that you configure the User Management Engine of the Java application to use the ABAP user management (transaction SU01) of the Application Server ABAP (see SAP Reference Implementation Guide; transaction SPRO).The UME of the Application Server Java is configured against the user management of the Application Server ABAP. SAP role assignments appear as user-to-group assignments in the UME administration console. Therefore, you have to have set up UME groups, which correspond to roles of the Application Server ABAP (PFCG roles). In the UME administration console, you cannot assign users or groups to the groups that correspond to SAP ABAP roles. These groups are read-only in the J2EE engine, with the exception that you can assign UME roles and security roles to them. The following figure illustrates the integration of J2EE Engine security roles, UME roles, and SAP roles. Object

Recommended Tool

Users

Use transaction SU01 in the ABAP system(s).

PFCG roles

Use the Profile Generator (transaction PFCG) in the Solution Manager system.

J2EE security roles and UME roles

(Only applies to Java application) Use the UME administration console to manage UME roles and the Visual Administrator of the Application Server Java to manage J2EE security roles. roles. Both of these tools are part of Applicat A pplication ion Server Java. To integrate the Java-based authorizations supplied by J2EE security roles and UME roles with PFCG roles, you can integrate PFCG roles as groups in Application Server Java.

RFC Connect Connection: ion: Trusted To work with a heterogeneous system landscape with SAP Solution Manager as the managing platform you need to create RFC connections between SAP Solution Manager and the various Satellite systems (component systems). The appropriate Satellite or component system needs to be made known in the SAP Solution Manager Manager system as so-called “Trusted “Trusted System” and vica versa. versa. In other words, words, the server system "trusting system" (SAP Solution Manager system) trusts the user administration of the client system "trusted system" (Satellite system). Trusted systems can log on to the so-called “Trusting System” without password. User specific data are controlled in the trusting system. This is called a trusting trusted RFC connection. You generate this RFC connection in the SAP Solution Manager within the transaction SMSY. Trusted RFCs need to be maintained from both sides, that is Solution Manager to Satellite system and Satellite system to Solution Manager system. In order to communicate successfully with each other both SAP Solution Manager and the appropriate Satellite system need to have the same username created username created in their user administration (transaction SU01).

April 2008

17


If you use SAP router between Solution Manager and satellite systems you might have problems in some functiona f unctionalities, lities, e.g:. BSP Applications. RFC which should open a new window (session). To solve these issues, see SAP Note 555162 Authorization Object S_RFCACL To be able to create the trusted RFC connection you need to have the authorization object S_RFCACL assigned in the Solution Manager and in the Satellite system for this current user. The role SAP_S_RFCACL (as of SAP NetWeaver Application Server 7.00) contains the authorization object S_RFCACL which consists of a number of authorization fields which allow a trusting trusted relation between SAP Solution Manager and any Satellite system. Due to the high potential risk of such an RFC connection the authorization object S_RFCACL is not included in SAP_ALL. In order to restrict user access you need to maintain for this authorization object field "RFC_US "RFC_USER" ER" with the value ' '. The trusting RFC destination usually has the 'Current User' setting in SM59. Fore more information, see: help.sap.com/nw70 help.sap.com/nw70.. Authorization errors in the usage of an RFC destination with set 'Trusted Systems' indicators are documented by the following message: "No Authorization to logon as Trusted System (Trusted RC = #). Every authorization error when using an RFC Destination with a set 'Trusted Systems' indicator is designated as a RABAX (ABAP Exception). This RABAX contains detailed error information. Proceed as follows to analyze the error: 1. Choose Transaction ST22 and the desired selection period. 2.

Choose the corresponding entry under under the User SAPSYS and the program name CALL_FUNCTION_SYSCALL_ONLY. In the paragraph, 'Troubleshooting' you will find all the necessary information to correct the error.

Return code Returncode

explanation

To do

0

Invalid logon data (user and client) for the Trusting System

Create a corresponding user in the Client system for the user in the Server System (Trusting System)

1

The calling system is not a Trusted System, or the security ID I D for the System is invalid.

Create the Trusted RFC again.

2

The user has no authorization containing the authorization object S_RFCACL or is logged on as the protected user 'DDIC' or SAP*'.

Either supply the user with the corresponding authorization or do not use the protected users 'DDIC' or SAP* (see profile paramter and value: login/no_automatic_user_sapstar = 0)

3

The time stamp of the logon data is invalid.

Check the system time on the client and on the server and the validity date of the logon data. The system times of both systems have to be synchronised.

Now, you can start to setup your system landscape with SAP Solution Manager as the central platform.

18

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 RFC Connections READ, TMW, BACK Before you can use all mentioned scenarios you need to set up your System Landscape in the Solution Manager, which includes: 

defining all your systems (referred to as Satellite systems),



creating appropriate logical components,



assign your Satellite systems to the logical components,



set up your solution design.

The transfer of data between SAP Solution Manager and its Satellite systems is managed by according RFC connections: 







READ (SM_ (SM_CLNT< CLNT Client> _READ): _READ): Used for transfer of data, eg. in Customizing Distribution, Change Request Management, Service Desk, Root Cause Analysis, Monitoring. SID and Client refer to the connected satellite system. TMW (SM_ (SM_< SID>CLNT< CLNT Client> _TMW): _TMW): Used for Change Request Management, used to allow remote creation of transport requests with tasks for the designated developers in the development systems. SID and Client refer to the connected satellite system. TRUSTED (SM_ (SM_CLNT< CLNT Client> _TRUSTED): _TRUSTED): Enables e.g. customizing data transfer from the source to the target system and to enter analyses transactions for System Monitoring and Business Process Monitoring (as described in chapter: RFC Connection: TRUSTED). TRUSTED). SID and Client refer to the connected satellite system. BACK (SM_ (SM_CLNT< CLNT Client> _BACK): _BACK): Used to send SDCCN data or send messages from a satellite system to the SAP Solution Manager system; to check locked customizing objects against changes in scenario Customizing Distribution; provides integration of Change Request Management into the Service Desk. This RFC destination needs a functioning READ destination. SID and Client refer to the SAP Solution Manager system.

In order to create them as easily as possible, the system generates so-called automatically created background users for the appropriate RFC connection needed, when you execute the RFC generation in transaction SMSY. These users are automatically assigned the according profiles to allow a smooth data transfer. In the following screen shot you can see three screen partitions: 

RFCs from the Solution Manager to the Satellite system



RFCs from the Satellite system to the Solution Manager



RFCs that are to be generated, including RFCs for System Monitoring: information retrieval via the RFC Destination for Data Collection and Collection and analysis via RFC Destination for Analysis.

April 2008

19


As you can see for the READ, TMW and BACK RFC connections, the system provides you with a user, which will automatically be created in the Satellite system as soon as you generate this RFC connection. These users are also automatically assigned the according profiles. In case you want to use an already existing user of your Satellite system, you would enter this user and specify the password or not. In this example, DT1 CLNT 800 is the Solution Manager system and ID3 CLNT 800 is the Satellite system, users and password will be automatically generated by the system.

20

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 Profiles Assigned to Background System Users User

Role (Re leas e >= 6.10) in Satell ie system

Profile (< 6.10) in Satellite system

SOLMAN

SAP_S _CUS _CMP

S_CUS _CMP

D at a read acc ess

SAP_S_CMSREG

S_CMSREG

Centr al s ystem rep osi tor y data

SAP_S_BDLSM_READ

S_BDLSM_RE AD

SAP_SATELLITE_E2E

S_AI_SMD_ E2E

End- to- En d Diag nos e (S ol ution Manager Diagnostics)

SAP_SM_S _USER_GRP

S_USER _GRP

Us er Gr oup Displ ay of all us ers for Licence Administration Workbench (LAW) and Business Partner

SOLTMW

SAP_S _CUS _CMP

S_CUS _CMP

D at a read acc ess

SAP_S_CMSREG

S_CMSREG


The most important task of the background user is to create and release transport requests and tasks remotely from Change Request Management. Requests that are created in this way are known to Change Request Management, which means that Change Request Management can control the distribution of these requests within the landscape.

SAP_S_BDLSM_READ

S_BDLSM_RE AD

R ead SDCCN data

SAP_S_TMW _CREATE

S_TMW _CREATE

for cr eatin g an d rel easing transport requests in development systems as well as for setting the project status switch for creating transport requests

SAP_S_TMW _IMPORT

S_TMW _IMPORT

for im imp or ting tr tr ansp ort re requ ests into test systems (empty)

SOLMAN<_Version>

SAP_S _CUS _CMP

S_CUS _CMP

D at a read acc ess

SAP_S_CMSREG

S_CMSREG


SAP_SV_ FDB_NOT IF_BC_ADMIN

SDCCN data

S ervic e Desk Mess ag es

SAP_S UPPDE SK_CREATE SAP_S_BDLSM_READ

Purpose

S er vic e Desk Mess ag e Cr eation S_BDLSM_RE AD

SDCCN data

1

These profiles are more or less static. You will also find the corresponding roles (SAP_), which you would have to assign manually to the created users. These can easily be maintained. In case of RFC problems after generation, see SAP Note 176277 176277:: Generating RFC trace information. Authorization Authorizatio n Object S_RFC to Call Function Groups For certain scenarios certain function groups are needed. In order to start RFC functions from certain function groups, users need to have the authorization object S_RFC in the trusting system (SAP Solution Manager system) as server system which is included in the according roles for the individual scenarios (see later chapters). For instance, the "SYST" function group is needed to call a system. In case it is missing, executing the remote login in SM59 causes the "RFC_NO_AUTHORITY" ABAP runtime error in the target system.

1

Requests that are created, released, or imported locally cannot be identified by Change Request Management in conjunction with a change request and are therefore not part of the Change Request Management transport control and distribution process. For this reason, we recommend that no users (apart from administrators) have authorization to create transport requests or tasks in Change Request Management-controlled clients.

April 2008

21

Security Guide: SAP Solution Manager 7.0 as of SP16 It is also needed in the Satellite systems. Authorization object S_RFC in the Satellite system is included in the automatically generated profiles. The following table gives you an overview of the appropriate field values for the field RFC_NAME needed for authorization object S_RFC in: S_CUS_CMP S_CSMREG D_SOLMAN_RFC S_RFC Profile

Function Group Values in Field RFC_NAME

S_CUS_CMP

S ee SAP Note attac hment: 831535

S_CS MREG


D_SOLMAN_RFC


Authorization Roles and Profiles in the SAP Solution Manager System Due to the system landscape of SAP Solution Manager System and Satellite Systems, it is necessary to assign users with corresponding roles in the SAP Solution Manager including Diagnostics as well as in the Satellite System (so-called Managed Systems in respect to Diagnostics). As most of the mentioned scenarios include actions in the SAP Solution Manager as well as information and data exchange from/to SAP Solution Manager and its Satellite systems, we differentiate for each scenario and process between roles for the SAP Solution Manager and corresponding roles (systems roles (systems with Basis >= Web Application Server 6.10) or profiles (systems with basis < Web Application Server 6.10) in the various Satellite systems. systems.

For details on all roles concerning Diagnostics, refer to Diagnostics Guides on the SAP Service Marketplace: service.sap.com/diagnostics  Installation and Upgrade Guides. The table below provides an overview of the roles and profiles for SAP Solution Manager system. For the Application Server Java, the default user store is the ABAP database, thus users have to be created within transaction SU01 only.

For the according scenarios, users have to be also assigned in the Satellite Systems with the corresponding roles. Solution Manager roles (for individual examples, see APPENDIX -> Examples Examples)) Sce nari o/Functionality

Role

Purpo se IMPLEMENTATION AND DISTRIBUTION

See IMG activity: Information and Configuration (technical Configuration (technical name: SOLMAN_RECOMMEND) for the scenario Implementation and

SAP_SO L_PM _CO MP 1)

Comp os ite r ole: Org anizing and p lanning a proj ect

Upgrade

SAP_SO L_AC_CO MP 1)

Comp os ite r ole: Cr eate Business c onten t and the documentation of operational activities

SAP_SO L_BC_CO MP 1) 1)

Comp os ite ro role: De Development of of cu customer-s pecific programs and authorizations

SAP_SO L_TC_CO MP 1)

Comp os ite r ole: Inst al li ng s ys t ems an d pro viding technical support

SAP_SO L_RO_CO MP 1) 1)

Comp os ite r ole: Re Read- only au auth orizations ffo or SA SAP Solution Manager

SAP_SO L_RE_CO MP 1)

Comp os ite role: R ead us er acc or di ng to st at us (document management)

SAP_ SAP_SO SOL_ L_LE LEAR ARN NING_ ING_M MAP_D AP_DIS IS

For For res resttricte icted d aut autho hori riza zati tion on for for use userr

22

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 Sce nari o/Functionality

Role

Purpo se SOLARSERVICE, which is used for accessing HTTP services in the Solution Manager without login, e.g. for displaying HTML Learning Maps (1); see Basic settings in IMG.

Test Workbench (Workflow) (Extended Traceability package) See IMG activity: Information and Configuration (technical Configuration (technical name: SOLMAN_TEST_WF_INFO) for the scenario Changing of Roadmaps

E-Learning Management

Solution Documentation Assistant 4)

SAP_DMDDE F_DIS

For r estric ted auth ori zation for us er SOLARSERVICE, which is used for accessing HTTP services in the Solution Manager without login, e.g. for displaying HTML Learning Maps (1)

SAP_ SAP_ST STWB_ WB_WO WORK RKF FLOW_C LOW_CR REATE EATE

Use Use Work Workfl flow ow

SAP_ SAP_ST STWB_ WB_WO WORK RKFL FLO OW_ADM W_ADMIN IN

Admi Admin n Work Workflo flow w, Autho Authori rity ty to creat create e Bus Busin ines ess s Partner

SAP_STW B_ B_W ORKFLOW _D _DIS

Display W or orkfl ow

SAP_R MD MDE F_ F_R MA MAUT H H_ _ EX EXE

F or or ad mi mi ni nis ttrr a att or or pur p po os e es s: ch ha an ge ge of r o oa ad ma maps (needs to be granted in addition to SAP_SOL_*_COMP)

SAP_R MD MDE F_ F_R MA MAUT H H_ _D IS IS

F or or disp la lay pur p po os e es s : d is is p pll ay ay of r o oa ad ma maps . (n ee eed s to be granted in addition to SAP_SOL_*_COMP)

SAP_SO L_ L_TRAIN IN ING_AL L

Sin gl gle role (i nc nclu de ded in SAP _S _SOL* Composite r ol ol es es), needed to use E-Learning Management tool.

SAP_SO L_ L_TRAIN IN ING_EDIT

Sin gl gle ro role (i (i nc nclu de ded in in SA SAP _S _SOL* Co Composite ro rol es es), needed to use E-Learning Management tool.

SAP_SDA_ AL L

Ful l auth or i zat ion: n eeds to be added to acc or ding composite Implementation role (SAP_SOL_*_COMP) and Work Center role

SAP_SDA_DIS

Display authori zati on: ne eds t o b e add ed t o according composite Implementation role (SAP_SOL_*_COMP) and Work Center role

GENERAL INFRASTRUCTURE see IMG activity: Information and Configuration (technical Configuration (technical name: SOLMAN_SYST_INFORMAT) Basic Settings -> System Landscape Solution Directory

System Landscape Maintenance (SMSY)

Solution

SAP_SOL MA MAN_DIRECT OR OR Y_ Y_ AD ADMIN

Ad mi minister Da Data in in S ol olu tition Di Dir ec ector y

SAP_SOL MAN_DIRECT OR Y_ EDIT

Maintai n Da Data in in So Sol ution Di Dir ectory

SAP_SO L LM MAN _D _DIRECT OR OR Y_ Y_D IS ISP LA LA Y

Dis p pll ay ay D at at a in S ol olut io ion D irir e ec c tto or y

SAP_SMSY_A LL

Full author i zati on f or tr ans acti on SMS Y, maintenance of systems, servers, databases and logical c omponents omponents

SAP_SMSY_DISP

Display au thori zati on for tr ans action SMSY

SAP_SM_SOL UTION_AL L

Ful l author i zat ion f or s olu ti ons

SAP_S M_SOL UTION_DIS

Display auth ori zati on for s ol utions

SERVICE DESK Service Desk-Messages

April 2008

SAP_S UPPDE SK_ ADMIN

Aut hor izati ons need ed t o c onfigu r e the S er vic e Desk. In addition, it contains the authorizations for the roles SAP_SUPPDESK_PROCESS, SAP_SUPPDESK_DISPLAY, and SAP_SUPPDESK_CREATE,

SAP_S UP UPPDE SK SK_ PR PROCESS

Aut ho hor iz izati on ons ne need ed ed f or or m es es sa sag e (n ot otif ic ic a atti on on) processing, including the use of the solution database

SAP_S UP UPPDE SK SK_CREATE

Create sup po port mess ag ages fr om om the s at atell itit e s ys ystems or in the central SAP Solution Manager system. If a generic RFC user is used to create notifications in the SAP Solution Manager system (that is, the user is specified in the RFC destination in transaction SM59 in the satellite systems), the role will only need to be assigned to this generic RFC user.

SAP_SUPPDE SK_DISP LAY

Display us er

23


Role

Purpo se

Service Provider/Value Added Reseller

SAP_SUPPCF _ADMIN

Ad ministr ator auth ori zation f or cr eati ng and 834534.. processing, and IMG, see: SAP Note 834534

SAP_S UPPCF _CREATE

K ey us er (IT -Op er ator) auth ori zati on to cr eate messages, see: SAP Note 834534 834534..

SAP_S UPPCF _PROCE SS

Sup p ort Em Empl oyee au auth ori zati on to to pr proc ess messages, see: SAP Note 834534 834534..

CHANGE MANAGEMENT Change Request Management -> Schedule Manager; Service Desk, cProjects

SAP_CM_CHANGE_MANAGER_COMP 1)

Approving or rejecting change requests.

SAP_ SAP_CM CM_D _DEV EVEL ELOP OPER ER_C _COM OMP P 1) 1)

Corr Corre ectio ctions ns in the the d dev evel elop opme ment nt s sy ystem stem;; Corr Correc ecti tion ons s in the maintenance and development systems

SAP_CM_TESTER_COM P 1)

T es esti ng ng co corr ec ecti on ons in in the te test s sy ystem¸ T es esting an and validating corrections

SAP_ SAP_CM CM_O _OPE PER RATO ATOR_C R_COMP OMP 1) 1)

Impo mport corr corre ectio ctions ns into into the the pro produ duct ctio ion n syst system em;; Task Task lists

SAP_CM_PRODUCTIONMANAGER_C OMP 1) SAP_SOC M_REQUESTER SAP_CM_ SAP_CM_ADMI ADMINIS NISTRAT TRATOR_ OR_COMP COMP 1)

Maintenance Optimizer

SAP_MAINT_OPT_ADMIN

see IMG activity: Information and Configuration (technical Configuration (technical name: SOLMAN_MAINT_OPTIMIZ) Basic Settings -> Basic BC-Sets for Configuration

SAP_MAINT_OPT_DISP SAP_MAINT_OPT_ADD

Import corrections into the production system; Approve imports into the production systems Create chang e requ ests Custom Customize ize and check check Change Request Request Management functions; Administrative and technical maintenance; The task list administrator in Change Request Management deals with the administrative and technical side of maintenance cycles and urgent corrections; in particular, the Schedule Manager task lists. Ful l auth or ization f or Main tenanc e O ptimizer Displ ay au th ori zation for Maintenanc e Opti mizer Authorization to write Stack-Delta-XML folder into the EPS Outbox of the operating system of Solution Manager (Stack-Delta-XML folder are relevant for JSPM (Java Support Package Manager) and SAP Jup (SAP Java Upgrade) in Java systems

SOLUTION MONITORING See IMG activity: Information and Configuration (technical Configuration (technical name: SOLMAN_MON_INFORMATI) for the scenario Service Data Control

SAP_S DCCN_AL L

S er vic e Data Contr ol C enter A d ministr ation, ch an ge setup

SAP_S DCCN_DIS

S ervic e D ata Cont rol Center D isplay onl y

SAP_S DCCN_EXE

Maintain Ser vic e D ata Contr ol Center

Center

Complete Monitoring (setup and/or operations of EWA; SLR, System Monitoring, Business Process and Interface Monitoring, Central System Administration)

Early Watch Alert

SAP_S V_ V_ SO SO L LU UTION_ MA MANAG E ER R SAP_SV_ SAP_SV_SOLU SOLUTIO TION_M N_MANA ANAGER_ GER_DIS DISP P

Ful l aut h or i zat ion f or all s essions i n ar ea op er ati ons setup

SAP_OP _DSW P

Ful l aut h or i zat ion f or all s essions i n ar ea op er ati ons

SAP_SETUP_DSWP_EWA

SAP_SETUP_DSWP_SLR

SAP_OP _DSW P_SLR

24

Display Display authoriza authorization tion for all functiona functionalit lities ies within within transaction SOLUTION_MANAGER,

SAP_S ETUP_DSW P

SAP_OP _DSW P_EW A Service Level Reporting

Ful l aut ho hor iz iz a att io ion f or or al l f un unc ttii on on al al itit ie ies wi wi th th in in transaction SOLUTION_MANAGER,

Full authorization for session Early Watch Alert in area operations setup (according to BundleID) Ful l author i zat ion f or s essi on E ar lyW atc h Al er t in area operations (according to BundleID) Full authorization for session Service Level Reporting in area operations setup (according to BundleID) Ful l aut hor izati on f or s ession S er vic e Level Reporting in area operations (according to BundleID)

April 2008


Role

System Monitoring

SAP_SETUP_DSW P_ P_SM

Ful l aut hor izati on f or s ession S ystem Mo Monitori ng in area operations setup (according to BundleID)

SAP_OP _DSW P_SM

Ful l aut hor izati on f or s ession S ystem Monitori ng in area operations setup (according to BundleID)

SAP_SETUP_DSW P_ P_BPM

Ful l auth or ization f or s ession Busi ness Pr oc ess Monitoring in area operations setup (according to BundleID)

Business Process Monitoring

Purpo se

SAP_OP _DSW P_BPM

Central System Administration

SAP_S ETUP_DSW P_CSA

Ful l auth or ization f or s ession Busi ness Pr oc ess Monitoring in area operations (according to BundleID) Ful l auth or i zat ion f or s essi on C entral Ser vic e Administration in area operations setup (according to BundleID)

SAP_OP _DSW P_CSA

Ful l auth or i zat ion f or s essi on C entral Ser vic e Administration in area operations (according to BundleID)

JOB SCHEDULING MANAGEMENT See IMG activity: Information and Configuration (technical Configuration (technical name: SOLMAN_JSCHED_INFORM) for the scenario Job Scheduling

SAP_SM_SCHEDU LE LER_ADMIN

Ful l auth or ori za zation i nc ncl ud ud in ing c om ommunic at ati on on to to external tool

SAP_S M_ M_SCHEDU LE LER _E _E XE XE

Ex xe ec u utti on on auth or or iz iz a atti on on i nc nc lu lu di di ng ng c o om m mu mun ic ic a att io ion to external tool

SAP_S M_SCHEDU LER_DIS

Display au thori zati on

REPORTING Solution Reporting

SAP_SO L_REP _ADMIN SAP_SO L_REP _DISP

BI EWA-Reporting 2)

SAP_SM_ALEREMOTE

SAP_BW _S _SOLUTION_MANAGER IT Pe Perf or orm an anc e R ep ep or orti ng ng 5) 5)

Vi a W or ork C Ce e nt nt er er Sy Sys tte em Mo Moni to tor in in g

Auth orizati on f or r eporti ng, maint ai ning s ystem availability data, BI Reporting Aut hor izati on f or r ep ort executi on an d dis pl ay on ly. Authorization for background user in Solution Manager Client, according to profile S_BI-WX_RFC (see SAP Note 150315) Auth orizati on f or tr ans acti on RR MX S ee ee W or ork C Ce ent er er r o oll e and au auth or ori za zati on on ma map pi pi ng ng f or or Work Center System Monitoring

SERVICE CONNECTION and SOLUTION TRANSFER Ser vic e Conn ec tion

SAP_S ERVICE_CONNECT

Sol ution Tr ansf er

SAP_SOLUTION_TRANSFER

Auth or izati ons f or S er vic e C onnecti on Aut hor izati on to transf er a s oluti on from on e SAP Solution Manager system to another SAP Solution Manager system.

DIAGNOSTICS Root Cause Analyses

SAP_ SAP_SOLM SOLMAN ANDIA DIAG_ G_SAP SAPSU SUPP PPOR ORT T

Conta Contains ins the requir required ed auth author oriza izatio tions ns for for using using the Diagnostics for user SAPSUPPORT, see also SAP Note 828533

SAP_SO LMANDIAG_E 2E

RFC C alls f or D i agn ostics ( acc ordi ng pr pr of il e S_SMDIAG_E2E)

SAP_SMDIAG_WIZARD SAP_SMDIAG_TEMPLATE

Authorization for using the Diagnostics Wizard to transfer data from Solution Manager to Diagnostics Authorization to edit templates for Diagnostics SMD and E2E Diagnostics for BI Reporting via Diagnostics according profile S_SMDIAG_BI 4), assigned to Diagnostics user SAPSUPPORT

SAP_BI_E2E

THIRD PARTY PRODUCTS SAP Quality Center by HP See IMG activity: Information and

April 2008

SAP_QC_B Y_HP _ADMIN

Ful l author i zat ion to c onfig ur e, s en en d an d rec ei eive data to/from Quality Center; needs to be assigned additionally with respective role for Implementation

25


Role

Purpo se

Configuration (technical Configuration (technical name:

and Distribution scenario, e.g.

SOLMAN_QC_INFORMATIO) for the scenario

SAP_SOL_PM_COMP SAP_QC_B Y_HP _E XE

Aut hor izati on to work on the QC tab in SOLAR 01/0 2, needs to be assigned additionally with respective role for Implementation and Distribution scenario, e.g. SAP_SOL_AC_COMP etc.

SAP_QC_B Y_HP _DISP

Display Au th ori zati on; n eeds to be assi gn ed additionally with respective role for Implementation and Distribution scenario, e.g. SAP_SOL_RO_COMP

SAP_QC_INTERFACE

Aut hor ization f or b ackgrou nd c ommun ic ati on us er

Ser vic e Desk In terf ac e

SAP_S UPPDE SK_INT ERFACE

Aut hor izati on fo for bid ir ection al interf ac e and configuration; needs to be assigned additionally with respective roles for Service Desk scenario, e.g. SAP_SUPPDESK_ADMIN

SAP CPS (Redwood)

SAP_SM_REDWOOD_COMMUNICATI ON

Redwood Users (Communication User) in RFC Destionation to Solution Manager

SAP_APPSIGHT_INTERFACE

Authorization for background communication user

See IMG activity: Information and Configuration (technical Configuration (technical name: SOLMAN_REDWOOD_INFOR) for the scenario BMC AppSight for SAP Client Diagnostics 4)

CONTINUES IMPROVEMENT Issue Management See IMG activity: Information and Configuration (technical Configuration (technical name: SOLMAN_ISSUE_INFORMA) for the scenario

SAP_I SS SSUE _M _MANAGE ME MENT _A _A LL LL 4) 4)

Ful l aut ho hor iz izat io ion fo for Is su su e M an an ag ag em em en en t

SAP_ SAP_IS ISSU SUE_M E_MAN ANAG AGEM EMEN ENT_ T_EX EXE E 4)

Ope Operati ration ons s Autho Authoriz riza ation tion fo forr Issu Issue e Manag Managem emen entt

SAP_ SAP_IS ISSU SUE_ E_MA MANA NAG GEMEN EMENT_ T_DI DIS S 4) 4)

Disp Displa lay y Aut Autho horrizat izatio ion n fo for Iss Issue ue Mana Manage geme ment nt

SERVICE DELIVERY Onsite Onsite and and Remote Remote Service Service Deliv Delivery ery

SAP_SOLM SAP_SOLMAN_O AN_ONSI NSITE_C TE_COMP OMP SAP_SOLMAN_ONSITE_ALL_COMP

SAP provides two main users for users for Onsite Service Delivery and Remote Service Delivery, see SAP Notes: 834534 and 872800

The following table shows which task list authorizations are assigned to the Schedule Manager roles that included in the Change Request Management composite roles: Developer

Tester

Prod. Manager

Operator

Administrator

Display

X

X

X

X

X

Create

X

---

---

---

X

Change

---

---

---

---

X

Delete

---

---

---

---

X

Run

X

X

X

X

X

Change status

X

X

X

X

X

1) Composite roles with naming convention _COMP convention _COMP consist consist of a number of single roles, which you may also use individually. 2) In the BI-Client (system) the following profiles are required: - Administrator (IMG): Profile S_RS_ALL (according role SAP_S_RS_ALL) - Backgrounduser ALEREMOTE: Profile S_BI-WHM_RFC (according role SAP_BI_ALEREMOTE) 26

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 3) To maintain actions, you need the additional role SAP_PPF_CONFIGURATOR 4) New as of SP16 For security information on passwords, see SAP Note 862989 862989.. New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0) 5) In the BI Client (system) the following roles are required: - for setup: SAP_BW_CCMS_SETUP, SAP_PI_CCMS_SETUP - to view the reports: SAP_BW_CCMS_REPORTING For more information: information: SAP Solution Manager Roles

SAP Note 834534 (SAP Solution Manager Roles)

Role Maintenance

online documentation: Choose Help  Application Help  Solution Manager  Projects  Project Preparation  Roles in Solution Manager

Change Request Management Roles

Online documentation (in SAP Solution Manager system): Help  Application Help  SAP Solution Manager  Change Request Management  Roles in Change Request Management

Authorization Roles and Profiles in the Satellite Systems You need to create users in the satellite systems to enable SAP Solution Manager users to access and configure these systems and perform test activities. Users are created in a satellite system using the User Maintenance tool (transaction code SU01) in that system. In each satellite system, you need to assign authorizations to users for IMG and the Customizing configuration transactions as well as the application transactions to be configured. For details on all roles concerning Diagnostics, refer to Diagnostics on the SAP Service Marketplace: service.sap.om/diagnostics  Installation and Upgrade Guides. For SAP R/3 Releases lower than SAP Web Application Server 6.10, the profiles listed in the table are available, but not the roles. Therefore, you have to explicitly assign the authorization profiles to the relevant users. The table below provides an overview of the roles and profiles for Satellite systems: Sce nario

Role (Rele ase >= 61 0)

Pr ofile (R elea se< 610)

Purpose

SAP_CHANGE MA MAN_D EV EVE LO LOPER

S_TMW _D _DEVELO

Aut ho hor iz izati on ons f or or devel op opers ; This profile contains CTS authorizations for developers: No authorization to create transport requests, and no authorization to release transport requests but to create and release tasks.

SAP_CHANGE MAN_O PERATOR

S_TMW _ _O OPERA

Aut hor izati ons f or op er ators ; This profile contains CTS authorizations for operators: All transport authorizations; no configuration authorizations

SAP_CHANGE MAN_ADMIN

S_TMW _ADMIN

Aut hor izati ons f or a ad dministr ators ; This profile contains CTS authorizations for administrators: All authorizations in the CTS (including configuration)

CHANGE MANAGEMENT Change Request Management

SERVICE DATA CONTROL CENTER Ser vic e Data C ontr ol

April 2008

For B asis W ebAs >=610

For B asis 4*

S er vic e Data Contr ol C enter

27

Security Guide: SAP Solution Manager 7.0 as of SP16 Sce nario



Purpose

Center

SAP_S DCCN_AL L

S_SDCCN _A LL

Ad ministr ati on, chang e s etu p

For Basis WebAs >=610

For Basis 4*

SAP_SDCCN_EXE

S_SDCCN_EXE

Maintain Service Data Control Center

For Basis WebAs >=610

For Basis 4*

SAP_SDCCN_DIS

S_SDCCN_DIS

Service Data Control Center Display only

SOLUTION MONITORING System Monitoring and/or Central System Administration

SAP_BC_BASIS_ADMIN

C ont ai ns main tr ans acti ons f or Basis Administration

IMPLEMENTATION AND DISTRIBUTION Customizing Distribution and Comparison

SAP_BC_CUS _ADMIN

Ad ministr ati on of Customizing projects; in addition: Authorization object S_RFC is missing and needs to be maintained (transaction PFCG). values: ACTI: 16 RFC_NAME: S_SOLAR_RFC_00 RFC_TYPE: FUGR

SAP_B C_CUS_CUSTOMIZER

Ch ang in g customizing s etti ngs see SAP_BC_CUS_ADMIN S_CUS_CMP

S ee ee al als o Onli ne ne Do Docu me mentati on on: SAP Solution Manager -> Projects -> Customizing Distribution and Comparison system settings

Customizing Scout and System Landscape

SAP_SOLAR_SATEL ITE_SCOUT

Customizing Sc out

SAP_SOLAR_SATEL ITE_SMSY

S ystem L an dscap e

CATT

SAP_BC_CAT_TESTER

T esti ng wit h CATT

SAP_B C_CAT_TESTORGANIZE R eCatt Testworkbench

See SAP n ote 519858 SAP_TW B_TESTER

Testi ng with test workb ench

SAP_TW B_COORDINATOR

Coordi nati on wit h test workbench

SAP_TW B_ADMINISTRAT OR BC Sets

Tes tor gani zati on with CATT

Ad ministr ati on with tes t workbench

SAP_B CS_ACTIV

Acti vation BC S ets; s ee SAP note 505603

SAP_B CS_CREAT

Cr eating BC S ets

SAP_B CS_ADMIN

Ad ministr ation of BC S ets DIAGNOSTICS

Root Cause Analyses

SAP_JAV A_SUPPORT

Author ization f or Diagn ostics. Al l users of Diagnostics have to be assigned this role

SAP_JAV A_NW ADMIN_CENTRAL_READONLY

All us us ers of of D iagnos tics h ave to be assigned this role

SAP_SLD_GUEST

28

For read-only access to the SLD application, the user must belong to the group having the LcrUser J2EE server role (e.g. a group

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 Sce nario



Purpose named SAP_SLD_GUEST ).

SAP_XI_DISPLAY_USER SAP_XI_MONITOR SAP_SATELLITE_E2E_DISP

Only for XI systems Only for XI systems Display Diagnostics transactions ST-PI

Roles and Profiles are customizing entries. If profiles are delivered with new or changed authorizations they have to be transported to your productive client. Import Authorization Checks Change Request Management uses the import functions of the Transport Management System (TMS). The TMS remote infrastructure is based on RFC connections that point solely to the 000 client of a target system. For this reason, you must make sure that Operators and Administrators have users both in the client into which changes are imported, and in the 000 client of these systems.



Automatic Imports In test systems, it is sometimes necessary that imports are performed automatically. If you want developers within the Change Request Management scenario to start imports into a test system automatically, you must add the profile S_TMW_IMPORT to the user TMSADM in client 000 of the test system. Since S_TMW_IMPORT is delivered empty, you have to assign it the authorizations S_CTS_IMPALL and S_CTS_IMPSGL, which are also contained in the authorization object S_CTS_ADMI.



It is now possible possible to t o start an import into this system from every satellite system within your domain by using the CPIC user TMSADM; therefore, do not use this method in production systems or in any other security-critical systems. The system where you want to start the import automatically must share the same transport directory as its preceding system. If the transport directories were different, the user who starts the import would need “addtobuffer” authorizations for the buffer adjustment, which would present a security risk not only for the system concerned, but also for the whole landscape (including the production system). Regarding Change Request Management, the following table shows which transport methods are assigned to the background users in the target client and in client 000. In addition, the table indicates which roles are required for real users when using trusted RFC destinations:

April 2008

29


(*) If you want developers within the Change Request Management scenario to start imports into a test system automatically, automatically, you must add the profile S_TMW_IMPORT S_TMW_IMPORT to the user TMSADM in client 000 of the test system. You have to assign it the authorizations S_CTS_IMPALL and S_CTS_IMPSGL which are contained in S_CTS_ADMI. Do not use this method in production systems or in any other security-critical systems. The system where you want to start the import automatically must share the same transport directory as its preceding system. For more information: Role Maintenance

Online documentation (in the SAP Solution Manager system): Choose Help  Application Help  Solution Manager  Projects  Project Preparation  Roles in Solution Manager

Change Request Management Roles

Online documentation (in SAP Solution Manager system): Help  Application Help  SAP Solution Manager  Change Request Management  Roles in Change Request Management

Authorizations Authorizations for f or Customizing

Online documentation for IMG (transaction SPRO) -> chapter Create Solution Manager Configuration User.

Authorizations Authorizations ffor or Customizing Customizing Distribution Distribution

Online documentation (in the SAP Solution Manager) (transaction SCDT_SETUP) -> Help  Application Help  Customizing Distribution  Customizing Customizing Distribution System Settings

Work Center Roles in the Solution Manager System As of Solution Manager 7.0 SP15 a number of Work Center roles are delivered. Work Center Roles (naming convention: SAP_SMWORK_) are based on the authorization roles approach (transaction PFCG). Still, in contrast to authorization roles which contain a number of authorization objects, Work Center roles do not contain any active authorization objects, but only menu entries. The menu entries consist of a two folder hierachy. They display the menu hierarchy/entries in the NetWeaver Business Client (NWBC). The first level always consists of the homepage WebDynpro Application of the according Work Center (e.g. Incident Management). The second level consists of several related links, such as Service Marketplace etc.. Work Center roles are always single roles. They need to be assigned to the user in ADDITION to the authorization roles for the individual scenarios (e.g. SAP_SUPPDESK_* and SAP_SUPPCF_*) and single role SAP_SMWORK_BASIC. Work Center roles do not contain authorizations, 30

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 therefore it is not necessary to generate an authorization profile. If a user is to be assigned more than one Work Center, the single roles can be combined to composite roles according to your needs. In this case, the merge of menu entries is not necessary and should not be done. Each end user who works with Work Centers needs to be assigned role SAP_SMWORK_BASIC. This role provides all the necessary authorizations for the Work Centers themselves, such as authorization for POWL (table control) and navigation. It needs to be fully maintained, including profile generation and user comparison. The following table provides an overview and mapping of the Work Center roles and standard Solution Manager roles. INCIDENT MANAGEMENT Work Center Role: SAP_SMWORK_INCIDENT_MAN Vie w

Link

Overview

M apping of Aut horiz ation Ro les SAP_SUPPDESK_*; (SAP_SUPPCF_* in case of Service Provider)

Messages Search Reports Common Tasks

SAP_S M_SOLUTION_* (in c as e of s olution -dependen d rep ortin g), S AP_SO L_REP_* N ew ew mes sa sag e

SAP_ SU SUPPDE SK SK_* ; (SA P_ P_SU PP PPCF _* _* i n c a as s e of S er er vi vic e Pr o ov vi de der )

Sea Search rch for for SAP SAP Not Note

URL URL - n no o au authori horiza zattion ion che check

Transa Transact ction ion Monit Monitor orii

SAP_S SAP_SUP UPPD PDESK ESK_*; _*; (SAP_ (SAP_SUP SUPPC PCF_* F_* in case case of of Serv Service ice Provi Provide der) r) CHANGE MANAGEMENT Work Center Role: SAP_SMWORK_CHANGE_MAN

Vie w

Link

M apping of Aut horiz ation Ro les

O verview

SAP_ MAINT_OPT_* / SAP_ SM_SOLUTION_* / SAP _CM_* _COMP

Change Request

SAP_CM_*_COMP

Hot News

SAP_SM_SOLUT ION_*

Maintenance Optimizer

SAP_MAINT_OPT_* / SAP_SM_SOLUTION_*

Test Management

SAP_SOL_*_COMP (acc. to function, e.g. Tester or Testorganizer)

Reports

SAP_SOL_REP _*/ SA P_SM_SOLUTION_*

Common tasks

N ew ew Ch an ang e R eq eq ue uest

SAP_C M_ M_* _C _CO M MP P

New Maintenance Transaction

SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* IMPLEMENTATION AND UPGRADE Work Center Role: SAP_SMWORK_IMPL

Vie w

Link


O verview

Pr oj ec t

Impl ement ation an d Upgr ad e (acc ord ing to Business r ole, e. g. Pr oj ec t Manager or Technical Consultant etc.) SAP_SOL_*_COMP (Project Administration)

Evaluate

Access Business Map

URL - Service Marketplace: no authorization check

Download Solution Composer Access SAP Best Practices Access Business Process Repository

April 2008

WebDynpro BPR - no authorization check

31

Security Guide: SAP Solution Manager 7.0 as of SP16 Acce Access ss proj proje ects cts

Impl Implem emen enta tati tion on and and Upgr Upgrad ade e (acco (accord rdin ing g to Busi Busine ness ss role role, e.g e.g.. Proj Proje ect Mana Manage gerr or Technical Consultant etc.) SAP_SOL_*_COMP (Project Administration)

Plan

Access Solution Directory

SAP_SOLMAN_DIRECTORY_* / SAP_SM_SOLUTION_*

Pr oj oj ec ec ts ts

Impl em ement at ation an d Upgr ad ad e (acc or ord in ing to Business r ol ole, e. g. g. Pr oj oj ec ec t Manager or Technical Consultant etc.) SAP_SOL_*_COMP (Project Administration)

R oa oadmap

Impl em ement at ation an an d Upgr ad ad e (acc or ord in ing to Business r ol ole, e. e. g. g. Pr Pr oj oj ec ec t Manager o orr Technical Consultant etc.) SAP_SOL_*_COMP (Roadmap) Changing of Roadmaps SAP_RMDEF_RMAUTH_*

Busin Business ess Bluep Blueprin rintt

Imple Implemen menta tatio tion n and and Upgra Upgrade de (acco (accordi rding ng to Busin Business ess role, role, e.g. e.g. Proje Project ct Manag Manager er or Technical Consultant etc.) SAP_SOL_*_COMP (Business Blueprint)

Build

Con Configu figura rattion ion

Imple mpleme ment nta ation tion and Upgr Upgra ade (acc (accor ordi ding ng to Busi Busine ness ss role role,, e.g e.g.. Proje roject ct Mana Manage gerr or Technical Consultant etc.) SAP_SOL_*_COMP (Business Blueprint)

E-L ea ear n nii ng ng

Im pl pl em em en en ta tat io ion an d Upgr a ad de (a ac cc o orrd in in g t o B us us in in es es s r o oll e, e, e. e. g. g. Pr o ojj ec ec t Man ag ag er er or Technical Consultant etc.) SAP_SOL_*_COMP (E-Learning)

Customizing Distribution

Implementation and Upgrade (accordin g to Business role, e.g. Project Manager or Technical Consultant etc.) SAP_SOL_*_COMP (Customizing Distribution)

BC-S ets Test

N o auth or ization ch ec k - E-L earning Management SAP_SOL_TRAINING_* - General Infrastructure: Cutover to Test (transaction SOLMAN_DIRECTORY "Solution Directory") SAP_SOLMAN_DIRECTORY_*

Going Live Preparation

Go to Solution Directory

SAP_SOLMAN_DIRECTORY_*

Goin g Li ve Ch Ch ec k

URL-n o au auth ori zation ch eck

SAP SAP Early EarlyWat Watch ch Aler Alertt

SAP_ SAP_SM SM_S _SOL OLUT UTIO ION_ N_** / SAP_O SAP_OP_ P_DS DSWP_ WP_E EWA

Reports

Impl ement ation an d Upgr ad e (acc ord ing to Business r ole, e. g. Pr oj ec t Manager or Technical Consultant etc.) SAP_SOL_*_COMP

C om om mo mon T as as ks ks

R oa oadmap

Im pl pl em em en en ta tat io ion an d Upgr a ad de (a ac cc o orrd in in g t o B us us in in es es s r o oll e, e, e. g. g. Pr o ojj ec ec t Man ag ag er er or Technical Consultant etc.) SAP_SOL_*_COMP (Roadmap) Changing (Define and Maintain) of Roadmaps SAP_RMDEF_RMAUTH_*

Related Links

S ystem Landscap e

SAP_SMSY_*

Project Project Administ Administratio ration n

Impleme Imp lementat ntation ion and and Upgrade Upgrade (accordi (according ng to Business Business role, role, e.g. e.g. Project Project Manager Manager or or Technical Consultant etc.) SAP_SOL_*_COMP (Project Administration)

Lea Learni rning Map Maps s

Imple mpleme ment nta ation tion and Upgr Upgra ade (acc (accor ordi ding ng to Busi Busine ness ss role role,, e.g e.g.. Pro Proje ject ct Mana Manage gerr or or Technical Consultant etc.) SAP_SOL_*_COMP (E-Learning) JOB MANAGEMENT Work Center Role: SAP_SMWORK_ JOB_MAN

Vie w O verview

32

Link

M apping of Aut horiz ation Ro les SAP_SM_SCHEDU LER_ADMIN _*

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 Job Monitor ing

SAP_OP _DSW P_BPM / SAP _SM_SO LUTION_*

Job Documentation

SAP_SM_SCHEDULER_ADMIN_*

Job Scheduling Reporting Common Tasks R el el at at ed ed Li Li nk nks

SAP C en entr a all Pr Pr o oc ce es ss Scheduling by Redwood

URL - no authorization check SERVICE DELIVERY

Work Center Role: SAP_SMWORK_ SERVICE_DEV Vie w

Link


O verview

SAP_SV_SO LUTION_ MANAG ER, S AP_SM_SO LUTION_*,. SAP_ISSUE_MANAGEMENT_*

SAP Delivered Services

SAP_SV_SOLUTION_MANAGER, SAP_SM_SOLUTION_*,.

Self Delivered Services Issue and Top Issues

SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_*

Tasks Reports Common Tasks

SAP_SOL_REP _* / SAP_SM_SOLUTION_* Create Issue

SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_*

Create Top Issue

R el el at at ed ed Li nk nks

Display Business Process

SAP_OP_DSWP_BPM (correct maintenance needed for display) /SAP_SM_SOLUTION_DIS

Data Transfer Configuration

No authorization check

S ol ol ut uti on on M an an ag ag er er Operations

SAP_SV_SOLUTION_MANAGER (full authorization for Solution Monitoring - Operations and Setup) SETUP Work Center Role: SAP_SMWORK_ SETUP

Vie w

Link


O verview

S elfdiagn os is

SAP_SM_SOLUT ION_*

Solution

S ol uti ons (c (c reate)

SAP_SM_SOLUT ION_*

S er er vi vic e Conn ec ec titi on on

SAP_S ER ERVICE_CONNE CT CT

S ol ution Transf er er

SAP_SO LUTION_TRANSFER

Operations Setup (EWA)

SAP_SETUP_DSW P_EWA/ SAP_SM_SOLUTION_*

E xp ort and Im port

SAP_SOLAR_ MIGRATION

General project related tasks

SAP_SOL_*_COMP

S ystems s et up

SAP_SMSY_*

Syste Systems ms Mainte Maintenan nance ce

SAP_S SAP_SOLM OLMAN AN_D _DIR IREC ECTOR TORY_ Y_** / SAP_SM SAP_SM_SO _SOLU LUTI TION ON_* _*

RFCRFC-De Desti stinat nation ions s

Templa Template te role role for author authoriza izatio tions ns for SM59 SM59 is is not not del delive ivered red with with ST, role role m must ust be create created d individually.

Project

Systems

Users

Speci pecifi fic c Setup Setup

April 2008

Temp late roles for author izati ons f or SU 01, PFCG, SU 10 or S UIM ar e not d elivered with ST, roles must be created individually. Alternatively, role SAP_BC_USER_ADMIN can be used (NOTE: full administration authorization) Syst System em Adm Admin inis isttrat ration ion

SAP_ SAP_SM SM_S _SOL OLU UTIO TION_* / SAP_ SAP_SE SETU TUP_ P_DS DSWP_ WP_C CSA

33


Common Tasks

Related Links

Service Level Reporting

SAP_SM_SOLUTION_* / SAP_SETUP_DSW P_SLR

Syst System em Moni Monito torring ing

SAP_ SAP_SM SM_S _SOL OLU UTIO TION_* / SAP_ SAP_SE SETU TUP_ P_DS DSWP_ WP_SM SM

E ar arl yW yW at atch Al er ert

SAP_ SM SM _S _SOL UT UT IIO ON_ * / SAP _S _SETUP_ DS DSW P P_ _EW A

Connectiv Connectivity ity Moni Monitorin toring g

Transac Transaction tion:: SOLUTI SOLUTION_M ON_MANA ANAGER GER (no autho authoriza rization tion check) check)

IT-Performance Reporting

SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM

Landscap e Maintenanc e

SAP_SMSY_*

RFC RFC Connec Connectio tion n Error Error

Transa Transact ction ion:: SOLUTI SOLUTION_ ON_MAN MANAG AGER ER (no autho authoriz rizati ation on check check))

Implementation Implementation Guide (SPRO)

Profile SAP_ALL

Implementation Implementation Guide (SPRO)

Profile SAP_ALL

Solution-ManagerMigration

SAP_SOLAR_MIGRATION

General Task related to system configuration of Solution Manager (IMG)

Profile SAP_ALL

SYSTEM ADMINISTRATION Work Center Role: SAP_SMWORK_ SYS_ADMIN Vie w

Link


O verview

S ystem (G en eral Infrastructure)

SAP_SMSY_*

User Management

Template roles for authorizations for SU01, PFCG, SU10 or SUIM are not delivered with ST, roles must be created individually. Alternatively, role SAP_BC_USER_ADMIN can be used (NOTE: full administration authorization)

Administration Tools

Template roles for nonspecific Solution Manager transactions (functionalities) can be found in the according documentation for these functionalities

Setup

Related Links

CSA

SAP_SETUP_DSW P_CSA / SAP_SM_SOLUTION_*

Solutions (General Infrastructure)

SAP_SM_SOLUTION_*

DBA C oc kpit

SAP_BC_DB _ADMIN

Landscape Printing Assistant

Template role for authorizations for transaction PAL is not delivered with ST, role must be created individually.

Solution Manager Diagnostics

URL - no authorization check

Issu Issue e Mana Manaag agem emen entt

SAP_ SAP_IS ISSU SUE_M E_MAN ANAG AGEM EMEN ENT_ T_** / SAP_ SAP_SM SM_S _SOL OLUT UTIO ION_ N_** SYSTEM MONITORING Work Center Role: SAP_SMWORK_ SYS_MON

Vie w

Link


O verview

S ystems/ s olutions

SAP_SMSY_* / SA P_SM_SOLUTION _*

Al er t I nbox

S ystem al erts

SAP_OP _DSW P_SM / S AP_SM_SOLUTION_*

Proactive Monitoring

Sy ys s tte em / s o oll ut ut io ions

SAP_ SM SMS Y_ Y_* / S AP AP_ SM SM_ SO SO L LU UT IIO ON_ * Template roles for nonspecific Solution Manager transactions (functionalities) can be found in the according documentation for these functionalities

34

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 Connectivity Monitoring

RFC RFC Dest Destin inat atio ions ns

SAP_ SAP_SM SMSY SY_* _* / Tem Templa plate te rol role e fo forr autho authori riza zati tion ons s for for SM59 SM59 is is not not deli delive vere red d wit with h ST, ST, role role must be created individually. Alternatively, role SAP_BC_USER_ADMIN can be used (NOTE: full administration authorization)

Job Monitor ing

Job Sc hed ul ing

SAP_SM_SCHEDU LER_*

Reporting

Tab systems: EWA Reporting

SAP_OP_DSW P_EWA / SAP_ SM_SOLUTION_*

Tab systems: ITPerformance Performance Reporting

SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*

Tab solutions: Service Level Reporting

SAP_OP_DSWP_SLR / SAP_SM_SOLUTION_*

Tab solutions:Availability Reporting

SAP_SOL_REP_* / SAP_SM_SOLUTION_*

Syst System em Moni Monito torring ing

SAP_ SAP_SE SETU TUP_ P_D DSWP_* SWP_* / SAP_ SAP_SM SM_S _SOL OLU UTION TION_* _*

Service Level Reporting

SAP_SM_SOLUTION_* / SAP_SETUP_DSW P_SLR

E ar arl yW yW at atch Al er ert

SAP_ SM SM _S _SOL UT UT IIO ON_ * / SAP _S _SETUP_ DS DSW P P_ _EW A

Connectiv Connectivity ity Moni Monitorin toring g

Transac Transaction tion:: SOLUTI SOLUTION_M ON_MANA ANAGER GER (no autho authoriza rization tion check) check)

IT-Performance Reporting

SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM

S ol uti ons

SAP_SM_SOLUT ION_*

S elf Diag nosis

SAP_SM_SOLUT ION_*

Solution Manager Diagnostics

URL - no authorization check

W ily I ntrosc ope

URL - n no o au auth or izati on ch ec k

Setup

Related Links

SYSTEM LANDSCAPE MANAGEMENT Work Center Role: SAP_SMWORK_ LANDSCAPE MANAGEMENT Vie w

Link


Overview

S ys ystem / s ol oluti on on

SAP_SMSY_* / SA P_ P_SM_SOLUTION _* _*

Common T as ks

Cr eate s oluti on

SAP_SM_SOLUT ION_*

Related Links

System Landscape Solution Manager

SAP_SMSY_*

S er er vi vic e Conn ec ec titi on on

SAP_S ER ERVICE_CONNE CT CT

Downtime Management Transport Management System Installation Setup

BUSINESS PROCESS AND INTERFACE MONITORING Work Center Role: SAP_SMWORK_ BPM Vie w

Link


O verview

Op erati on Bu Busi ness Process Monitoring

SAP_OP_DSWP_BPM, SAP_SM_SOLUTION_*

Business Process

Operation Business Process Monitoring/ Service Desk Message

SAP_OP_DSWP_BPM, SAP_SM_SOLUTION_*

Al er t D etail

April 2008

SAP_SUPPDESK_* / SAP_SUPPCF_* (in case of Service Provider) SAP_OP _DSW P_BPM, S AP_SM_SO LUTION_*

35

Security Guide: SAP Solution Manager 7.0 as of SP16 Alert Inbox Reports Common Tasks

R el el at at ed ed Li nk nks

Solu Soluti tion on Dire irecto ctory

SAP_ SAP_SO SOLM LMAN AN_D _DIIREC RECTORY TORY_* _*,, SAP_ SAP_SM SM_S _SOL OLUT UTIION_* ON_*

Setup Business Process Monitoring

SAP_SETUP_DSWP_BPM /SAP_SM_SOLUTION_*

S ol ol ut uti on on M an an ag ag er er Operation - transaction SOLUTION_MANAGER

SAP_SV_SOLUTION_MANAGER (full authorization for Solution Monitoring - Operations and Setup) ROOT CAUSE ANALYSIS Work Center Role: SAP_SMWORK_ DIAG

Vie w

Link


O verview

C onf ig urati on

No authorization check

SAP Diagnostics

URL- no authorization check

Configuration Related Links

SAP Diagnostics Setup Solution Documentation Assistant Work Center Role: SAP_SMWORK_ SDA Vie w

Link


O verview

all

SAP_SDA_* ; SAP_SOL_* _COMP

Analysis Projects

all


Analys es

all


Related Links

all


Related Links

all


For detailed information on menu entries, see SAP Note

834534

EXAMPLE: System Administrator The role described underneath is delivered with Stack 15 as an example role. If you use this role, please copy it, maintain all authorization roles and execute the user comparison. You want your System Administrator to use the Work Centers of Solution Manager. Your System Administrator should maintain your System Landscape and should take care for the smooth running of all its systems. Therefore, he/she uses the following Work Centers: 

System Landscape Management (Work Center role: SAP_SMWORK_LANDSCAPE_MAN)



System Monitoring (Work Center role: SAP_SMWORK_SYS_MON)

System Administration (Work Center role: SAP_SMWORK_SYS_ADMIN) According to the Mapping Table above, the Work Center roles for these three Work Centers need to be granted. In addition, the appropriate Authorizations roles with full authorization are needed: 

36



Authorizations for Work W ork Centers: Centers: SAP_SMWORK_BASIC SAP_SMWORK_BASIC



System Landscape Maintenance: SAP_SMSY_ALL



Solutions: SAP_SM_SOLUTION_ALL



Setup System Monitoring: SAP_SETUP_DSWP_SM



Setup System Administration: SAP_SETUP_DSWP_CSA



Operations System Monitoring: SAP_OP_DSWP_SM



Operations System Administration: SAP_OP_DSWP_CSA



Service Connection: SAP_SERVICE_CONNECT

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 Roles for transactions that are not delivered with Solution Manager (ST) are not included, as well as roles for Issue Management, Job Scheduling and Availability Reporting. All roles were then included in a composite role for the System Administrator SAP_SMWORK_ADMINISTRATOR_COMP and user comparison was executed.

SLD (System Landscape Directory) Security Roles If you have attached the System Landscape Directory, you need to generate roles for set SLD users for the communication of ABAP and Java: SLD User

Role

Purpose

SLDAPIUSER

N o r ole r equ ired

To s end data fr om SAP S oluti on Manag er t o SLD

SAPJSF (S ervic e Us er)

SAP_B C_JSF_CO MMUN ICATION_RO

To read data fr om SLD

SAP_ SAP_BC BC_A _AI_ I_LA LAND NDSC SCAP APE_ E_DB DB_R _RFC FC

Cont Contex ext: t: Appl Applic icat atio ion n inte integr grat atio ion n infrastructure

J2EE_ADMIN (Service User)

This role enables write access to the database tables of the SAP System Landscape Directory (SLD). The role has to be assigned to the user who makes the RFC calls from the SLD.

SAP_J2EE_ADMIN

J2EE_GUE ST (S er vic e Us er)

April 2008

SAP_J2 EE_GUEST

Role that is assigned to the users that are to have administrator rights in a connected SAP J2EE Engine. Engine. Used to attach a local UME to the central ABAP user management. Role that is assigned to the users that are to have guest authorizations in a connected SAP J2EE Engine. Engine.

37


SLM (Software Lifecycle Manager) Security Roles The security roles in the SLM are analogical to the security roles in the SLD. For detailled information see: help.sap.com/nw70 -> Functional View -> Solution Life Cycle Management -> Software Life Cycle Management. S-User Authorization The S-user is used for accessing SAP internal systems via special RFC destinations like SAP-OSS und SAP-OSS-LIST-O01 (see chapter Communication Destinations). Destinations). Background jobs (see chapter Background Jobs)) control the access via RFC destinations and the data communication. S-users (that have the correct Jobs authorizations) are needed to open the gate and trigger dedicated functions at SAP side. For several use cases it is necessary to assign a SAP Support Portal contact to SAP Solution Manager system users who will communicate with SAP Support Portal via RFC-Destination SAP-OSS. The contact you maintain corresponds to the S-user in SAP Support Portal without 'S'. See: IMG (transaction SPRO) activity: Assign S-User for SAP Support Portal functionaliy (SOLMAN_PROFILE_PARAM). functionaliy (SOLMAN_PROFILE_PARAM). For the customer specific RFC-Connection (scenario: Service Provider) no authorization for the assigned S-User is necessary. In the SAP Support Portal , your S-user needs to have the following authorizations for the individual functionalities: Service Desk and Expert-on-Demand Create message

ANLEG: Create SAP message

Create and send messages

GOSAP: Send to SAP

Confirm messages

QUITT: Confirm SAP message

Display/change Secure Area

PWDISP Display Secure Area PWCHGE Change Secure Area

Value Added Reseller: Download Data from SAP Administration Authorization

ADMIN

Maintain all Logon Data

Value GLOBAL

Maintain User Data

USER

Maintain System Data

INSTPROD Value Added Reseller: Customer

Maintain System Data

INSTPROD

Service Desk and Expert-on-Demand Create message

ANLEG: Create SAP message

Send messages

GOSAP: Send to SAP WAUFN: Reopen SAP message

Confirm messages

QUITT: Confirm SAP message

Display/change Secure Area

PWDISP Display Secure Area PWCHGE Change Secure Area Service Connection

Open Service Connections

SVER Open Service Connection

Setup/migrate a Service Connection

SVER Open Service Connection INSTPROD Maintain System Data

38

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 SAP HotNews SAP notes search

NOTES: Search f or notes

Backgroundjobs As soon as a Solution is created within the Solution Manager system the backgroundjob SM:SCHEDULER with program RDSWPJOBSCHEDULER is automatically started. This program executes all programs which are marked as active in table DSWPJOB. You should not alter configurations in this table. See as well SAP Note 894279 894279.. The following table provides an overview over all backgroundjobs, whether they are included in DSWPJOB and which RFC connection is used: Bac kgroundjob/ pr ogra m, report

Us e

RFC Connection us ed ( s ee as well chapter Communication Destinations)) Destinations SERVICE DELIVERY

SM:GET CSN COMPONENTS/ DSWP_GET_CSN_COMPONENTS

Transfer CSN Components to Solution Manager (DSWPJOB)

SAPOSS

SM:SYNC SOLMAN INFO/ RDSMOPSERVICEINFOS

Self-Service: Components used by customers (DSWPJOB)

SAPOSS

SM:TOP ISSUE TRANSFER/ RDSWPCI_TOPISSUE_TRANSFER

This transfers the top issues that you have exchanged with SAP once a week. (DSWPJOB)

SAP-OSS

SM:SURVEY TRANSFER/ RDSWPCI_SURVEY_TRANSFER

This transfers the questionnaires for customer satisfaction with the service session and issue processing to SAP. (DSWPJOB)

SAP-OSS

SM:SEND_SOLUTIONS_TO_SAP/ RDSMOPCOLLECTSOLUTIONDATA

This report sends the data of the respectively configured solutions to SAP (DSWPJOB)

SAP-OSS

SM_SYNC_SAP SESSIONS/ RDSWPCISERVICEPLAN; RDSMOPSERVICESESSIONS RDSWPBACKGROUNDSERVICES_4; RDSWPBACKGROUNDSERVICES_3;

Get Serviceplan from SAP (DSWPJOB -> RDSMOPSERVICESESSIONS; RDSWPBACKGROUNDSERVICES_4 and RDSWPBACKGROUNDSERVICES_3 nonactive) The session scheduling in the s ervice plan is updated daily by SAP. This report is necessary to receive service plans from SAP

SAP-OSS

SM:FILL ISSUE BUFFER TABLE/ DSWP_CI_ISSUE_BUFFER_TABLE

Fill Issue Buffer Table (DSWPJOB)

SM:MIGRATE_ISSUE_PROJECT_CONTEXT/ RDSWPCI_ISSUE_PROJECT_CONTEXT1

(DSWPJOB)

SM:SYNC ISSUES FROM CRM/ RDSWP_ISSUE_REFRESH

Table DSWPISSUE contains information from the CRM document and the support message (Context). This table is updated. (DSWPJOB)

SOLMAN_ISSUE_STATUS_REFRESH/ RBM_REFOBJ_BUFFER_UPDATE

The SAP Solution Manager buffers message attributes such as the current user and the processing status. This periodic job collects these message attributes from the message system and makes them available for analysis. SERVICE DESK This refreshes the contents of Support Desk or Expert-on-Demand messages that have been processed by SAP. Recommendation: Deactivate this job and schedule a customerspecific variant (DSWPJOB).

SAP-OSS-LIST-O01

SM:GET CSN COMPONENTS/ DSWP_GET_CSN_COMPONENTS

Transfer CSN Components to Solution Manager (DSWPJOB)

SAPOSS

AI_SDK_FILL_FILE_TYPE_TABLE /

Only specified file types can be sent to SAP, for

AI_SDK_FILL_FILE_TYPE_TABLE

security reasons, all other attachments sent to

SM:RNOTIFUPDATE01/ RNOTIFUPDATE01

SAP-OSS

SAP are refused by SAP. For SAP being able to read all the attachments which you send with

April 2008

39

Security Guide: SAP Solution Manager 7.0 as of SP16 Bac kgroundjob/ pr ogra m, report

Us e

RFC Connection us ed ( s ee as well chapter Communication Destinations)) Destinations

your message, the program updates the file type tables AISDK_FILETX and AISDK_FILETY. SOLUTION MONITORING /BDL/TASK _PROCE SSOR

St arts al l nec ess ar y tasks ( Main tenanc e T as k) in satellite systems for Service sessions (e.g. EWA) (automatically scheduled when SDCCN is activated in Satellite system

SM:EXEC SERVICES/ RDSMOPBACK_AUTOSESSIONS

Executes Service sessions in Solution Manager Carries out services daily (or weekly) and schedule new services (DSWPJOB)

SM:CSA SESSION REFRESH/ DSVAS_APPL_CSA_REORG_TASKTABLE;

CSA Session Refresh (DSWPJOB) The Central System Administration (CSA) session is opened in the background and processed every hour. This updates the task status icons in the SAP Solution Manager graphic.

RDSMOPSOL_MONIREFRESH

SM:CSA UPDATE TASKSTATUS/ DSVAS_APPL_CSA_UPD_TASKSTATUS

CSA Task Status Update (DSWPJOB) updates status symbols of CSA tasks in the graphical overview of systems

SM:CSDCC HANDLE TASKS/ RCSDCCHANDLETASKS

(DSWPJOB)

SM:SESSIONS RESET/ RDSMOP_SESSSION_RESET

Session initialization. The set-up sessions are automatically reset after a new ST-SER release is implemented or after a new Support Package is imported. This ensures that these sessions always run on the newest check source code (DSWPJOB)

SM:MIGRATE EWACUSTOMIZING/ RDSWPMIGRATEEWACUSTOMIZING

Migrate EWA Customizing (DSWPJOB)

SM:SET DEFAULT RATING/ RDSWPSETDEFAULTRATINGHIERARCHY

Set default rating (DSWPJOB -> Non-active)

SM:SOLMAN MONITORING/ RDSWP_FILL_CCMS_ALERTS

Supplies the monitoring object of the CCMS for every solution with data from the Solution Manager, for example EWA, SL Reporting and Transaction SDCCN. (DSWPJOB)

SM:DOWNLOAD DELETION/ RDSWPDOWNLOADDELETION

The download data which is more than 30 days old, is deleted (DSWPJOB)

Program name: RDSWP_DTM_UPDATE_DT_STATUS

To update downtime status. To be run daily, at 00:00 to 00:10 hrs; Period : 1.

TRUSTED or LOGIN

TRUSTED or READ

CHANGE REQUEST MANAGEMENT SM:TMWFLOW_CMSSYSCLO/ /TMWFLOW/CMSSYSCOL2

gets tracking data from systems, asynchronously (DSWPJOB)

READ; TMWFLOW

ROOT CAUSE ANALYSIS SM:SOLMAN_DIAG_UPDATE/ RSOLDIAG_CHECK_FOR_UPDATE

Checks your Solution Manager and notifies it about the changes made to relevant data and parameters. (DSWPJOB) IMPLEMENTATION (DOCUMENT MAMANGEMENT)

Jobname (customer-specific)/ RSTIRIDX

Asynchronous indexing and de-inde xing for Document Management (manually, see also IMG -> Scenario-specific settings -> Crossscenario -> Document Management -> Servers > Connect Index Server for Full Text Search)

SM:ACCELERATE DOC USAGE/ RDMD_ACCELERATE_DOC_USAGE

Accelerates the where-used list for documents in the Solution. (DSWPJOB) THIRD PARTY PRODUCTS

Jobname (customer-specific) (customer-specific) / RS_SM_QC_REQUIREMENT_SYNC and

40

SAP Quality Center by HP send Test Requirements and receive Test Results (manually, see IMG -> Scenario-specific Settings

April 2008


Us e

RS_SM_QC_TESTRESULT_SYNC

-> Third Party Integration -> SAP Quality Center by HP


GENERAL INFRASTRUCTURE REFRESH_ADMIN_DATA_FROM_SUPPORT/ AI_SC_REFRESH_READ_ONLY_DATA

Periodically reads administrative data from SAP Support Portal (System data synchronization in SMSY)

SAP-OSS

SEND_SYSTEM_RELATIONSHIP_TO_SUPP/ AI_SC_SEND_SYSTEM_RELATIONSHIP

Periodically sends information which systems are managed by Solution Manager

SAP-OSS

SERVICE_CONNECTION_LISTENER/ AI_SC_LISTENER

Periodically checks in Solution Manager, whether a service connection is planned to be opened

SAP-OSS

LANDS CA CA PE PE FE FET C CH H/ RS RSGET _S _SM SY SY

T he he jo job ge gets sy syst em em da dat a for th th e S ol olut io ion Manager system landscape by automatic data transfer from TMS/RFC or the System Landscape Directory (SLD); Default: TMS/RFC

SM:SYNC CONTENT FROM SAP/ RDSWPBACKGROUNDSERVICES_1

(DSWPJOB -> non-active)

SM:MIGRATE_LANG_DEP_SAPSCRIPT/ MIGRATE_LANG_DEP_SAPSCRIPT; RMIGRATE_LANG_DEP_SAPSCRIPT

(DSWPJOB -> MIGRATE_LANG_DEP_SAPSCRIPT nonactive)

SM:CLEAR ARCHIVED DATA/ RDARCH_CLEAN_DATABASE


SM:DYNAMIC TABU UPDATE/ RDMD_DYNAMIC_TABU_UPDATE

Updates Updates the table contents that are necessary to operate the Solution Manager. (DSWPJOB)

SM:DMD CONSISTENCY/ RDMD_INCONSISTENCIES

Checks the data model of a solution for inconsistencies (DSWPJOB)

RDMD_INCONSISTENCIES/ RDMD_MIGRATE_OBJS_2_LANG_INDEP

(DSWPJOB)

SM:REMOVE INCONSISTENCIES/ RDMD_REMOVE_INCON

Remove inconsistencies in the data model (DSWPJOP)

SM:REORG APPLICATION LOG/ RDMD_REORG_APPLICATION_LOG

Reorganization of Application Log (DSWPJOB)

SM:REFRESH ENTRYSCREEN/ RDSMOPSOLUTIONLISTUPDATE

Update of Solution list: The status of every solution is determined for the overview list of all solutions (the access screen in Transaction SOLUTION_MANAGER) (DSWPJOB)

SM:SERVICE ASSISTANT EVENTS/ RDSVAS_EXECUTE_EVENTS


SM:HOURLY SERVICES/ RDSWPBACKGROUNDSERVICES_3


SM:UPDATE RULES/ RDSWPRULESUPDATE

A set of rules controls the services and documents that can be offered for the information about system infrastructure and processes that is maintained in the Solution Manager.(DSWPJOB)

SM:SELFDIAGNOSIS/ RDSWP_SELF_DIAGNOSIS

Update Selfdiagnosis (DSWPJOB)

SM:MIGRATE SESS DL./ RDSWP_SSA_MIGRATE_SESS_DL

(DSWPJOB)

SM:MOVE TO ARCHIVE QUEUE/ RDSWP_SSA_MOVE_2_ARCHIVE_QUEUE

Move services and sessions to archive queue (DSWPJOB)

EMAIL_NOTIFICATION (csutomer specific)/ RSCONN01 (variant SAP&CONNECTALL)

Periodic background job to send queued e-mails (manually scheduled via transaction SCOT) -> see also IMG -> Cross-scenario settings)

SM:RFC MONITORING/ RWBA_RFC_WATCHER

To check RFC-Connections. To be run hourly or daily (recommended between 10pm and 4am).

April 2008

-

41


Us e


The job executes RFCPING or RFC_PING.

42

April 2008


Trace and Log Files This section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breach does occur. System Landscape 

Update Logs



RFC Logs

Data save logs Solution Manager Implementation 



All Tabs can be traced. Each change on the tab will be recorded.



No changes of the assigned object are logged (except documents).



One can specify which project and tab will be traced.

Documentation will be versioned by each change. Solution Manager Operations 

Traces are available in Solution Directory 



All tabs can be traced. Each change on tab will be recorded. No changes of the assigned object are logged (except documents). One can specify which Solution will be traced

Documentation will be versioned by each change Customizing Distribution 



Each distribution is logged



Each distributed object is l ogged

April 2008

43


APPENDIX Security Parameters for Individual Scenarios General Remarks In the following paragraphs the main scenarios of SAP Solution Manager are described in regard to the above mentioned security parameters. For a complete description of all scenarios, see: Master Guide SAP Solution Manager . Usage data about which functionality/scenario is used by the customer is sent to SAP. See as well: SAP Note 939897 (How to disable this transfer) Service Delivery The Services Delivery scenario comprises the following main functionalities: Service Plan The Service Plan is the central instance of collaboration with SAP containing delivered Services and Services that are to be delivered later on. In this regard, customers can accept or deny SAP Services. SAP Services are sent to the customer by SAP and confirmation of Service Delivery is sent by the customer to SAP via backgroundjob or in dialog. If you do not want to send any confirmation for Services to SAP, you do not activate this functionality. If no Service Plan information is sent, SAP can only deliver limited Services. Data which is sent: - GUIDs for Service Identification Identifi cation with values YES or NO. - Delivery Date Service Plan makes use of WebDynpro Applications. Applications. In order to deliver Services a HTTP connect is needed. Expertise-on-Demand (EoD) Expertise on Demand describes the demand by a customer for an SAP expert on some topic. Solution Transfer When you transfer solutions, all productive data of your chosen solutions are transferred by default. When you made your solution known to SAP, its data are regularly updated by a backgroundjob backgroundjob.. For each individual solution you can decide whether you want to transfer only productive data, all data or no data. To disable it, see SAP Note 920153 920153.. During transfer a data download is sent to SAP via DMD_OPEN. This data package is only partially read and used by SAP. Information of logical components and business processes are bundled at SAP per customer. To view the data of a solution use report RDSMOP_VIEW_SOLUTION_XML to save (as an XML file on your desktop) the information that is sent to SAP. You can then use the Internet Explorer to view this XML file. Solution Transfer makes use of WebDynpro Applications. Applications. Service Desk (Service Provider) and Issue Management Service Desk The Service Desk allows you to create support messages in the Solution Manager system and all connected Satellite systems (see chapter RFC Destinations), Destinations), send them to SAP, and receive replies from SAP. Communication between Solution Manager and SAP Service and Support is needed. There is also the possibility to connect Third Party Service Desks via Web Services. Information on third party service desk interface is provided in service.sap.com/solutionmanager -> Media Library -> Technical Papers -> Service Desk Web Service API Issue Management In Issue Management you can distinguish between Top Issues and Issues. Top Issues bundle Issues which contain the same problem. Issues describe potential problems. In contrast to Issues, Top Issues are addressed towards Management. Issue data is sent via periodical backgroundjobs once a week after the initial transfer. Initial transfer is done via dialog. You can avoid sending data by deleting this job. If no data is sent to SAP, SAP Support can not deliver proactive support. For information on Top Issue data which is sent, see SAP Note 971138 971138.. To see the data of a Top Issue, use report RDSMOP_VIEW_TOPISSUE_XML to 44

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 save (as an XML file on your desktop) the information that is sent to SAP. You can then use the Internet Explorer to view this XML file. Issue Management makes use of WebDynpro Applications. Applications. Implementation and Distribution The Implementation and Distribution scenario is used for the implementation of customer projects. This scenario includes an implementation roadmap, an editor for creating and maintaining business blueprints, access to the Implementation Guides (IMG), and tools for testing, monitoring and distributing Customizing. Communication between Solution Manager and satellite systems is needed. Satellite Systems are connected via RFC RFC.. Solution Monitorin Monitoring g The Solution Monitoring scenario provides support for functionalities such as Service-Level Reporting, EarlyWatch Alert, System Monitoring and Business Process Monitoring. Early Watch Alert contains data on system health. The data is collected automatically in the according satellite system, send via RFC destination to the Solution Manager system, and then analyzed in Solution Manager. If you want to transfer download data of a service (EarlyWatch Alert and so on) from a satellite system into a Solution Manager system, but your satellite system has no RFC connection to the Solution Manager system, see SAP Note 657306 657306.. EarlyWatch Reports are send to SAP in case of a red rating. You can deactivate these settings in transaction SOLUTION_MANAGER, Operations Setup -> Solution Monitoring -> EarlyWatch Alert (column Send to SAP ) The solution monitoring functionality allows you to monitor the state of multiple solution landscapes. SAP Solution Manager can be used to monitor the satellite systems in a landscape, as well as all the business processes running on them. Via setup of RFC connections also the according RFC destinations for system monitoring (see IMG activity in transaction transacti on SPRO: SOLMAN_ASSIGN_RFCS) are set up. Solution Monitoring makes use of WebDynpro Applications. Applications. Change Management You can use the Maintenance Optimizer to download Support Package Stacks and Support Packages for your various satellite systems. If the RFC connection to SAP or table AISUSER (S_user (S_user)) is not maintained it is not possible to download SAP Service- and Support-Packages. Currently, the Change Request Management scenario consists of a workflow for implementing urgent corrections and support maintenance. This workflow is the result of an integration between the Service Desk and SAP Change Manager. The workflow starts with the occurrence of an error. This error is reported to the Service Desk. If the error is serious enough to warrant the immediate implementation of a correction (urgent correction), a change request is created. This request is then approved, which results in the creation of a change document. Root Cause Analysis SAP Solution Manager Diagnostics provides root cause analysis of incidents in customer solutions powered by SAP NetWeaver. It provides a read access to traces and configuration settings of SAP NetWeaver components.

April 2008

45


Examples Authorization Restriction All examples are also contained in IMG documentation. Solutions (see as well IMG activity: SOLMAN_SYST_INFORMAT) Maintain One Solution and Display All Other Solutions Problem: User A needs to use Maintenance Optimizer for a number of systems which are contained in solution XXX. He/she should not be able to do anything in all other existing solutions, but should be able to see them. Solution: role SAP_SM_SOLUTION_DIS needs to be maintained with authorization object D_SOL_VSBL. D_SOL_VSBL needs to be copied and maintained with act. 02 and solution ID for solution XXX. The role for Maintenance Optimizer SAP_MAINT_OPT_ADMIN is granted as well. Explanation: D_SOL_VSBL with 03 + * and 02 + gives authorization to display all solutions but only editing rights for one specific solution. Only for within the solution with editing rights the user is able to work with Maintenance Optimizer. Create Solution and Display All Problem: User A should be able to create solutions and display XXX and YYY. Solution: In role SAP_SM_SOLUTION_ALL authorization object D_SOL_VSBL can be maintained as follows: remove activities 02 + 06 (leaving 01 + 03) for solution-IDs for XXX and YYY. Explanation: Activity 01 is independent of solution-IDs. Activity 03 grants display only for the mentioned solutions. Project Administration (see as well IMG activity: SOLMAN_RECOMMEND -> authorizations -> Project Administration) Restriction of System Landscape Problem: The system administrator creates the system landscape for your project. The project manager maintains all other data for the project, in the project administration. Your system administrator should not have access to other project data than the system landscape. Solution: In role SAP_SOL_PROJ_ADMIN_* (contained in composite role SAP_SOL_*_COMP) he/she should receive the value 03 (display) for S_PROJECT and SYST (access to system landscape maintenance in a project) for S_PROJ_GEN. Digital Signature (see as well IMG activity: SOLMAN_DIGSIG_INFORM) Restriction by Authorization Group Problem: User A may execute individual signatures to which the authorization group PROD (production) has been assigned but is not allowed to execute individual signatures with authorization group QUAL (quality assurance). assurance) . Solution: In role SAP_SOL_KW_* authorization object C_SIGN_BGR, C_SIGN_BGR, he/she is assigned authorization authorizat ion PROD for PROD for field SIGNAUTH . Document Management (see as well IMG activity: SOLMAN_DOCU_INFORMAT) Unlocking of Documents Problem: You want to allow a user to unlock documents which are locked by a status schema. Solution: This can be controlled with the authorization object S_IWB and the activity 95. Project Restriction

46

April 2008

Security Guide: SAP Solution Manager 7.0 as of SP16 Problem: You want users who are assigned to a project to only be able to search for, edit or display the documents for this project. Solution: This can be done with the combination of folder group and project authorizations. When documents are created for a project, the system puts them in a folder group which is assigned to the project, and its name, e.g. the folder group with the name is assigned to the project . You restrict the following authorization object: 

S_PROJECT with field PROJECT_ID



S_IWB and S_IWB_ATTR with field IWB_FLDGRP

Solution Monitorin Monitoring g (see as well IMG activity: SOLMAN_MON_INFORMATI) Session Restriction Problem: The authorization object D_SOLMANBU controls the allowed activities for each session (BundleID), for the scenario Solution Monitoring. You want to restrict access to the Self-Service SAP EarlyWatch Health Check . SAP delivers no default role for this session. Solution: Copy the role SAP_OP_DSWP, and give the authorization object D_SOLMANBU the BundleID EW_SELF. Monitoring Graphic Restriction Problem: You want the user to able to display the Monitoring Graphic, but no further access to alerts or CSA sessions. Solution: Solution: In role SAP_OP_DSWP in authorization object D_SOLM_ACT remove activities 80 and 81.

April 2008

47

SAP Security - Solution Manager

Recommend Documents