SECURITY GUIDE
SAP Solution Manager 7.0 as of SP16

Target Audience
Technology consultants
System administrators
Service Desk

Scenarios:
Implementation of SAP Solutions
Upgrade of SAP Solutions
Change Management
Solution Monitoring
Delivery of SAP Services
Root Cause Analyses

April 2008
SAP AG, Neurottstraße 16, 69190 Walldorf, Germany. T +49/18 05/34 34 24, F +49/18 05/34 34 20, www.sap.com
© Copyright 2008 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix and Informix® Dynamic Server™ are trademarks of IBM Corp. in USA and/or other countries.
ORACLE® is a registered trademark of ORACLE Corporation.
UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
JAVA® is a registered trademark of Sun Microsystems, Inc.
J2EE™ is a registered trademark of Sun Microsystems, Inc.
JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP, mySAP.com, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. MarketSet and Enterprise Buyer are jointly owned trademarks of SAP Markets and Commerce One. All other product and service names mentioned are the trademarks of their respective owners.

Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.
Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace
You can find this documentation at the following address: http://service.sap.com/instguides
Security Guide: SAP Solution Manager 7.0
Typographic Conventions

Type Style | Represents
Example text | Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, titles of graphics and tables.
EXAMPLE TEXT | Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.
Example text | Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code as well as names of installation, upgrade and database tools.
Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.
EXAMPLE TEXT | Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.

Icons
Icon | Meaning
(icon images not reproduced) | Caution, Example, Note, Recommendation, Syntax
Content
Content ... 4
History of Changes ... 5
Quick Links to Additional Information ... 6
Recommendations for Additional Components ... 6
Introduction ... 8
System Landscape ... 8
Network and Communication Security ... 10
User Administration and Authentication ... 14
Authorizations ... 16
Background jobs ... 39
Trace and Log Files ... 43
APPENDIX ... 44
Security Parameters for Individual Scenarios ... 44
Examples Authorization Restriction ... 46
History of Changes
This Security Guide is updated with each new Support Package Stack in SAP Service Marketplace at service.sap.com/instguides -> SAP Components -> SAP Solution Manager -> . This document is not included as part of the Installation Guide, Configuration Guide, Sizing Guide or Upgrade Guide. Those guides are only relevant for a certain phase of the software life cycle, whereas the Security Guide provides information that is relevant for all life cycle phases.
The Solution Manager is built on mySAP Customer Relation Management 2005 and SAP NetWeaver. Therefore, the corresponding Security Guides also apply to the Solution Manager. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below. For a complete list of the available SAP Security Guides, see the Quick Link securityguide on the SAP Service Marketplace.
Information on Solution Manager Diagnostics may not be complete in this Guide. For security topics on Diagnostics, see: service.sap.com/diagnostics -> Installation and Upgrade.
Make sure you have the latest version of the Security Guide. The following table provides an overview of the most important changes that were made in the latest versions:

Date of Update: SP15, 06.02.2008
Topic:
- This Security Guide is based on the currently available Guide: Authorization Concept of SAP Solution Manager as of SP09.
- Topic on Authorization moved from Configuration Guide to Security Guide and/or IMG (transaction SPRO), e.g. roles moved to additional documentation in IMG documents (e.g. roles for scenario Issue Management can be found either in the overview on roles in the Security Guide or in more detail in the according IMG documentation for Issue Management).
- New roles for solution authorization. Authorization object D_SOL_VSBL is now included in roles SAP_SM_SOLUTION_*. The authorization object is deactivated in all other roles. See chapter: Roles in Solution Manager for an overview. It needs to be granted in addition to the role for the functionality, e.g. Maintenance Optimizer. See examples in the APPENDIX.
- New roles for: Job Scheduling; Issue Management; Maintenance Optimizer (additional). See chapter: Roles in Solution Manager.
- New roles for Work Center approach, see chapter Work Center Roles and the according example.
- Composite role SAP_SM_BPMO_COMP for background user SM_BPMO. See chapter Communication Destinations.

Date of Update: SP16, 28.04.2008
Topic:
- New roles for: Solution Documentation Assistant (see chapter: Roles in Solution Manager and chapter Work Center Roles); Third Party Product: BMC AppSight for SAP Client Diagnostics (see chapter: Roles in Solution Manager).
- Name change: SAP Solution Manager 4.0 becomes SAP Solution Manager 7.0.
Documentation types in the software life cycle (figure not reproduced):
For a detailed overview of which documentation is relevant for each individual phase, see SAP Note 1088980. We strongly recommend that you use the documents available there. The guides are regularly updated.
Quick Links to Additional Information

Content | Note...
Security | service.sap.com/security
Security Guides | service.sap.com/securityguide
Related SAP Notes | service.sap.com/notes
Technical infrastructure / Network security | service.sap.com/network
SAP Solution Manager | service.sap.com/solutionmanager
Recommendations for Additional Components
The following table lists further useful information for additional components:

Content | Note...
Diagnostics | See the according documents for installation and configuration: service.sap.com/diagnostics
System Landscape Directory | service.sap.com/sld
Software Lifecycle Manager | service.sap.com/slm
Adobe Document Services | service.sap.com/adobe
Business Intelligence | service.sap.com/bi
SAP Quality Center by HP | service.sap.com/solutionmanager
SAP Redwood Job Scheduling | service.sap.com/job-scheduling
Master Guide SAP NetWeaver 7.0 | service.sap.com/installNW70
One Transport Order | service.sap.com/solutionmanager -> Media Library -> Technical Papers
Help on Application Usage for Solution Manager; links to further documentation for SAP NetWeaver, SAP Business Suite | help.sap.com
Help on SAP NetWeaver (ABAP and Java) for additional components | help.sap.com/nw70 -> Functional View -> Solution Lifecycle Management -> Software Lifecycle Management
Introduction
This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to SAP Solution Manager. To assist you in securing SAP Solution Manager, we provide this Security Guide.
When analyzing the security risk for Solution Manager and your system landscape, you should be able to answer the following questions:
- What are your security requirements in regard to availability, confidentiality and data integrity?
- Are there any threats (and how relevant are they) that could compromise your security?
- What are the measures (and costs) that are to be undertaken to safeguard the system?
System Landscape
Architecture
Solution Manager works with the ABAP stack and the Java stack (the Java stack for Solution Manager Diagnostics only). It runs on a SAP CRM 5.0 server. To use Solution Manager you need SAP GUI or a Web browser (in the case of work center functionality). Communication with other systems works via RFC technology and via Web Services. For more information on the appropriate usage types, see the Master Guide Solution Manager on service.sap.com/instguides -> SAP Components -> SAP Solution Manager -> .
The figure below shows an overview of the technical system landscape for the Solution Manager (including its satellite systems and SAP Service and Support).
Figure (not reproduced): technical system landscape. Elements shown: Content Development at SAP (Business Process Repository (BPR), Product Planning and Maintenance System (PPMS), Master Component Repository (MCR), Knowledge Warehouse (KW)); SAP Service & Support (Service Delivery, Problem Message Handling, SAP Change Manager); Solution Manager System (SAP Solution Manager with Support Desk, Software Lifecycle Management (SLM), System Landscape Directory (SLD), Change Request Manager, CRM Server, Computing Center Management System (CCMS), Process Management Infrastructure (PMI)); Satellite System(s) (Computing Center Management System (CCMS), Service Data Control Center (SDCC), Implementation Guide (IMG)). The systems are connected via RFC.
Scenarios
Solution Manager is a tool which supports your whole product life cycle, that is, the life cycle of your business processes and systems within ONE single system/platform. According to these aspects of the product life cycle, various scenarios can be differentiated. A scenario describes a grouping of functionalities which support the sequential and logical relationships of processes within the life cycle of the product. Therefore, we differentiate between scenarios (e.g. 1. Implementation/Upgrade of SAP Solutions), processes (e.g. Roadmap) and additional functionalities (e.g. Document Management).
Figure (not reproduced): scenarios and the processes grouped under each.
Implementation/Upgrade of SAP Solutions: Roadmap, Project Management, Business Blueprint, Configuration, Test Management, E-Learning, Solution Documentation Assistant
Solution Monitoring: EarlyWatch Alert, Service Level Reporting, System Administration, System Monitoring, Bus. Process Monitoring, Solution Reporting
Change Management: Maintenance Optimizer, Change Request Management, Job Scheduling
Service Desk: Service Desk Standard Usage, Service Providers, Third Party Interface
Delivery of SAP Services: Issue Management, Onsite/Remote Service, Service Plan, Expert-on-Demand
Root Cause Analyses
PLUS (used across scenarios): System Landscape (SMSY), Service Data Control Center (SDCCN), Solution Design (SOLMAN_DIRECTORY), Customizing Distribution, Rollout, Work Center, BI - Analysis, Third Party Product Integration
Network and Communication Security
Network Topology
Your network infrastructure is extremely important in protecting your system. It needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for the Solution Manager is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Solution Manager.

Communication Channels
The table below shows the communication channels used by the Solution Manager, the protocol used for the connection, and the type of data transferred.

Communication Channel | Protocol used | Type of Data transferred
Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of Services
Solution Manager to OSS Secure Area | HTTP(S) | Logon data to systems opened for SAP Support
Solution Manager to Satellite Systems and back | RFC | See chapter RFC connections
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
Solution Manager Support Desk to Third Party Support Desks | SOAP | Problem Messages
Solution Manager to Quality Center by HP | SOAP | Test Requirements
Communication Destinations
The figure below shows an overview of the communication destinations used by Solution Manager (including its satellite systems, Third Party Products and SAP Service and Support).
Figure (not reproduced): SAP Solution Manager at the customer side connects via http(s) to the SAP SMP and to Third Party Products; via RFC to OSS (O01) with the destinations SAPOSS, SAP-OSS, SAP-OSS-LIST-O01 and SDCC-OSS; via RFC to the SAP systems with SM_CLNT_LOGIN, SM_CLNT_READ, SM_CLNT_TRUSTED and SM_CLNT_TMW, and from the satellite systems back to Solution Manager with SM_CLNT_BACK; and locally via BPM_LOCAL_.

The table below shows an overview of the communication destinations used by the Solution Manager for RFC communications (RFC Destination Name, Target Host Name, System Number, Logon Client, Logon User (Password), Use (Scenario), How Created, Notes).

To SAPNet R/3 Frontend

SAPOSS (ABAP connection)
  Target Host Name: /H/SAPROUTER /S//sapserv /H/oss001
  System Number: 01
  Logon Client: 001
  Logon User (Password): OSS_RFC (CPIC)
  Use (Scenario): Notes Assistant
  How Created: Maintain technical settings in transaction OSS1

SAP-OSS (ABAP connection)
  Target Host Name: /H/SAPROUTER /S//sapserv /H/oss001
  System Number: 01
  Logon Client: 001
  Logon User (Password): S-User (Customer-specific)
  Use (Scenario): Exchange problem messages with SAP (Scenario: Service Desk); synchronize system data with Support Portal and send data about satellite systems (SMSY); transfer of Solution and Issue data, transfer of feedback to SAP (Scenario: Service Delivery); Service Connection
  How Created: Transaction SOLUTION_MANAGER; menu path: Edit -> Global Settings
  Notes: A copy of the SAPOSS destination

SAP-OSS-LIST-O01 (ABAP connection)
  Target Host Name: /H/SAPROUTER /S//sapserv /H/oss001
  System Number: 01
  Logon Client: 001
  Logon User (Password): S-User (Customer-specific)
  Use (Scenario): Retrieve information about which messages have been changed at SAP (Scenario: Service Desk)
  How Created: Transaction SM59 (will be generated)
  Notes: See SAP Note 763561

SDCC_OSS (ABAP connection)
  Target Host Name: /H/SAPROUTER /S//sapserv /H/oss001
  System Number: 01
  Logon Client: 001
  Logon User (Password): OSS_RFC (CPIC)
  Use (Scenario): Used by the Service Data Control Center to communicate with the SAPNet R/3 Frontend system; update Service Definitions (Scenarios: Solution Monitoring for EWA and Service Plan)
  How Created: A copy of the SAPOSS destination to SDCC_OSS; a new user SDCC_NEW with password "download" is used

SAPNET_RFC (ABAP connection)
  Target Host Name: /H/SAPROUTER /S//sapserv /H/oss001
  System Number: 01
  Logon Client: 001
  Logon User (Password): S-User (Customer-specific)
  Use (Scenario): Send EarlyWatch Alerts (Scenarios: Solution Monitoring for EWA and Service Plan)
  How Created: A copy of the SAPOSS destination to SAPNET_RFC

SAP-SMP (HTTP connection)
  Target Host Name: websmp230.sap-ag.de; Service no. 80; Path prefix: /sap/bc/bsp/spn/swdc/slm/
  Use (Scenario): To send an up-to-date version of the component ST-SER for delivery of Services by SAP Active Global Support (Scenario: Service Delivery)
  How Created: Transaction SM59

SAPNET_RTCC (ABAP connection)
  Target Host Name: /H/SAPROUTER /S//sapservX /H/oss001
  System Number: 01
  Logon Client: 001
  Logon User (Password): OSS_RFC (CPIC)
  Use (Scenario): Service Preparation Check (RTCCTOOL) (Scenario: Service Delivery)
  How Created: Created automatically by RTCCTOOL; copy of SAPOSS

Customer-specific RFC destinations based on SAP-OSS (ABAP connection)
  Target Host Name: as for SAP-OSS (/H/SAPROUTER /S//sapserv /H/oss001)
  System Number: 01
  Logon Client: 001
  Logon User (Password): S-User (Customer-specific, no authorization needed)
  Use (Scenario): Service Desk -> Value Added Reseller
  How Created: You automatically create customer RFCs based on RFC SAP-OSS via Report

To Satellite System from Solution Manager System

SM_CLNT_LOGIN (ABAP connection)
  Target Host Name: Customer-specific
  System Number: Customer-specific
  Logon User (Password): empty
  Use (Scenario): Execute transactions (Scenarios: Solution Monitoring and Implementation and Distribution)
  How Created: Transaction SMSY

SM_CLNT_READ (ABAP connection)
  Target Host Name: Satellite System-specific
  System Number: Satellite System-specific
  Logon User (Password): Default user: SOLMAN (will be generated)
  Use (Scenario): For read access (Scenarios: Solution Monitoring and Implementation and Distribution)
  How Created: Transaction SMSY

SM_CLNT_TRUSTED (ABAP connection)
  Target Host Name: Satellite System-specific
  System Number: Satellite System-specific
  Logon User (Password): empty
  Use (Scenario): Log on through a trusted connection (Scenarios: Solution Monitoring and Implementation and Distribution)
  How Created: Transaction SMSY

SM_CLNT<Satellite client>_TMW (ABAP connection)
  Target Host Name: Satellite System-specific
  System Number: Satellite System-specific
  Logon User (Password): Default user: SOLTMW (will be generated)
  Use (Scenario): For creating and releasing transport requests (Scenarios: Solution Monitoring and Implementation and Distribution)
  How Created: Transaction SMSY

From Satellite System to Solution Manager System

SM_CLNT_BACK (ABAP connection)
  Target Host Name: Solution Manager System-specific
  System Number: Customer-specific
  Logon User (Password): Default user: SOLMAN (will be generated)
  Use (Scenario): Send Service Desk messages, send session data, check locked customizing objects (Scenarios: Service Desk, Solution Monitoring and Implementation and Distribution)
  How Created: Transaction SMSY

Local System (Solution Manager)

BPM_LOCAL_ (ABAP connection)
  Target Host Name: empty
  System Number: empty
  Logon Client: Client used for Business Process Monitoring
  Logon User (Password): SM_BPMO (Customer-specific)
  Use (Scenario): Business Process Monitoring (Scenario: Solution Monitoring)
  How Created: During Business Process Monitoring Setup
  Notes: SAP_SM_BPMO_COMP includes SAP_SM_S_CSMREG (acc. to profile: S_CSMREG), SAP_SUPPDESK_CREATE and SAP_IDOC_EVERYONE

CCMSPING (Registered Server Program -> Program ID: .ccmsping.00)
  Logon User (Password): CSMREG
  Use (Scenario): Service Level Reporting with CCMSping
You can find the current list of all ports used by SAP in the document "TCP/IP Ports Used by SAP Applications" in SAP Service Marketplace: service.sap.com/security -> Security in Detail -> Infrastructure Security. The following table displays all TCP/IP default ports used for Solution Manager Diagnostics:

System | Ports used on Solution Manager Diagnostics Server | Ports used on each monitored Satellite System | Open in SAProuter tab
ABAP Gateway | 33nn (nn: instance no.), e.g. 3301 | |
HTTP Port of J2EE Engine | 5nn00 (nn: instance no. of SMD), e.g. 50100 | 5nn00 (nn: instance no. of managed system), e.g. 50200 | X
P4 | 5nn04 (nn: instance no. of SMD), e.g. 50104 | |
Database | | depends on DBMS, e.g. 1433 on MS SQL Server |
Introscope | 6001 (Listener port) | 6001 |
LoadRunner | 5001 (Load Generator) | |
J2EE standalone logviewer | | 26000 |
For details, refer to the Advanced Diagnostics Setup Guide.
SSL (Secure Socket Layer) for HTTP Connections
BSP Applications and WebDynpro technology
Interfaces such as BSP and WebDynpro need HTTP/S. Web Dynpro for ABAP (WD4A, WDA) is the SAP standard UI technology for developing Web applications in the ABAP environment. Most scenarios in Solution Manager use either BSP or WebDynpro technology. The Internet Communication Framework (ICF) provides the infrastructure for handling HTTP requests in work processes in an SAP system (server and client). It enables you to use standard protocols (HTTP, HTTPS, and SMTP) to operate communications between systems through the Internet. You do not need any additional SAP program libraries (other than the SAP Web Application Server). The only condition is that your system platform is Internet-compliant. This gives you a maximum amount of flexibility in responding to varying communication requirements. Communications operated through the ICF have the following benefits:
- Increased security: The HTTPS protocol guarantees secure data transmission at the same level as modern security standards for RFC/SNC communication and other interfaces.
- Increased flexibility: Using the ICF, the user can open a connection to an SAP system across the Internet from any location. After you install the Web Application Server, all Internet Communication Framework (ICF) services are delivered as inactive for security reasons. To activate them, see IMG for Solution Manager -> Basic Settings -> Standard Configuration -> Activate HTTP Services (transaction SPRO).
- Reduced technological barriers: The open HTTP standard is used worldwide, which makes it efficient to install and configure.

Setting up SSL
It is strongly recommended to set up SSL for SAP NetWeaver AS (ABAP and Java); for Maintenance Optimizer and SLM, for example, it is necessary. See: Online Help on System Security for SAP Web AS ABAP and Java on service.sap.com/security -> Media Library -> Literature.
Relevant information sources

Information Source | Note
SAP Note 510007 | Setting Up SSL on the Web Application Server (procedure on how to set up SSL)
SAP Note 1000000 | Web Dynpro ABAP FAQ (general authorization checks for services and applications are available over the ICF)
SAP Note 938809 | Web Dynpro ABAP checklist for creating problem messages (if you create an error message for WebDynpro ABAP under component BC-WD-ABA, see the checklist in this SAP Note)
SAP Note 810159 | Subsequent installation of SAP JAVA CRYPTO TOOLKIT
help.sap.com/nw2004s | Application help for security topics connected to ICF services
service.sap.com/instguides -> SAP Components -> SAP Solution Manager | Installation Guide
service.sap.com/security -> Media Library -> Literature | System Security for SAP Web AS ABAP and Java (help on setting up system security for ABAP and Java)
HTTP Connect Service for SAP Support
Due to the firewall between customer systems and SAP systems it is not possible to display pages of BSP or WebDynpro applications in SAP Solution Manager using standard Service or Support connections. To receive support from SAP for these technology types you need to set up an HTTP Connect Service. To do so, follow the description in SAP Note 1072324. You need to maintain this connection for onsite and remote support. To secure this HTTP connection for remote support, use HTTPS.
User Administration and Authentication
General
The Solution Manager uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP Web Application Server ABAP. If you use Solution Manager Diagnostics, the user management and authentication mechanisms provided with the SAP Web Application Server Java are used, too. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide and the SAP NetWeaver Application Server Java Security Guide also apply to Solution Manager.

User Management Tools
User management for SAP Solution Manager uses the mechanisms provided by the SAP NetWeaver Application Server ABAP and Java, for example, tools (ABAP: SU01 and Java: UME), user types, and password policies. For an overview of how these mechanisms apply to the Solution Manager, see the sections below. In addition, we provide a list of the standard users required for operating the Solution Manager. As the mechanisms provided by the SAP NetWeaver Application Server Java only apply to Solution Manager Diagnostics, consult the according guide on service.sap.com/diagnostics.

Standard Users
The table below shows the standard users that are necessary for operating the Solution Manager (Logon User (Password), Use, How Created, Required Roles (Authorizations)).

OSS_RFC (CPIC)
  Use: Notes Assistant; Update Service Definitions; Service Preparation Check (RTCCTOOL)

S-User (Customer-specific)
  Use: Exchange problem messages with SAP; retrieve information about which messages have been changed at SAP
  How Created: The S-user for the SAP Support Portal is requested via www.service.sap.com
  Required Roles (Authorizations): See chapter: S-User authorizations

SOLMAN (Customer-specific)
  Use: For read access; Scenarios: Solution Monitoring, Implementation and Distribution; Service Desk; Change Management
  How Created: Transaction SMSY, automatically generated
  Required Roles (Authorizations): See chapter: RFC Connections READ, TMW, BACK

SOLTMW (Customer-specific)
  Use: Change Request Management
  How Created: Transaction SMSY, automatically generated
  Required Roles (Authorizations): See chapter: RFC Connections READ, TMW, BACK

SOLMAN<_Version> (Customer-specific)
  Use: Only required if SMSY is not used to generate RFC destinations
  How Created: Transaction SMSY, automatically generated
  Required Roles (Authorizations): See chapter: RFC Connections READ, TMW, BACK

CSMREG (Customer-specific)
  Use: For data collection (to get CCMS alerts); Business Process Monitoring; required if CCMSPing for Service Level Reporting in scenario Solution Monitoring is used
  How Created: RZ10
  Required Roles (Authorizations): See chapter: RFC Connections READ, TMW, BACK and Background Users

SLDAPIUSER (Customer-specific)
  Use: To send data from SAP Solution Manager to SLD
  How Created: During installation
  Required Roles (Authorizations): -

SAPJSF (Service User)
  Use: To read data from SLD
  How Created: During installation
  Required Roles (Authorizations): SAP_BC_JSF_COMMUNICATION_RO

Service User J2EE_ADMIN (Customer-specific)
  Use: Context: Application integration infrastructure (SLD): user who is able to write on the database tables of the SAP System Landscape Directory (SLD); user who makes the RFC calls from the SLD. Context: J2EE Administration: user who has administrator rights in a connected SAP J2EE Engine. Used to attach a local UME to the central ABAP user management.
  How Created: During installation
  Required Roles (Authorizations): SAP_BC_AI_LANDSCAPE_DB_RFC; SAP_J2EE_ADMIN

Service User J2EE_GUEST (Customer-specific)
  Use: Users who have guest authorizations in a connected SAP J2EE Engine
  How Created: During installation
  Required Roles (Authorizations): SAP_J2EE_GUEST
Security Guide: SAP Solution Manager 7.0 as of SP16 Integration into Single Sign-On Environments (SSO) SAP Solution Manager uses different front ends (SAP GUI and Web browser - in this case, an HTML Control). Multiple sessions are opened on the server that require, for example, a second logon. The user uses SAP GUI to log on to a system, the application uses the SAP GUI for HTML Control to call another BSP application, and the system then prompts the user to reenter the logon data. The Solution Manager supports the Single Sign-On (SSO) mechanisms provided by the SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide (SAP Library) also apply to the SAP Solution Manager. The supported mechanisms are listed below:
Secure Network Communications (SNC) SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls. For more information, see Secure Network Communications (SAP Library) in the SAP NetWeaver Application Server ABAP Security Security Guide.
SAP logon tickets
The Solution Manager supports the use of logon tickets for SSO when using a Web browser to access Solution Manager documents via URLs from outside. In this case, users can be issued a logon ticket after they have authenticated themselves with the Solution Manager system. The ticket can then be submitted to the system as an authentication token each time the users access documents via URLs from within the same browser session. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.
For more information on how to use Single Sign-On on the SAP Service Marketplace go to: service.sap.com/sso-smp.
Authorizations
Authorization Concept in General
For ABAP Systems
Authorizations can be displayed by roles (for systems with Basis >= Web Application Server 6.10) or profiles (for systems with Basis < Web Application Server 6.10). For systems with Basis >= Web Application Server 6.10, an authorization is based on specific transactions and so-called authorization objects which are inherently connected to these transactions or programs. Authorization objects consist of authorization fields. A role is always assigned to one or more authorization profiles by the profile generator (transaction PFCG). As of basis release
SAP Solution Manager Authorization Concept
This paragraph covers general concepts regarding roles and authorizations. It refers both to background users and automatically applied profiles and to the individual scenarios and the roles used in them, as far as they are relevant for SAP Solution Manager and its satellite systems. Before you start to assign any roles to users, you are strongly advised to create a thorough authorization concept. The roles mentioned in this document are delivered by SAP as template roles with a number of default values, which you need to customize according to your individual needs. All values that are generic and specific to your company have to be maintained according to your authorization concept.
The SAP Solution Manager authorization concept is based on the overall SAP authorization concept, which is relevant for all SAP systems. As SAP Solution Manager 7.0 is based on SAP NetWeaver Application Server (Application Server ABAP and Application Server Java), we recommend that you configure the User Management Engine (UME) of the Java application to use the ABAP user management (transaction SU01) of the Application Server ABAP (see SAP Reference Implementation Guide; transaction SPRO). The UME of the Application Server Java is then configured against the user management of the Application Server ABAP. SAP role assignments appear as user-to-group assignments in the UME administration console. Therefore, you have to set up UME groups that correspond to roles of the Application Server ABAP (PFCG roles). In the UME administration console, you cannot assign users or groups to the groups that correspond to SAP ABAP roles. These groups are read-only in the J2EE engine, with the exception that you can assign UME roles and security roles to them. The following figure illustrates the integration of J2EE Engine security roles, UME roles, and SAP roles.
Object | Recommended Tool
Users | Use transaction SU01 in the ABAP system(s).
PFCG roles | Use the Profile Generator (transaction PFCG) in the Solution Manager system.
J2EE security roles and UME roles | (Only applies to the Java application) Use the UME administration console to manage UME roles and the Visual Administrator of the Application Server Java to manage J2EE security roles. Both of these tools are part of Application Server Java. To integrate the Java-based authorizations supplied by J2EE security roles and UME roles with PFCG roles, you can integrate PFCG roles as groups in Application Server Java.
RFC Connection: Trusted
To work with a heterogeneous system landscape with SAP Solution Manager as the managing platform, you need to create RFC connections between SAP Solution Manager and the various Satellite systems (component systems). The appropriate Satellite or component system needs to be made known in the SAP Solution Manager system as a so-called "Trusted System", and vice versa. In other words, the server system, the "trusting system" (SAP Solution Manager system), trusts the user administration of the client system, the "trusted system" (Satellite system). Trusted systems can log on to the so-called "Trusting System" without a password; user-specific data is controlled in the trusting system. This is called a trusting/trusted RFC connection. You generate this RFC connection in the SAP Solution Manager in transaction SMSY. Trusted RFCs need to be maintained from both sides, that is, Solution Manager to Satellite system and Satellite system to Solution Manager system. In order to communicate successfully with each other, both SAP Solution Manager and the appropriate Satellite system need to have the same user name created in their user administration (transaction SU01).
If you use SAProuter between Solution Manager and Satellite systems, you might have problems with some functionalities, e.g. BSP applications or RFCs which should open a new window (session). To solve these issues, see SAP Note 555162.
Authorization Object S_RFCACL
To be able to create the trusted RFC connection, the current user needs the authorization object S_RFCACL assigned both in the Solution Manager and in the Satellite system. The role SAP_S_RFCACL (as of SAP NetWeaver Application Server 7.00) contains the authorization object S_RFCACL, which consists of a number of authorization fields that allow a trusting/trusted relation between SAP Solution Manager and any Satellite system. Due to the high potential risk of such an RFC connection, the authorization object S_RFCACL is not included in SAP_ALL. In order to restrict user access, you need to maintain the field RFC_USER of this authorization object with the value ' '. The trusting RFC destination usually has the 'Current User' setting in SM59. For more information, see help.sap.com/nw70.
Authorization errors in the usage of an RFC destination with the 'Trusted Systems' indicator set are documented by the following message: "No Authorization to logon as Trusted System (Trusted RC = #)". Every authorization error when using an RFC destination with the 'Trusted Systems' indicator set is designated as a RABAX (ABAP exception). This RABAX contains detailed error information. Proceed as follows to analyze the error:
1. Choose transaction ST22 and the desired selection period.
2. Choose the corresponding entry under the user SAPSYS and the program name CALL_FUNCTION_SYSCALL_ONLY. In the paragraph 'Troubleshooting' you will find all the necessary information to correct the error.
Return code | Explanation | To do
0 | Invalid logon data (user and client) for the Trusting System | Create a corresponding user in the client system for the user in the server system (Trusting System)
1 | The calling system is not a Trusted System, or the security ID for the system is invalid. | Create the Trusted RFC again.
2 | The user has no authorization containing the authorization object S_RFCACL, or is logged on as the protected user 'DDIC' or 'SAP*'. | Either supply the user with the corresponding authorization or do not use the protected users 'DDIC' or 'SAP*' (see profile parameter and value: login/no_automatic_user_sapstar = 0)
3 | The time stamp of the logon data is invalid. | Check the system time on the client and on the server and the validity date of the logon data. The system times of both systems have to be synchronised.
Now you can start to set up your system landscape with SAP Solution Manager as the central platform.
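The S_RFCACL rule above (field RFC_USER maintained with the value ' ', the object kept out of SAP_ALL) can be checked against a role export. The following Python script is an added example and not part of this guide: it assumes a CSV export in the shape of table AGR_1251 (role authorization data) with the columns AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH; the role names and sample rows are constructed, and the additional check for '*' in RFC_SYSID and RFC_CLIENT goes beyond the guide's rule.

```python
"""Audit S_RFCACL field values of trusted-RFC authorizations.

Added example, not part of the SAP Solution Manager Security Guide. The input
is a constructed CSV export in the shape of table AGR_1251 (role authorization
data): one row per field value of an authorization instance. Column names,
role names and sample rows are assumptions. The check applies the guide's rule
that the field RFC_USER is maintained with the value ' ' (blank) and, in
addition, reports wildcard system IDs and clients, since a trusted-RFC
authorization should name the satellite system it is meant for.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (assumed AGR_1251-like layout):
# Z_SM_TRUST_DT1 is limited to one system, one client and the same user name;
# Z_SM_TRUST_ANY accepts any system, any client and any user name.
SAMPLE_EXPORT = """\
AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_SM_TRUST_DT1,S_RFCACL,T-SM000001,RFC_SYSID,DT1,
Z_SM_TRUST_DT1,S_RFCACL,T-SM000001,RFC_CLIENT,800,
Z_SM_TRUST_DT1,S_RFCACL,T-SM000001,RFC_USER, ,
Z_SM_TRUST_DT1,S_RFCACL,T-SM000001,ACTVT,16,
Z_SM_TRUST_ANY,S_RFCACL,T-SM000002,RFC_SYSID,*,
Z_SM_TRUST_ANY,S_RFCACL,T-SM000002,RFC_CLIENT,*,
Z_SM_TRUST_ANY,S_RFCACL,T-SM000002,RFC_USER,*,
Z_SM_TRUST_ANY,S_RFCACL,T-SM000002,ACTVT,16,
Z_SM_READ_ONLY,S_RFC,T-SM000003,RFC_NAME,SYST,
"""

AUDITED_OBJECT = "S_RFCACL"
# Fields whose value '*' widens the trust relation beyond one satellite system.
SCOPE_FIELDS = ("RFC_SYSID", "RFC_CLIENT")


def parse_export(text):
    """Group S_RFCACL rows into {(role, auth): {field: [values]}}.

    The field values of one authorization instance (AGR_NAME + AUTH) belong
    together and have to be judged as a set, not row by row.
    """
    auths = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(text)):
        if row["OBJECT"] != AUDITED_OBJECT:
            continue  # other objects (e.g. S_RFC) are out of scope here
        low, high = row["LOW"].strip(), row["HIGH"].strip()
        value = f"{low}-{high}" if high else low  # keep ranges visible
        auths[(row["AGR_NAME"], row["AUTH"])][row["FIELD"]].append(value)
    return auths


def audit(auths):
    """Return findings as (role, auth, severity, message) tuples."""
    findings = []
    for (role, auth), fields in sorted(auths.items()):
        users = fields.get("RFC_USER", [])
        if not users:
            findings.append((role, auth, "medium", "RFC_USER is not maintained"))
        elif any(user != "" for user in users):
            findings.append((role, auth, "high",
                             f"RFC_USER is {users}; the guide requires ' ' (blank)"))
        for field in SCOPE_FIELDS:
            if "*" in fields.get(field, []):
                findings.append((role, auth, "medium",
                                 f"{field} is '*': trust is not limited to one satellite system"))
    return findings


def audit_export(text):
    """Parse an export and audit it in one call."""
    return audit(parse_export(text))


if __name__ == "__main__":
    for role, auth, severity, message in audit_export(SAMPLE_EXPORT):
        print(f"{severity.upper():6} {role} ({auth}): {message}")
```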
RFC Connections READ, TMW, BACK
Before you can use all the scenarios mentioned, you need to set up your system landscape in the Solution Manager, which includes:
defining all your systems (referred to as Satellite systems),
creating appropriate logical components,
assigning your Satellite systems to the logical components,
setting up your solution design.
The transfer of data between SAP Solution Manager and its Satellite systems is managed by the corresponding RFC connections:
READ (SM_<SID>CLNT<Client>_READ): Used for transfer of data, e.g. in Customizing Distribution, Change Request Management, Service Desk, Root Cause Analysis, Monitoring. SID and Client refer to the connected satellite system.
TMW (SM_<SID>CLNT<Client>_TMW): Used for Change Request Management; allows remote creation of transport requests with tasks for the designated developers in the development systems. SID and Client refer to the connected satellite system.
TRUSTED (SM_<SID>CLNT<Client>_TRUSTED): Enables, e.g., customizing data transfer from the source to the target system and entering analysis transactions for System Monitoring and Business Process Monitoring (as described in chapter: RFC Connection: Trusted). SID and Client refer to the connected satellite system.
BACK (SM_<SID>CLNT<Client>_BACK): Used to send SDCCN data or messages from a satellite system to the SAP Solution Manager system; to check locked customizing objects against changes in the scenario Customizing Distribution; provides integration of Change Request Management into the Service Desk. This RFC destination needs a functioning READ destination. SID and Client refer to the SAP Solution Manager system.
In order to create them as easily as possible, the system generates so-called automatically created background users for the appropriate RFC connections when you execute the RFC generation in transaction SMSY. These users are automatically assigned the corresponding profiles to allow a smooth data transfer. In the following screen shot you can see three screen partitions:
RFCs from the Solution Manager to the Satellite system
RFCs from the Satellite system to the Solution Manager
RFCs that are to be generated, including RFCs for System Monitoring: information retrieval via the RFC Destination for Data Collection and analysis via the RFC Destination for Analysis.
As you can see, for the READ, TMW and BACK RFC connections the system provides you with a user which is automatically created in the Satellite system as soon as you generate this RFC connection. These users are also automatically assigned the corresponding profiles. If you want to use an already existing user of your Satellite system, you enter this user and optionally specify the password. In this example, DT1 CLNT 800 is the Solution Manager system and ID3 CLNT 800 is the Satellite system; users and passwords will be automatically generated by the system.
Profiles Assigned to Background System Users
User | Role (Release >= 6.10) in Satellite system | Profile (< 6.10) in Satellite system | Purpose
SOLMAN | SAP_S_CUS_CMP | S_CUS_CMP | Data read access
SOLMAN | SAP_S_CMSREG | S_CMSREG | Central system repository data
SOLMAN | SAP_S_BDLSM_READ | S_BDLSM_READ | Read SDCCN data
SOLMAN | SAP_SATELLITE_E2E | S_AI_SMD_E2E | End-to-End Diagnose (Solution Manager Diagnostics)
SOLMAN | SAP_SM_S_USER_GRP | S_USER_GRP | User Group Display of all users for Licence Administration Workbench (LAW) and Business Partner
SOLTMW | SAP_S_CUS_CMP | S_CUS_CMP | Data read access
SOLTMW | SAP_S_CMSREG | S_CMSREG | Central system repository data
SOLTMW | SAP_S_BDLSM_READ | S_BDLSM_READ | Read SDCCN data
SOLTMW | SAP_S_TMW_CREATE | S_TMW_CREATE | For creating and releasing transport requests in development systems as well as for setting the project status switch for creating transport requests
SOLTMW | SAP_S_TMW_IMPORT | S_TMW_IMPORT | For importing transport requests into test systems (empty)
The most important task of this background user is to create and release transport requests and tasks remotely from Change Request Management. Requests that are created in this way are known to Change Request Management, which means that Change Request Management can control the distribution of these requests within the landscape. 1)
SOLMAN<_Version> | SAP_S_CUS_CMP | S_CUS_CMP | Data read access
SOLMAN<_Version> | SAP_S_CMSREG | S_CMSREG | Central system repository data
SOLMAN<_Version> | SAP_SV_FDB_NOTIF_BC_ADMIN | | Service Desk Messages
SOLMAN<_Version> | SAP_SUPPDESK_CREATE | | Service Desk Message Creation
SOLMAN<_Version> | SAP_S_BDLSM_READ | S_BDLSM_READ | SDCCN data
These profiles are more or less static. You will also find the corresponding roles (with prefix SAP_), which you would have to assign manually to the created users. These can easily be maintained. In case of RFC problems after generation, see SAP Note 176277: Generating RFC trace information.
Authorization Object S_RFC to Call Function Groups
For certain scenarios, certain function groups are needed. In order to start RFC functions from certain function groups, users need to have the authorization object S_RFC in the trusting system (SAP Solution Manager system) as server system; it is included in the corresponding roles for the individual scenarios (see later chapters). For instance, the "SYST" function group is needed to call a system. If it is missing, executing the remote login in SM59 causes the "RFC_NO_AUTHORITY" ABAP runtime error in the target system.
1) Requests that are created, released, or imported locally cannot be identified by Change Request Management in conjunction with a change request and are therefore not part of the Change Request Management transport control and distribution process. For this reason, we recommend that no users (apart from administrators) have authorization to create transport requests or tasks in Change Request Management-controlled clients.
It is also needed in the Satellite systems. Authorization object S_RFC in the Satellite system is included in the automatically generated profiles. The following table gives you an overview of the appropriate field values for the field RFC_NAME needed for authorization object S_RFC in the profiles S_CUS_CMP, S_CSMREG and D_SOLMAN_RFC:
S_RFC Profile | Function Group Values in Field RFC_NAME
S_CUS_CMP | See SAP Note attachment: 831535
S_CSMREG | See SAP Note attachment: 831535
D_SOLMAN_RFC | See SAP Note attachment: 831535
Authorization Roles and Profiles in the SAP Solution Manager System
Due to the system landscape of SAP Solution Manager system and Satellite systems, it is necessary to assign users the corresponding roles in the SAP Solution Manager, including Diagnostics, as well as in the Satellite system (so-called Managed Systems with respect to Diagnostics). As most of the mentioned scenarios include actions in the SAP Solution Manager as well as information and data exchange between SAP Solution Manager and its Satellite systems, we differentiate for each scenario and process between roles for the SAP Solution Manager and corresponding roles (systems with Basis >= Web Application Server 6.10) or profiles (systems with Basis < Web Application Server 6.10) in the various Satellite systems.
For details on all roles concerning Diagnostics, refer to the Diagnostics Guides on the SAP Service Marketplace: service.sap.com/diagnostics -> Installation and Upgrade Guides. The table below provides an overview of the roles and profiles for the SAP Solution Manager system. For the Application Server Java, the default user store is the ABAP database, thus users have to be created within transaction SU01 only.
For the corresponding scenarios, users also have to be assigned the corresponding roles in the Satellite systems.
Solution Manager roles (for individual examples, see APPENDIX -> Examples)
Role | Purpose (grouped by scenario/functionality)

IMPLEMENTATION AND DISTRIBUTION
Implementation and Upgrade (see IMG activity: Information and Configuration, technical name: SOLMAN_RECOMMEND, for the scenario)
SAP_SOL_PM_COMP 1) | Composite role: Organizing and planning a project
SAP_SOL_AC_COMP 1) | Composite role: Create business content and the documentation of operational activities
SAP_SOL_BC_COMP 1) | Composite role: Development of customer-specific programs and authorizations
SAP_SOL_TC_COMP 1) | Composite role: Installing systems and providing technical support
SAP_SOL_RO_COMP 1) | Composite role: Read-only authorizations for SAP Solution Manager
SAP_SOL_RE_COMP 1) | Composite role: Read user according to status (document management)
SAP_SOL_LEARNING_MAP_DIS | For restricted authorization for user SOLARSERVICE, which is used for accessing HTTP services in the Solution Manager without login, e.g. for displaying HTML Learning Maps (1); see Basic settings in IMG.
SAP_DMDDEF_DIS | For restricted authorization for user SOLARSERVICE, which is used for accessing HTTP services in the Solution Manager without login, e.g. for displaying HTML Learning Maps (1)
Test Workbench (Workflow) (Extended Traceability package) (see IMG activity: Information and Configuration, technical name: SOLMAN_TEST_WF_INFO, for the scenario)
SAP_STWB_WORKFLOW_CREATE | Use Workflow
SAP_STWB_WORKFLOW_ADMIN | Admin Workflow, authority to create Business Partner
SAP_STWB_WORKFLOW_DIS | Display Workflow
Changing of Roadmaps
SAP_RMDEF_RMAUTH_EXE | For administrator purposes: change of roadmaps (needs to be granted in addition to SAP_SOL_*_COMP)
SAP_RMDEF_RMAUTH_DIS | For display purposes: display of roadmaps (needs to be granted in addition to SAP_SOL_*_COMP)
E-Learning Management
SAP_SOL_TRAINING_ALL | Single role (included in SAP_SOL* composite roles), needed to use the E-Learning Management tool.
SAP_SOL_TRAINING_EDIT | Single role (included in SAP_SOL* composite roles), needed to use the E-Learning Management tool.
Solution Documentation Assistant 4)
SAP_SDA_ALL | Full authorization: needs to be added to the corresponding composite Implementation role (SAP_SOL_*_COMP) and Work Center role
SAP_SDA_DIS | Display authorization: needs to be added to the corresponding composite Implementation role (SAP_SOL_*_COMP) and Work Center role

GENERAL INFRASTRUCTURE (see IMG activity: Information and Configuration, technical name: SOLMAN_SYST_INFORMAT; Basic Settings -> System Landscape)
Solution Directory
SAP_SOLMAN_DIRECTORY_ADMIN | Administer data in Solution Directory
SAP_SOLMAN_DIRECTORY_EDIT | Maintain data in Solution Directory
SAP_SOLMAN_DIRECTORY_DISPLAY | Display data in Solution Directory
System Landscape Maintenance (SMSY)
SAP_SMSY_ALL | Full authorization for transaction SMSY, maintenance of systems, servers, databases and logical components
SAP_SMSY_DISP | Display authorization for transaction SMSY
Solution
SAP_SM_SOLUTION_ALL | Full authorization for solutions
SAP_SM_SOLUTION_DIS | Display authorization for solutions

SERVICE DESK
Service Desk Messages
SAP_SUPPDESK_ADMIN | Authorizations needed to configure the Service Desk. In addition, it contains the authorizations for the roles SAP_SUPPDESK_PROCESS, SAP_SUPPDESK_DISPLAY, and SAP_SUPPDESK_CREATE
SAP_SUPPDESK_PROCESS | Authorizations needed for message (notification) processing, including the use of the solution database
SAP_SUPPDESK_CREATE | Create support messages from the satellite systems or in the central SAP Solution Manager system. If a generic RFC user is used to create notifications in the SAP Solution Manager system (that is, the user is specified in the RFC destination in transaction SM59 in the satellite systems), the role only needs to be assigned to this generic RFC user.
SAP_SUPPDESK_DISPLAY | Display user
Service Provider/Value Added Reseller
SAP_SUPPCF_ADMIN | Administrator authorization for creating and processing, and IMG, see SAP Note 834534
SAP_SUPPCF_CREATE | Key user (IT Operator) authorization to create messages, see SAP Note 834534
SAP_SUPPCF_PROCESS | Support Employee authorization to process messages, see SAP Note 834534

CHANGE MANAGEMENT
Change Request Management -> Schedule Manager; Service Desk, cProjects
SAP_CM_CHANGE_MANAGER_COMP 1) | Approving or rejecting change requests
SAP_CM_DEVELOPER_COMP 1) | Corrections in the development system; corrections in the maintenance and development systems
SAP_CM_TESTER_COMP 1) | Testing corrections in the test system; testing and validating corrections
SAP_CM_OPERATOR_COMP 1) | Import corrections into the production system; task lists
SAP_CM_PRODUCTIONMANAGER_COMP 1) | Import corrections into the production system; approve imports into the production systems
SAP_SOCM_REQUESTER | Create change requests
SAP_CM_ADMINISTRATOR_COMP 1) | Customize and check Change Request Management functions; administrative and technical maintenance. The task list administrator in Change Request Management deals with the administrative and technical side of maintenance cycles and urgent corrections, in particular the Schedule Manager task lists.
Maintenance Optimizer (see IMG activity: Information and Configuration, technical name: SOLMAN_MAINT_OPTIMIZ; Basic Settings -> Basic BC-Sets for Configuration)
SAP_MAINT_OPT_ADMIN | Full authorization for Maintenance Optimizer
SAP_MAINT_OPT_DISP | Display authorization for Maintenance Optimizer
SAP_MAINT_OPT_ADD | Authorization to write the Stack-Delta-XML folder into the EPS Outbox of the operating system of Solution Manager (Stack-Delta-XML folders are relevant for JSPM (Java Support Package Manager) and SAP Jup (SAP Java Upgrade) in Java systems)

SOLUTION MONITORING (see IMG activity: Information and Configuration, technical name: SOLMAN_MON_INFORMATI, for the scenario)
Service Data Control Center
SAP_SDCCN_ALL | Service Data Control Center administration, change setup
SAP_SDCCN_DIS | Service Data Control Center display only
SAP_SDCCN_EXE | Maintain Service Data Control Center
Complete Monitoring (setup and/or operations of EWA, SLR, System Monitoring, Business Process and Interface Monitoring, Central System Administration)
SAP_SV_SOLUTION_MANAGER | Full authorization for all functionalities within transaction SOLUTION_MANAGER
SAP_SV_SOLUTION_MANAGER_DISP | Display authorization for all functionalities within transaction SOLUTION_MANAGER
SAP_SETUP_DSWP | Full authorization for all sessions in area operations setup
SAP_OP_DSWP | Full authorization for all sessions in area operations
EarlyWatch Alert
SAP_SETUP_DSWP_EWA | Full authorization for session EarlyWatch Alert in area operations setup (according to BundleID)
SAP_OP_DSWP_EWA | Full authorization for session EarlyWatch Alert in area operations (according to BundleID)
Service Level Reporting
SAP_SETUP_DSWP_SLR | Full authorization for session Service Level Reporting in area operations setup (according to BundleID)
SAP_OP_DSWP_SLR | Full authorization for session Service Level Reporting in area operations (according to BundleID)
System Monitoring
SAP_SETUP_DSWP_SM | Full authorization for session System Monitoring in area operations setup (according to BundleID)
SAP_OP_DSWP_SM | Full authorization for session System Monitoring in area operations setup (according to BundleID)
Business Process Monitoring
SAP_SETUP_DSWP_BPM | Full authorization for session Business Process Monitoring in area operations setup (according to BundleID)
SAP_OP_DSWP_BPM | Full authorization for session Business Process Monitoring in area operations (according to BundleID)
Central System Administration
SAP_SETUP_DSWP_CSA | Full authorization for session Central Service Administration in area operations setup (according to BundleID)
SAP_OP_DSWP_CSA | Full authorization for session Central Service Administration in area operations (according to BundleID)

JOB SCHEDULING MANAGEMENT (see IMG activity: Information and Configuration, technical name: SOLMAN_JSCHED_INFORM, for the scenario)
Job Scheduling
SAP_SM_SCHEDULER_ADMIN | Full authorization including communication to external tool
SAP_SM_SCHEDULER_EXE | Execution authorization including communication to external tool
SAP_SM_SCHEDULER_DIS | Display authorization

REPORTING
Solution Reporting
SAP_SOL_REP_ADMIN | Authorization for reporting, maintaining system availability data, BI Reporting
SAP_SOL_REP_DISP | Authorization for report execution and display only
BI EWA-Reporting 2)
SAP_SM_ALEREMOTE | Authorization for background user in Solution Manager client, according to profile S_BI-WX_RFC (see SAP Note 150315)
SAP_BW_SOLUTION_MANAGER | Authorization for transaction RRMX
IT Performance Reporting 5)
Via Work Center System Monitoring | See Work Center role and authorization mapping for Work Center System Monitoring

SERVICE CONNECTION and SOLUTION TRANSFER
Service Connection
SAP_SERVICE_CONNECT | Authorizations for Service Connection
Solution Transfer
SAP_SOLUTION_TRANSFER | Authorization to transfer a solution from one SAP Solution Manager system to another SAP Solution Manager system

DIAGNOSTICS
Root Cause Analyses
SAP_SOLMANDIAG_SAPSUPPORT | Contains the required authorizations for using the Diagnostics for user SAPSUPPORT, see also SAP Note 828533
SAP_SOLMANDIAG_E2E | RFC calls for Diagnostics (according to profile S_SMDIAG_E2E)
SAP_SMDIAG_WIZARD | Authorization for using the Diagnostics Wizard to transfer data from Solution Manager to Diagnostics
SAP_SMDIAG_TEMPLATE | Authorization to edit templates for Diagnostics SMD and E2E Diagnostics
SAP_BI_E2E | For BI Reporting via Diagnostics according to profile S_SMDIAG_BI 4), assigned to Diagnostics user SAPSUPPORT

THIRD PARTY PRODUCTS
SAP Quality Center by HP (see IMG activity: Information and Configuration, technical name: SOLMAN_QC_INFORMATIO, for the scenario)
SAP_QC_BY_HP_ADMIN | Full authorization to configure, send and receive data to/from Quality Center; needs to be assigned additionally with the respective role for the Implementation and Distribution scenario, e.g. SAP_SOL_PM_COMP
SAP_QC_BY_HP_EXE | Authorization to work on the QC tab in SOLAR01/02; needs to be assigned additionally with the respective role for the Implementation and Distribution scenario, e.g. SAP_SOL_AC_COMP etc.
SAP_QC_BY_HP_DISP | Display authorization; needs to be assigned additionally with the respective role for the Implementation and Distribution scenario, e.g. SAP_SOL_RO_COMP
SAP_QC_INTERFACE | Authorization for background communication user
Service Desk Interface
SAP_SUPPDESK_INTERFACE | Authorization for bidirectional interface and configuration; needs to be assigned additionally with the respective roles for the Service Desk scenario, e.g. SAP_SUPPDESK_ADMIN
SAP CPS (Redwood) (see IMG activity: Information and Configuration, technical name: SOLMAN_REDWOOD_INFOR, for the scenario)
SAP_SM_REDWOOD_COMMUNICATION | Redwood users (communication user) in RFC destination to Solution Manager
BMC AppSight for SAP Client Diagnostics 4)
SAP_APPSIGHT_INTERFACE | Authorization for background communication user

CONTINUOUS IMPROVEMENT
Issue Management (see IMG activity: Information and Configuration, technical name: SOLMAN_ISSUE_INFORMA, for the scenario)
SAP_ISSUE_MANAGEMENT_ALL 4) | Full authorization for Issue Management
SAP_ISSUE_MANAGEMENT_EXE 4) | Operations authorization for Issue Management
SAP_ISSUE_MANAGEMENT_DIS 4) | Display authorization for Issue Management

SERVICE DELIVERY
Onsite and Remote Service Delivery
SAP_SOLMAN_ONSITE_COMP; SAP_SOLMAN_ONSITE_ALL_COMP | SAP provides two main users for Onsite Service Delivery and Remote Service Delivery, see SAP Notes 834534 and 872800
The following table shows which task list authorizations are assigned to the Schedule Manager roles that are included in the Change Request Management composite roles:
Task list authorization | Developer | Tester | Prod. Manager | Operator | Administrator
Display | X | X | X | X | X
Create | X | --- | --- | --- | X
Change | --- | --- | --- | --- | X
Delete | --- | --- | --- | --- | X
Run | X | X | X | X | X
Change status | X | X | X | X | X
1) Composite roles with naming convention _COMP consist of a number of single roles, which you may also use individually.
2) In the BI client (system) the following profiles are required: Administrator (IMG): profile S_RS_ALL (corresponding role SAP_S_RS_ALL); background user ALEREMOTE: profile S_BI-WHM_RFC (corresponding role SAP_BI_ALEREMOTE).
3) To maintain actions, you need the additional role SAP_PPF_CONFIGURATOR.
4) New as of SP16.
5) In the BI client (system) the following roles are required: for setup: SAP_BW_CCMS_SETUP, SAP_PI_CCMS_SETUP; to view the reports: SAP_BW_CCMS_REPORTING.
For security information on passwords, see SAP Note 862989: New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0).
For more information:
SAP Solution Manager Roles: SAP Note 834534 (SAP Solution Manager Roles)
Role Maintenance: online documentation: choose Help -> Application Help -> Solution Manager -> Projects -> Project Preparation -> Roles in Solution Manager
Change Request Management Roles: online documentation (in SAP Solution Manager system): Help -> Application Help -> SAP Solution Manager -> Change Request Management -> Roles in Change Request Management
Authorization Roles and Profiles in the Satellite Systems

You need to create users in the satellite systems to enable SAP Solution Manager users to access and configure these systems and perform test activities. Users are created in a satellite system using the User Maintenance tool (transaction code SU01) in that system. In each satellite system, you need to assign authorizations to users for the IMG and the Customizing configuration transactions as well as the application transactions to be configured. For details on all roles concerning Diagnostics, refer to Diagnostics on the SAP Service Marketplace: service.sap.com/diagnostics -> Installation and Upgrade Guides.

For SAP R/3 releases lower than SAP Web Application Server 6.10, the profiles listed in the table are available, but not the roles. Therefore, you have to explicitly assign the authorization profiles to the relevant users. The table below provides an overview of the roles and profiles for satellite systems; each entry gives the role (release >= 610), the profile (release < 610) where one exists, and the purpose.

CHANGE MANAGEMENT (Change Request Management)
  Role SAP_CHANGEMAN_DEVELOPER / Profile S_TMW_DEVELO: Authorizations for developers. This profile contains CTS authorizations for developers: no authorization to create transport requests and no authorization to release transport requests, but authorization to create and release tasks.
  Role SAP_CHANGEMAN_OPERATOR / Profile S_TMW_OPERA: Authorizations for operators. This profile contains CTS authorizations for operators: all transport authorizations; no configuration authorizations.
  Role SAP_CHANGEMAN_ADMIN / Profile S_TMW_ADMIN: Authorizations for administrators. This profile contains CTS authorizations for administrators: all authorizations in the CTS (including configuration).

SERVICE DATA CONTROL CENTER (Service Data Control Center)
  Role SAP_SDCCN_ALL (for Basis WebAS >= 610) / Profile S_SDCCN_ALL (for Basis 4*): Administration, change setup
  Role SAP_SDCCN_EXE (for Basis WebAS >= 610) / Profile S_SDCCN_EXE (for Basis 4*): Maintain Service Data Control Center
  Role SAP_SDCCN_DIS (for Basis WebAS >= 610) / Profile S_SDCCN_DIS (for Basis 4*): Service Data Control Center display only

SOLUTION MONITORING (System Monitoring and/or Central System Administration)
  Role SAP_BC_BASIS_ADMIN: Contains main transactions for Basis Administration

IMPLEMENTATION AND DISTRIBUTION (Customizing Distribution and Comparison)
  Role SAP_BC_CUS_ADMIN: Administration of Customizing projects. In addition, authorization object S_RFC is missing and needs to be maintained (transaction PFCG) with the values ACTVT: 16, RFC_NAME: S_SOLAR_RFC_00, RFC_TYPE: FUGR.
  Role SAP_BC_CUS_CUSTOMIZER: Changing customizing settings; see SAP_BC_CUS_ADMIN
  S_CUS_CMP: See also the online documentation: SAP Solution Manager -> Projects -> Customizing Distribution and Comparison system settings

Customizing Scout and System Landscape
  Role SAP_SOLAR_SATELLITE_SCOUT: Customizing Scout
  Role SAP_SOLAR_SATELLITE_SMSY: System Landscape

CATT
  Role SAP_BC_CAT_TESTER: Testing with CATT
  Role SAP_BC_CAT_TESTORGANIZER: Test organization with CATT

eCATT Test Workbench (see SAP Note 519858)
  Role SAP_TWB_TESTER: Testing with Test Workbench
  Role SAP_TWB_COORDINATOR: Coordination with Test Workbench
  Role SAP_TWB_ADMINISTRATOR: Administration with Test Workbench

BC Sets
  Role SAP_BCS_ACTIV: Activation of BC Sets; see SAP Note 505603
  Role SAP_BCS_CREAT: Creating BC Sets
  Role SAP_BCS_ADMIN: Administration of BC Sets

DIAGNOSTICS (Root Cause Analyses)
  Role SAP_JAVA_SUPPORT: Authorization for Diagnostics. All users of Diagnostics have to be assigned this role.
  Role SAP_JAVA_NWADMIN_CENTRAL_READONLY: All users of Diagnostics have to be assigned this role.
  Role SAP_SLD_GUEST: For read-only access to the SLD application, the user must belong to the group having the LcrUser J2EE server role (e.g. a group named SAP_SLD_GUEST).
  Role SAP_XI_DISPLAY_USER: Only for XI systems
  Role SAP_XI_MONITOR: Only for XI systems
  Role SAP_SATELLITE_E2E_DISP: Display Diagnostics transactions (ST-PI)
Roles and profiles are customizing entries. If profiles are delivered with new or changed authorizations, they have to be transported to your productive client.

Import Authorization Checks

Change Request Management uses the import functions of the Transport Management System (TMS). The TMS remote infrastructure is based on RFC connections that point solely to client 000 of a target system. For this reason, you must make sure that operators and administrators have users both in the client into which changes are imported and in client 000 of these systems.

Automatic Imports

In test systems, it is sometimes necessary that imports are performed automatically. If you want developers within the Change Request Management scenario to start imports into a test system automatically, you must add the profile S_TMW_IMPORT to the user TMSADM in client 000 of the test system. Since S_TMW_IMPORT is delivered empty, you have to assign it the authorizations S_CTS_IMPALL and S_CTS_IMPSGL, which are also contained in the authorization object S_CTS_ADMI.

It is then possible to start an import into this system from every satellite system within your domain by using the CPIC user TMSADM; therefore, do not use this method in production systems or in any other security-critical systems. The system where you want to start the import automatically must share the same transport directory as its preceding system. If the transport directories were different, the user who starts the import would need "addtobuffer" authorizations for the buffer adjustment, which would present a security risk not only for the system concerned, but also for the whole landscape (including the production system).

Regarding Change Request Management, the following table shows which transport methods are assigned to the background users in the target client and in client 000. In addition, the table indicates which roles are required for real users when using trusted RFC destinations:

(*) If you want developers within the Change Request Management scenario to start imports into a test system automatically, you must add the profile S_TMW_IMPORT to the user TMSADM in client 000 of the test system. You have to assign it the authorizations S_CTS_IMPALL and S_CTS_IMPSGL, which are contained in S_CTS_ADMI. Do not use this method in production systems or in any other security-critical systems. The system where you want to start the import automatically must share the same transport directory as its preceding system.

For more information:
Role Maintenance: online documentation (in the SAP Solution Manager system): Choose Help -> Application Help -> Solution Manager -> Projects -> Project Preparation -> Roles in Solution Manager
Change Request Management Roles: online documentation (in the SAP Solution Manager system): Help -> Application Help -> SAP Solution Manager -> Change Request Management -> Roles in Change Request Management
Authorizations for Customizing: online documentation for the IMG (transaction SPRO) -> chapter Create Solution Manager Configuration User
Authorizations for Customizing Distribution: online documentation (in the SAP Solution Manager, transaction SCDT_SETUP) -> Help -> Application Help -> Customizing Distribution -> Customizing Distribution System Settings
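The conditions the guide attaches to automatic imports (S_TMW_IMPORT on TMSADM in client 000 only in test systems, and a transport directory shared with the preceding system), together with the requirement that operators and administrators exist both in the import client and in client 000, can be checked against an export of user and profile assignments. The following script is an added example written for this section, not SAP code: the system IDs, users, transport directories and assignment records are constructed, and the landscape description is a hypothetical structure, not a format SAP delivers.

```python
# Constructed landscape: hypothetical SIDs, transport directories and
# predecessor systems (not taken from the guide).
SYSTEMS = {
    "DEV": {"role": "development", "transdir": "/usr/sap/trans", "predecessor": None},
    "QAS": {"role": "test", "transdir": "/usr/sap/trans", "predecessor": "DEV"},
    "QA2": {"role": "test", "transdir": "/usr/sap/trans_qa2", "predecessor": "DEV"},
    "PRD": {"role": "production", "transdir": "/usr/sap/trans", "predecessor": "QAS"},
}

# Constructed assignments: (system, client, user, profile or role), as you
# would export them from user maintenance in each system.
ASSIGNMENTS = [
    ("QAS", "000", "TMSADM", "S_TMW_IMPORT"),
    ("QA2", "000", "TMSADM", "S_TMW_IMPORT"),
    ("PRD", "000", "TMSADM", "S_TMW_IMPORT"),
    ("QAS", "100", "OPERATOR1", "SAP_CHANGEMAN_OPERATOR"),
    ("QAS", "000", "OPERATOR1", "SAP_CHANGEMAN_OPERATOR"),
    ("PRD", "100", "ADMIN1", "SAP_CHANGEMAN_ADMIN"),
]

# Roles of real users that must exist in both the import client and client 000.
CHARM_REAL_USER_ROLES = {"SAP_CHANGEMAN_OPERATOR", "SAP_CHANGEMAN_ADMIN"}


def audit_import_authorizations(systems, assignments):
    """Return a list of findings; an empty list means no deviation from the guide."""
    findings = []

    # Rule 1: S_TMW_IMPORT on TMSADM in client 000 is acceptable only in test
    # systems, and only if the transport directory is shared with the
    # preceding system (otherwise addtobuffer rights would be needed).
    for sid, client, user, auth in assignments:
        if not (user == "TMSADM" and client == "000" and auth == "S_TMW_IMPORT"):
            continue
        info = systems[sid]
        if info["role"] != "test":
            findings.append(f"{sid}: S_TMW_IMPORT on TMSADM in client 000 of a {info['role']} system")
            continue
        pred = info["predecessor"]
        if pred is not None and systems[pred]["transdir"] != info["transdir"]:
            findings.append(f"{sid}: automatic import enabled but transport directory differs from {pred}")

    # Rule 2: operators and administrators need a user in the import client
    # and in client 000, because the TMS RFC destinations point to client 000.
    users_in_000 = {(sid, user) for sid, client, user, _ in assignments if client == "000"}
    for sid, client, user, auth in assignments:
        if client != "000" and auth in CHARM_REAL_USER_ROLES and (sid, user) not in users_in_000:
            findings.append(f"{sid}: {user} holds {auth} in client {client} but has no user in client 000")
    return findings


if __name__ == "__main__":
    for line in audit_import_authorizations(SYSTEMS, ASSIGNMENTS):
        print(line)
```

Run against the constructed data, the audit reports QA2 (automatic import without a shared transport directory), PRD (S_TMW_IMPORT on TMSADM in a production system) and ADMIN1 (administrator without a user in client 000 of PRD); QAS passes both rules.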
Work Center Roles in the Solution Manager System

As of Solution Manager 7.0 SP15, a number of Work Center roles are delivered. Work Center roles (naming convention: SAP_SMWORK_) are based on the authorization roles approach (transaction PFCG). Still, in contrast to authorization roles, which contain a number of authorization objects, Work Center roles do not contain any active authorization objects, but only menu entries. The menu entries consist of a two-folder hierarchy. They display the menu hierarchy/entries in the NetWeaver Business Client (NWBC). The first level always consists of the homepage WebDynpro application of the according Work Center (e.g. Incident Management). The second level consists of several related links, such as Service Marketplace etc.

Work Center roles are always single roles. They need to be assigned to the user in ADDITION to the authorization roles for the individual scenarios (e.g. SAP_SUPPDESK_* and SAP_SUPPCF_*) and the single role SAP_SMWORK_BASIC. Work Center roles do not contain authorizations, therefore it is not necessary to generate an authorization profile. If a user is to be assigned more than one Work Center, the single roles can be combined into composite roles according to your needs. In this case, the merge of menu entries is not necessary and should not be done.

Each end user who works with Work Centers needs to be assigned role SAP_SMWORK_BASIC. This role provides all the necessary authorizations for the Work Centers themselves, such as authorization for POWL (table control) and navigation. It needs to be fully maintained, including profile generation and user comparison.

The following tables provide an overview and mapping of the Work Center roles and standard Solution Manager roles. Each entry lists the view and link of the Work Center, followed by the mapped authorization roles.

INCIDENT MANAGEMENT (Work Center role: SAP_SMWORK_INCIDENT_MAN)
  Overview / Messages / Search: SAP_SUPPDESK_*; (SAP_SUPPCF_* in case of Service Provider)
  Reports: SAP_SM_SOLUTION_* (in case of solution-dependent reporting), SAP_SOL_REP_*
  Common Tasks - New message: SAP_SUPPDESK_*; (SAP_SUPPCF_* in case of Service Provider)
  Common Tasks - Search for SAP Note: URL - no authorization check
  Common Tasks - Transaction Monitor: SAP_SUPPDESK_*; (SAP_SUPPCF_* in case of Service Provider)

CHANGE MANAGEMENT (Work Center role: SAP_SMWORK_CHANGE_MAN)
  Overview: SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* / SAP_CM_*_COMP
  Change Request: SAP_CM_*_COMP
  Hot News: SAP_SM_SOLUTION_*
  Maintenance Optimizer: SAP_MAINT_OPT_* / SAP_SM_SOLUTION_*
  Test Management: SAP_SOL_*_COMP (according to function, e.g. Tester or Test Organizer)
  Reports: SAP_SOL_REP_* / SAP_SM_SOLUTION_*
  Common Tasks - New Change Request: SAP_CM_*_COMP
  Common Tasks - New Maintenance Transaction: SAP_MAINT_OPT_* / SAP_SM_SOLUTION_*

IMPLEMENTATION AND UPGRADE (Work Center role: SAP_SMWORK_IMPL)
  Overview - Project: Implementation and Upgrade roles according to business role (e.g. Project Manager or Technical Consultant): SAP_SOL_*_COMP (Project Administration)
  Evaluate - Access Business Map / Download Solution Composer / Access SAP Best Practices: URL - Service Marketplace: no authorization check
  Evaluate - Access Business Process Repository: WebDynpro BPR - no authorization check
  Evaluate - Access projects: Implementation and Upgrade roles according to business role (e.g. Project Manager or Technical Consultant): SAP_SOL_*_COMP (Project Administration)
  Plan - Access Solution Directory: SAP_SOLMAN_DIRECTORY_* / SAP_SM_SOLUTION_*
  Plan - Projects: Implementation and Upgrade roles according to business role (e.g. Project Manager or Technical Consultant): SAP_SOL_*_COMP (Project Administration)
  Plan - Roadmap: Implementation and Upgrade roles according to business role (e.g. Project Manager or Technical Consultant): SAP_SOL_*_COMP (Roadmap); changing of Roadmaps: SAP_RMDEF_RMAUTH_*
  Plan - Business Blueprint: Implementation and Upgrade roles according to business role (e.g. Project Manager or Technical Consultant): SAP_SOL_*_COMP (Business Blueprint)
  Build - Configuration: Implementation and Upgrade roles according to business role (e.g. Project Manager or Technical Consultant): SAP_SOL_*_COMP (Business Blueprint)
  Build - E-Learning: Implementation and Upgrade roles according to business role (e.g. Project Manager or Technical Consultant): SAP_SOL_*_COMP (E-Learning)
  Build - Customizing Distribution: Implementation and Upgrade roles according to business role (e.g. Project Manager or Technical Consultant): SAP_SOL_*_COMP (Customizing Distribution)
  Build - BC Sets: No authorization check
  Test: E-Learning Management: SAP_SOL_TRAINING_*; General Infrastructure: Cutover to Test (transaction SOLMAN_DIRECTORY "Solution Directory"): SAP_SOLMAN_DIRECTORY_*
  Going Live Preparation - Go to Solution Directory: SAP_SOLMAN_DIRECTORY_*
  Going Live Preparation - Going Live Check: URL - no authorization check
  Going Live Preparation - SAP EarlyWatch Alert: SAP_SM_SOLUTION_* / SAP_OP_DSWP_EWA
  Reports: Implementation and Upgrade roles according to business role (e.g. Project Manager or Technical Consultant): SAP_SOL_*_COMP
  Common Tasks - Roadmap: Implementation and Upgrade roles according to business role (e.g. Project Manager or Technical Consultant): SAP_SOL_*_COMP (Roadmap); changing (define and maintain) of Roadmaps: SAP_RMDEF_RMAUTH_*
  Related Links - System Landscape: SAP_SMSY_*
  Related Links - Project Administration: Implementation and Upgrade roles according to business role (e.g. Project Manager or Technical Consultant): SAP_SOL_*_COMP (Project Administration)
  Related Links - Learning Maps: Implementation and Upgrade roles according to business role (e.g. Project Manager or Technical Consultant): SAP_SOL_*_COMP (E-Learning)

JOB MANAGEMENT (Work Center role: SAP_SMWORK_JOB_MAN)
  Overview: SAP_SM_SCHEDULER_ADMIN_*
  Job Monitoring: SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_*
  Job Documentation / Job Scheduling / Reporting / Common Tasks: SAP_SM_SCHEDULER_ADMIN_*
  Related Links - SAP Central Process Scheduling by Redwood: URL - no authorization check

SERVICE DELIVERY
(Work Center role: SAP_SMWORK_SERVICE_DEV)
  Overview: SAP_SV_SOLUTION_MANAGER, SAP_SM_SOLUTION_*, SAP_ISSUE_MANAGEMENT_*
  SAP Delivered Services / Self Delivered Services: SAP_SV_SOLUTION_MANAGER, SAP_SM_SOLUTION_*
  Issues and Top Issues: SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_*
  Tasks / Reports: SAP_SOL_REP_* / SAP_SM_SOLUTION_*
  Common Tasks - Create Issue / Create Top Issue: SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_*
  Related Links - Display Business Process: SAP_OP_DSWP_BPM (correct maintenance needed for display) / SAP_SM_SOLUTION_DIS
  Related Links - Data Transfer Configuration: No authorization check
  Related Links - Solution Manager Operations: SAP_SV_SOLUTION_MANAGER (full authorization for Solution Monitoring - Operations and Setup)

SETUP (Work Center role: SAP_SMWORK_SETUP)
  Overview - Self-Diagnosis: SAP_SM_SOLUTION_*
  Solution - Solutions (create): SAP_SM_SOLUTION_*
  Solution - Service Connection: SAP_SERVICE_CONNECT
  Solution - Solution Transfer: SAP_SOLUTION_TRANSFER
  Solution - Operations Setup (EWA): SAP_SETUP_DSWP_EWA / SAP_SM_SOLUTION_*
  Solution - Export and Import: SAP_SOLAR_MIGRATION
  Project - General project-related tasks: SAP_SOL_*_COMP
  Systems - Systems Setup: SAP_SMSY_*
  Systems - Systems Maintenance: SAP_SOLMAN_DIRECTORY_* / SAP_SM_SOLUTION_*
  Systems - RFC Destinations: A template role for authorizations for SM59 is not delivered with ST; the role must be created individually.
  Users: Template roles for authorizations for SU01, PFCG, SU10 or SUIM are not delivered with ST; roles must be created individually. Alternatively, role SAP_BC_USER_ADMIN can be used (NOTE: full administration authorization).
  Specific Setup - System Administration: SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_CSA
  Specific Setup - Service Level Reporting: SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SLR
  Specific Setup - System Monitoring: SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM
  Specific Setup - EarlyWatch Alert: SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_EWA
  Specific Setup - Connectivity Monitoring: transaction SOLUTION_MANAGER (no authorization check)
  Specific Setup - IT-Performance Reporting: SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM
  Specific Setup - Landscape Maintenance: SAP_SMSY_*
  Specific Setup - RFC Connection Error: transaction SOLUTION_MANAGER (no authorization check)
  Common Tasks - Implementation Guide (SPRO): Profile SAP_ALL
  Related Links - Implementation Guide (SPRO): Profile SAP_ALL
  Related Links - Solution Manager Migration: SAP_SOLAR_MIGRATION
  Related Links - General tasks related to the system configuration of Solution Manager (IMG): Profile SAP_ALL
SYSTEM ADMINISTRATION (Work Center role: SAP_SMWORK_SYS_ADMIN)
  Overview - System (General Infrastructure): SAP_SMSY_*
  User Management: Template roles for authorizations for SU01, PFCG, SU10 or SUIM are not delivered with ST; roles must be created individually. Alternatively, role SAP_BC_USER_ADMIN can be used (NOTE: full administration authorization).
  Administration Tools: Template roles for non-specific Solution Manager transactions (functionalities) can be found in the according documentation for these functionalities.
  Setup - CSA: SAP_SETUP_DSWP_CSA / SAP_SM_SOLUTION_*
  Related Links - Solutions (General Infrastructure): SAP_SM_SOLUTION_*
  Related Links - DBA Cockpit: SAP_BC_DB_ADMIN
  Related Links - Landscape Printing Assistant: A template role for authorizations for transaction PAL is not delivered with ST; the role must be created individually.
  Related Links - Solution Manager Diagnostics: URL - no authorization check
  Related Links - Issue Management: SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_*

SYSTEM MONITORING (Work Center role: SAP_SMWORK_SYS_MON)
  Overview - Systems/Solutions: SAP_SMSY_* / SAP_SM_SOLUTION_*
  Alert Inbox - System Alerts: SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*
  Proactive Monitoring - Systems/Solutions: SAP_SMSY_* / SAP_SM_SOLUTION_*. Template roles for non-specific Solution Manager transactions (functionalities) can be found in the according documentation for these functionalities.
  Connectivity Monitoring - RFC Destinations: SAP_SMSY_* / A template role for authorizations for SM59 is not delivered with ST; the role must be created individually. Alternatively, role SAP_BC_USER_ADMIN can be used (NOTE: full administration authorization).
  Job Monitoring - Job Scheduling: SAP_SM_SCHEDULER_*
  Reporting - Tab Systems: EWA Reporting: SAP_OP_DSWP_EWA / SAP_SM_SOLUTION_*
  Reporting - Tab Systems: IT-Performance Reporting: SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*
  Reporting - Tab Solutions: Service Level Reporting: SAP_OP_DSWP_SLR / SAP_SM_SOLUTION_*
  Reporting - Tab Solutions: Availability Reporting: SAP_SOL_REP_* / SAP_SM_SOLUTION_*
  Setup - System Monitoring: SAP_SETUP_DSWP_* / SAP_SM_SOLUTION_*
  Setup - Service Level Reporting: SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SLR
  Setup - EarlyWatch Alert: SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_EWA
  Setup - Connectivity Monitoring: transaction SOLUTION_MANAGER (no authorization check)
  Setup - IT-Performance Reporting: SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM
  Related Links - Solutions: SAP_SM_SOLUTION_*
  Related Links - Self-Diagnosis: SAP_SM_SOLUTION_*
  Related Links - Solution Manager Diagnostics: URL - no authorization check
  Related Links - Wily Introscope: URL - no authorization check
SYSTEM LANDSCAPE MANAGEMENT (Work Center role: SAP_SMWORK_LANDSCAPE_MAN)
  Overview - System/Solution: SAP_SMSY_* / SAP_SM_SOLUTION_*
  Common Tasks - Create Solution: SAP_SM_SOLUTION_*
  Related Links - System Landscape Solution Manager: SAP_SMSY_*
  Related Links - Service Connection: SAP_SERVICE_CONNECT
  Related Links - Downtime Management / Transport Management System / Installation Setup: (no mapping listed)
BUSINESS PROCESS AND INTERFACE MONITORING (Work Center role: SAP_SMWORK_BPM)
  Overview - Operation Business Process Monitoring: SAP_OP_DSWP_BPM, SAP_SM_SOLUTION_*
  Business Process - Operation Business Process Monitoring: SAP_OP_DSWP_BPM, SAP_SM_SOLUTION_*
  Business Process - Service Desk Message: SAP_SUPPDESK_* / SAP_SUPPCF_* (in case of Service Provider)
  Business Process - Alert Detail: SAP_OP_DSWP_BPM, SAP_SM_SOLUTION_*
  Alert Inbox / Reports / Common Tasks: (no mapping listed)
  Related Links - Solution Directory: SAP_SOLMAN_DIRECTORY_*, SAP_SM_SOLUTION_*
  Related Links - Setup Business Process Monitoring: SAP_SETUP_DSWP_BPM / SAP_SM_SOLUTION_*
  Related Links - Solution Manager Operation (transaction SOLUTION_MANAGER): SAP_SV_SOLUTION_MANAGER (full authorization for Solution Monitoring - Operations and Setup)

ROOT CAUSE ANALYSIS (Work Center role: SAP_SMWORK_DIAG)
  Overview - Configuration: No authorization check
  Overview - SAP Diagnostics: URL - no authorization check
  Configuration / Related Links - SAP Diagnostics Setup: (no mapping listed)

SOLUTION DOCUMENTATION ASSISTANT (Work Center role: SAP_SMWORK_SDA)
  Overview - all: SAP_SDA_*; SAP_SOL_*_COMP
  Analysis Projects - all: SAP_SDA_*; SAP_SOL_*_COMP
  Analyses - all: SAP_SDA_*; SAP_SOL_*_COMP
  Related Links - all: SAP_SDA_*; SAP_SOL_*_COMP

For detailed information on menu entries, see SAP Note 834534.
EXAMPLE: System Administrator

The role described below is delivered with Stack 15 as an example role. If you use this role, copy it, maintain all authorization roles and execute the user comparison.

You want your System Administrator to use the Work Centers of Solution Manager. Your System Administrator should maintain your System Landscape and should take care of the smooth running of all its systems. Therefore, he/she uses the following Work Centers:
  System Landscape Management (Work Center role: SAP_SMWORK_LANDSCAPE_MAN)
  System Monitoring (Work Center role: SAP_SMWORK_SYS_MON)
  System Administration (Work Center role: SAP_SMWORK_SYS_ADMIN)

According to the mapping table above, the Work Center roles for these three Work Centers need to be granted. In addition, the appropriate authorization roles with full authorization are needed:
  Authorizations for Work Centers: SAP_SMWORK_BASIC
  System Landscape Maintenance: SAP_SMSY_ALL
  Solutions: SAP_SM_SOLUTION_ALL
  Setup System Monitoring: SAP_SETUP_DSWP_SM
  Setup System Administration: SAP_SETUP_DSWP_CSA
  Operations System Monitoring: SAP_OP_DSWP_SM
  Operations System Administration: SAP_OP_DSWP_CSA
  Service Connection: SAP_SERVICE_CONNECT

Roles for transactions that are not delivered with Solution Manager (ST) are not included, nor are roles for Issue Management, Job Scheduling and Availability Reporting. All roles were then included in a composite role for the System Administrator, SAP_SMWORK_ADMINISTRATOR_COMP, and the user comparison was executed.
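The rules stated for Work Center roles (a Work Center role grants menu entries only, SAP_SMWORK_BASIC must be assigned with a generated profile, and the scenario authorization roles from the mapping table must be present) can be verified per user before the composite role is handed out. The following script is an added example for this section, not SAP code. The required-role mapping is a constructed subset covering only the three Work Centers of the System Administrator example, written with the guide's wildcard notation; the user names and their role sets are constructed as well.

```python
import fnmatch

# Constructed subset of the Work Center mapping tables above, restricted to the
# three Work Centers used in the System Administrator example. Patterns use the
# guide's wildcard notation (SAP_SMSY_* etc.).
WORKCENTER_REQUIREMENTS = {
    "SAP_SMWORK_LANDSCAPE_MAN": ["SAP_SMSY_*", "SAP_SM_SOLUTION_*", "SAP_SERVICE_CONNECT"],
    "SAP_SMWORK_SYS_MON": ["SAP_SMSY_*", "SAP_SM_SOLUTION_*", "SAP_OP_DSWP_SM", "SAP_SETUP_DSWP_SM"],
    "SAP_SMWORK_SYS_ADMIN": ["SAP_SMSY_*", "SAP_SM_SOLUTION_*", "SAP_SETUP_DSWP_CSA"],
}

# Authorizations the guide marks as full administration (profile SAP_ALL,
# role SAP_BC_USER_ADMIN); worth reporting whenever they are assigned.
BROAD_AUTHORIZATIONS = {"SAP_ALL", "SAP_BC_USER_ADMIN"}


def check_workcenter_user(assigned, profiles_generated):
    """assigned: roles and profiles of one user; profiles_generated: the subset of
    roles whose authorization profile has been generated. Returns a list of findings."""
    findings = []
    workcenters = sorted(r for r in assigned if r.startswith("SAP_SMWORK_") and r != "SAP_SMWORK_BASIC")

    # SAP_SMWORK_BASIC carries the POWL and navigation authorizations, so it must
    # be assigned and fully maintained (profile generated) whenever a Work Center is.
    if workcenters:
        if "SAP_SMWORK_BASIC" not in assigned:
            findings.append("SAP_SMWORK_BASIC missing although Work Center roles are assigned")
        elif "SAP_SMWORK_BASIC" not in profiles_generated:
            findings.append("SAP_SMWORK_BASIC assigned but its profile has not been generated")

    # Work Center roles carry no authorization objects: every pattern from the
    # mapping table must be matched by at least one assigned authorization role.
    for wc in workcenters:
        for pattern in WORKCENTER_REQUIREMENTS.get(wc, []):
            if not any(fnmatch.fnmatchcase(r, pattern) for r in assigned):
                findings.append(f"{wc}: no authorization role matching {pattern}")

    for broad in sorted(BROAD_AUTHORIZATIONS & set(assigned)):
        findings.append(f"{broad} assigned (full administration authorization)")
    return findings


# Constructed sample users. SYSADMIN mirrors the role list of the example above.
SYSADMIN = {
    "SAP_SMWORK_BASIC", "SAP_SMWORK_LANDSCAPE_MAN", "SAP_SMWORK_SYS_MON", "SAP_SMWORK_SYS_ADMIN",
    "SAP_SMSY_ALL", "SAP_SM_SOLUTION_ALL", "SAP_SETUP_DSWP_SM", "SAP_SETUP_DSWP_CSA",
    "SAP_OP_DSWP_SM", "SAP_OP_DSWP_CSA", "SAP_SERVICE_CONNECT",
}
# MONITOR_ONLY received a Work Center role with an incomplete set of scenario
# roles, and the broad SAP_BC_USER_ADMIN role to compensate.
MONITOR_ONLY = {"SAP_SMWORK_BASIC", "SAP_SMWORK_SYS_MON", "SAP_SMSY_ALL", "SAP_BC_USER_ADMIN"}

if __name__ == "__main__":
    print(check_workcenter_user(SYSADMIN, SYSADMIN))
    for line in check_workcenter_user(MONITOR_ONLY, {"SAP_SMSY_ALL", "SAP_BC_USER_ADMIN"}):
        print(line)
```

For SYSADMIN the check returns no findings; for MONITOR_ONLY it reports the ungenerated SAP_SMWORK_BASIC profile, the three missing scenario roles for SAP_SMWORK_SYS_MON, and the broad SAP_BC_USER_ADMIN assignment. Extending WORKCENTER_REQUIREMENTS with the remaining tables above makes the same check applicable to every Work Center.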
SLD (System Landscape Directory) Security Roles

If you have attached the System Landscape Directory, you need to generate roles for the SLD users set up for the communication between ABAP and Java. Each entry lists the SLD user, the role, and its purpose.
  SLDAPIUSER: No role required. Purpose: to send data from SAP Solution Manager to the SLD.
  SAPJSF (Service User): SAP_BC_JSF_COMMUNICATION_RO. Purpose: to read data from the SLD.
  SAP_BC_AI_LANDSCAPE_DB_RFC (context: application integration infrastructure): This role enables write access to the database tables of the SAP System Landscape Directory (SLD). The role has to be assigned to the user who makes the RFC calls from the SLD.
  J2EE_ADMIN (Service User): SAP_J2EE_ADMIN. Purpose: role that is assigned to the users that are to have administrator rights in a connected SAP J2EE Engine. Used to attach a local UME to the central ABAP user management.
  J2EE_GUEST (Service User): SAP_J2EE_GUEST. Purpose: role that is assigned to the users that are to have guest authorizations in a connected SAP J2EE Engine.
SLM (Software Lifecycle Manager) Security Roles

The security roles in the SLM are analogous to the security roles in the SLD. For detailed information see: help.sap.com/nw70 -> Functional View -> Solution Life Cycle Management -> Software Life Cycle Management.

S-User Authorization

The S-user is used for accessing SAP internal systems via special RFC destinations like SAP-OSS and SAP-OSS-LIST-O01 (see chapter Communication Destinations). Background jobs (see chapter Background Jobs) control the access via RFC destinations and the data communication. S-users (that have the correct authorizations) are needed to open the gate and trigger dedicated functions on the SAP side. For several use cases it is necessary to assign an SAP Support Portal contact to SAP Solution Manager system users who will communicate with the SAP Support Portal via RFC destination SAP-OSS. The contact you maintain corresponds to the S-user in the SAP Support Portal without the leading 'S'. See: IMG (transaction SPRO) activity: Assign S-User for SAP Support Portal functionality (SOLMAN_PROFILE_PARAM). For the customer-specific RFC connection (scenario: Service Provider) no authorization for the assigned S-user is necessary.

In the SAP Support Portal, your S-user needs to have the following authorizations for the individual functionalities:

Service Desk and Expert-on-Demand
  Create message: ANLEG (Create SAP message)
  Create and send messages: GOSAP (Send to SAP)
  Confirm messages: QUITT (Confirm SAP message)
  Display/change Secure Area: PWDISP (Display Secure Area), PWCHGE (Change Secure Area)

Value Added Reseller: Download Data from SAP
  Administration authorization: ADMIN
  Maintain all logon data: value GLOBAL
  Maintain user data: USER
  Maintain system data: INSTPROD

Value Added Reseller: Customer
  Maintain system data: INSTPROD

Service Desk and Expert-on-Demand
  Create message: ANLEG (Create SAP message)
  Send messages: GOSAP (Send to SAP), WAUFN (Reopen SAP message)
  Confirm messages: QUITT (Confirm SAP message)
  Display/change Secure Area: PWDISP (Display Secure Area), PWCHGE (Change Secure Area)

Service Connection
  Open service connections: SVER (Open Service Connection)
  Setup/migrate a service connection: SVER (Open Service Connection), INSTPROD (Maintain System Data)

SAP HotNews
  SAP Notes search: NOTES (Search for notes)
Background Jobs

As soon as a Solution is created within the Solution Manager system, the background job SM:SCHEDULER with program RDSWPJOBSCHEDULER is automatically started. This program executes all programs which are marked as active in table DSWPJOB. You should not alter configurations in this table. See also SAP Note 894279. The following table provides an overview of all background jobs, whether they are included in DSWPJOB and which RFC connection is used (see also chapter Communication Destinations). Each entry lists the background job and program/report, its use, and the RFC connection used.

SERVICE DELIVERY
  SM:GET CSN COMPONENTS / DSWP_GET_CSN_COMPONENTS: Transfer CSN components to Solution Manager (DSWPJOB). RFC: SAPOSS
  SM:SYNC SOLMAN INFO / RDSMOPSERVICEINFOS: Self-Service: components used by customers (DSWPJOB). RFC: SAPOSS
  SM:TOP ISSUE TRANSFER / RDSWPCI_TOPISSUE_TRANSFER: Transfers the top issues that you have exchanged with SAP once a week (DSWPJOB). RFC: SAP-OSS
  SM:SURVEY TRANSFER / RDSWPCI_SURVEY_TRANSFER: Transfers the questionnaires for customer satisfaction with the service session and issue processing to SAP (DSWPJOB). RFC: SAP-OSS
  SM:SEND_SOLUTIONS_TO_SAP / RDSMOPCOLLECTSOLUTIONDATA: Sends the data of the respectively configured solutions to SAP (DSWPJOB). RFC: SAP-OSS
  SM_SYNC_SAP SESSIONS / RDSWPCISERVICEPLAN; RDSMOPSERVICESESSIONS; RDSWPBACKGROUNDSERVICES_4; RDSWPBACKGROUNDSERVICES_3: Get service plan from SAP (DSWPJOB -> RDSMOPSERVICESESSIONS; RDSWPBACKGROUNDSERVICES_4 and RDSWPBACKGROUNDSERVICES_3 non-active). The session scheduling in the service plan is updated daily by SAP. This report is necessary to receive service plans from SAP. RFC: SAP-OSS
  SM:FILL ISSUE BUFFER TABLE / DSWP_CI_ISSUE_BUFFER_TABLE: Fill issue buffer table (DSWPJOB)
  SM:MIGRATE_ISSUE_PROJECT_CONTEXT / RDSWPCI_ISSUE_PROJECT_CONTEXT1: (DSWPJOB)
  SM:SYNC ISSUES FROM CRM / RDSWP_ISSUE_REFRESH: Table DSWPISSUE contains information from the CRM document and the support message (context). This table is updated (DSWPJOB).
  SOLMAN_ISSUE_STATUS_REFRESH / RBM_REFOBJ_BUFFER_UPDATE: The SAP Solution Manager buffers message attributes such as the current user and the processing status. This periodic job collects these message attributes from the message system and makes them available for analysis.

SERVICE DESK
  SM:RNOTIFUPDATE01 / RNOTIFUPDATE01: Refreshes the contents of Support Desk or Expert-on-Demand messages that have been processed by SAP. Recommendation: deactivate this job and schedule a customer-specific variant (DSWPJOB). RFC: SAP-OSS-LIST-O01
  SM:GET CSN COMPONENTS / DSWP_GET_CSN_COMPONENTS: Transfer CSN components to Solution Manager (DSWPJOB). RFC: SAPOSS
  AI_SDK_FILL_FILE_TYPE_TABLE / AI_SDK_FILL_FILE_TYPE_TABLE: Only specified file types can be sent to SAP; for security reasons, all other attachments sent to SAP are refused by SAP. So that SAP is able to read all the attachments which you send with your message, the program updates the file type tables AISDK_FILETX and AISDK_FILETY. RFC: SAP-OSS

SOLUTION MONITORING
  /BDL/TASK_PROCESSOR: Starts all necessary tasks (maintenance task) in satellite systems for service sessions (e.g. EWA); automatically scheduled when SDCCN is activated in the satellite system.
  SM:EXEC SERVICES / RDSMOPBACK_AUTOSESSIONS: Executes service sessions in Solution Manager. Carries out services daily (or weekly) and schedules new services (DSWPJOB).
  SM:CSA SESSION REFRESH / DSVAS_APPL_CSA_REORG_TASKTABLE; RDSMOPSOL_MONIREFRESH: CSA session refresh (DSWPJOB). The Central System Administration (CSA) session is opened in the background and processed every hour. This updates the task status icons in the SAP Solution Manager graphic.
  SM:CSA UPDATE TASKSTATUS / DSVAS_APPL_CSA_UPD_TASKSTATUS: CSA task status update (DSWPJOB); updates the status symbols of CSA tasks in the graphical overview of systems.
  SM:CSDCC HANDLE TASKS / RCSDCCHANDLETASKS: (DSWPJOB)
  SM:SESSIONS RESET / RDSMOP_SESSSION_RESET: Session initialization. The setup sessions are automatically reset after a new ST-SER release is implemented or after a new Support Package is imported. This ensures that these sessions always run on the newest check source code (DSWPJOB).
  SM:MIGRATE EWACUSTOMIZING / RDSWPMIGRATEEWACUSTOMIZING: Migrate EWA customizing (DSWPJOB)
  SM:SET DEFAULT RATING / RDSWPSETDEFAULTRATINGHIERARCHY: Set default rating (DSWPJOB -> non-active)
  SM:SOLMAN MONITORING / RDSWP_FILL_CCMS_ALERTS: Supplies the monitoring object of the CCMS for every solution with data from the Solution Manager, for example EWA, SL Reporting and transaction SDCCN (DSWPJOB).
  SM:DOWNLOAD DELETION / RDSWPDOWNLOADDELETION: Download data which is more than 30 days old is deleted (DSWPJOB).
  Program RDSWP_DTM_UPDATE_DT_STATUS: Updates the downtime status. To be run daily, at 00:00 to 00:10 hrs; period: 1.
  RFC connections listed for this scenario: TRUSTED or LOGIN; TRUSTED or READ

CHANGE REQUEST MANAGEMENT
  SM:TMWFLOW_CMSSYSCLO / /TMWFLOW/CMSSYSCOL2: Gets tracking data from systems, asynchronously (DSWPJOB). RFC: READ; TMWFLOW

ROOT CAUSE ANALYSIS
  SM:SOLMAN_DIAG_UPDATE / RSOLDIAG_CHECK_FOR_UPDATE: Checks your Solution Manager and notifies it about the changes made to relevant data and parameters (DSWPJOB).

IMPLEMENTATION (DOCUMENT MANAGEMENT)
  Job name (customer-specific) / RSTIRIDX: Asynchronous indexing and de-indexing for Document Management (manually; see also IMG -> Scenario-specific Settings -> Cross-scenario -> Document Management -> Servers -> Connect Index Server for Full Text Search).
  SM:ACCELERATE DOC USAGE / RDMD_ACCELERATE_DOC_USAGE: Accelerates the where-used list for documents in the Solution (DSWPJOB).

THIRD PARTY PRODUCTS
  Job name (customer-specific) / RS_SM_QC_REQUIREMENT_SYNC and RS_SM_QC_TESTRESULT_SYNC: SAP Quality Center by HP: send test requirements and receive test results (manually; see IMG -> Scenario-specific Settings -> Third Party Integration -> SAP Quality Center by HP).

GENERAL INFRASTRUCTURE
  REFRESH_ADMIN_DATA_FROM_SUPPORT / AI_SC_REFRESH_READ_ONLY_DATA: Periodically reads administrative data from the SAP Support Portal (system data synchronization in SMSY). RFC: SAP-OSS
  SEND_SYSTEM_RELATIONSHIP_TO_SUPP / AI_SC_SEND_SYSTEM_RELATIONSHIP: Periodically sends information on which systems are managed by Solution Manager. RFC: SAP-OSS
  SERVICE_CONNECTION_LISTENER / AI_SC_LISTENER: Periodically checks in Solution Manager whether a service connection is planned to be opened. RFC: SAP-OSS
  LANDSCAPE FETCH / RSGET_SMSY
T he he jo job ge gets sy syst em em da dat a for th th e S ol olut io ion Manager system landscape by automatic data transfer from TMS/RFC or the System Landscape Directory (SLD); Default: TMS/RFC
SM:SYNC CONTENT FROM SAP/ RDSWPBACKGROUNDSERVICES_1
(DSWPJOB -> non-active)
SM:MIGRATE_LANG_DEP_SAPSCRIPT/ MIGRATE_LANG_DEP_SAPSCRIPT; RMIGRATE_LANG_DEP_SAPSCRIPT
(DSWPJOB -> MIGRATE_LANG_DEP_SAPSCRIPT nonactive)
SM:CLEAR ARCHIVED DATA/ RDARCH_CLEAN_DATABASE
(DSWPJOB -> non-active)
SM:DYNAMIC TABU UPDATE/ RDMD_DYNAMIC_TABU_UPDATE
Updates Updates the table contents that are necessary to operate the Solution Manager. (DSWPJOB)
SM:DMD CONSISTENCY/ RDMD_INCONSISTENCIES
Checks the data model of a solution for inconsistencies (DSWPJOB)
RDMD_INCONSISTENCIES/ RDMD_MIGRATE_OBJS_2_LANG_INDEP
(DSWPJOB)
SM:REMOVE INCONSISTENCIES/ RDMD_REMOVE_INCON
Remove inconsistencies in the data model (DSWPJOP)
SM:REORG APPLICATION LOG/ RDMD_REORG_APPLICATION_LOG
Reorganization of Application Log (DSWPJOB)
SM:REFRESH ENTRYSCREEN/ RDSMOPSOLUTIONLISTUPDATE
Update of Solution list: The status of every solution is determined for the overview list of all solutions (the access screen in Transaction SOLUTION_MANAGER) (DSWPJOB)
SM:SERVICE ASSISTANT EVENTS/ RDSVAS_EXECUTE_EVENTS
(DSWPJOB -> non-active)
SM:HOURLY SERVICES/ RDSWPBACKGROUNDSERVICES_3
(DSWPJOB -> non-active)
SM:UPDATE RULES/ RDSWPRULESUPDATE
A set of rules controls the services and documents that can be offered for the information about system infrastructure and processes that is maintained in the Solution Manager.(DSWPJOB)
SM:SELFDIAGNOSIS/ RDSWP_SELF_DIAGNOSIS
Update Selfdiagnosis (DSWPJOB)
SM:MIGRATE SESS DL./ RDSWP_SSA_MIGRATE_SESS_DL
(DSWPJOB)
SM:MOVE TO ARCHIVE QUEUE/ RDSWP_SSA_MOVE_2_ARCHIVE_QUEUE
Move services and sessions to archive queue (DSWPJOB)
EMAIL_NOTIFICATION (csutomer specific)/ RSCONN01 (variant SAP&CONNECTALL)
Periodic background job to send queued e-mails (manually scheduled via transaction SCOT) -> see also IMG -> Cross-scenario settings)
SM:RFC MONITORING/ RWBA_RFC_WATCHER
To check RFC-Connections. To be run hourly or daily (recommended between 10pm and 4am).
April 2008
-
41
Security Guide: SAP Solution Manager 7.0 as of SP16 Bac kgroundjob/ pr ogra m, report
Us e
RFC Connection us ed ( s ee as well chapter Communication Destinations)) Destinations
The job executes RFCPING or RFC_PING.
42
April 2008
Security Guide: SAP Solution Manager 7.0 as of SP16
Trace and Log Files

This section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breach does occur.

System Landscape
- Update Logs
- RFC Logs
- Data save logs

Solution Manager Implementation
- All tabs can be traced. Each change on the tab will be recorded.
- No changes of the assigned object are logged (except documents).
- One can specify which project and tab will be traced.
- Documentation will be versioned by each change.

Solution Manager Operations
- Traces are available in the Solution Directory.
- All tabs can be traced. Each change on the tab will be recorded.
- No changes of the assigned object are logged (except documents).
- One can specify which Solution will be traced.
- Documentation will be versioned by each change.

Customizing Distribution
- Each distribution is logged.
- Each distributed object is logged.
APPENDIX

Security Parameters for Individual Scenarios

General Remarks
In the following paragraphs the main scenarios of SAP Solution Manager are described with regard to the above-mentioned security parameters. For a complete description of all scenarios, see: Master Guide SAP Solution Manager. Usage data about which functionality/scenario is used by the customer is sent to SAP. See as well: SAP Note 939897 (How to disable this transfer).

Service Delivery
The Service Delivery scenario comprises the following main functionalities:

Service Plan
The Service Plan is the central instance of collaboration with SAP, containing delivered Services and Services that are to be delivered later on. In this regard, customers can accept or deny SAP Services. SAP Services are sent to the customer by SAP, and confirmation of Service Delivery is sent by the customer to SAP via background job or in dialog. If you do not want to send any confirmation for Services to SAP, do not activate this functionality. If no Service Plan information is sent, SAP can only deliver limited Services. Data which is sent:
- GUIDs for Service Identification with values YES or NO.
- Delivery Date
Service Plan makes use of WebDynpro Applications. In order to deliver Services, an HTTP connection is needed.

Expertise-on-Demand (EoD)
Expertise on Demand describes the demand by a customer for an SAP expert on some topic.

Solution Transfer
When you transfer solutions, all productive data of your chosen solutions are transferred by default. Once you have made your solution known to SAP, its data are regularly updated by a background job. For each individual solution you can decide whether you want to transfer only productive data, all data, or no data. To disable it, see SAP Note 920153. During transfer a data download is sent to SAP via DMD_OPEN. This data package is only partially read and used by SAP. Information on logical components and business processes is bundled at SAP per customer. To view the data of a solution, use report RDSMOP_VIEW_SOLUTION_XML to save (as an XML file on your desktop) the information that is sent to SAP. You can then use the Internet Explorer to view this XML file. Solution Transfer makes use of WebDynpro Applications.

Service Desk (Service Provider) and Issue Management

Service Desk
The Service Desk allows you to create support messages in the Solution Manager system and all connected Satellite systems (see chapter RFC Destinations), send them to SAP, and receive replies from SAP. Communication between Solution Manager and SAP Service and Support is needed. There is also the possibility to connect Third Party Service Desks via Web Services. Information on the third party service desk interface is provided in service.sap.com/solutionmanager -> Media Library -> Technical Papers -> Service Desk Web Service API.

Issue Management
In Issue Management you can distinguish between Top Issues and Issues. Top Issues bundle Issues which contain the same problem. Issues describe potential problems. In contrast to Issues, Top Issues are addressed towards Management. Issue data is sent via periodic background jobs once a week after the initial transfer. The initial transfer is done via dialog. You can avoid sending data by deleting this job. If no data is sent to SAP, SAP Support cannot deliver proactive support. For information on Top Issue data which is sent, see SAP Note 971138. To see the data of a Top Issue, use report RDSMOP_VIEW_TOPISSUE_XML to save (as an XML file on your desktop) the information that is sent to SAP. You can then use the Internet Explorer to view this XML file. Issue Management makes use of WebDynpro Applications.

Implementation and Distribution
The Implementation and Distribution scenario is used for the implementation of customer projects. This scenario includes an implementation roadmap, an editor for creating and maintaining business blueprints, access to the Implementation Guides (IMG), and tools for testing, monitoring and distributing Customizing. Communication between Solution Manager and satellite systems is needed. Satellite systems are connected via RFC.

Solution Monitoring
The Solution Monitoring scenario provides support for functionalities such as Service-Level Reporting, EarlyWatch Alert, System Monitoring and Business Process Monitoring. EarlyWatch Alert contains data on system health. The data is collected automatically in the corresponding satellite system, sent via RFC destination to the Solution Manager system, and then analyzed in Solution Manager. If you want to transfer download data of a service (EarlyWatch Alert and so on) from a satellite system into a Solution Manager system, but your satellite system has no RFC connection to the Solution Manager system, see SAP Note 657306. EarlyWatch Reports are sent to SAP in case of a red rating. You can deactivate this setting in transaction SOLUTION_MANAGER, Operations Setup -> Solution Monitoring -> EarlyWatch Alert (column Send to SAP). The solution monitoring functionality allows you to monitor the state of multiple solution landscapes. SAP Solution Manager can be used to monitor the satellite systems in a landscape, as well as all the business processes running on them. Via the setup of RFC connections, the corresponding RFC destinations for system monitoring (see IMG activity in transaction SPRO: SOLMAN_ASSIGN_RFCS) are also set up. Solution Monitoring makes use of WebDynpro Applications.

Change Management
You can use the Maintenance Optimizer to download Support Package Stacks and Support Packages for your various satellite systems. If the RFC connection to SAP or table AISUSER (S_user) is not maintained, it is not possible to download SAP Service and Support Packages. Currently, the Change Request Management scenario consists of a workflow for implementing urgent corrections and support maintenance. This workflow is the result of an integration between the Service Desk and SAP Change Manager. The workflow starts with the occurrence of an error. This error is reported to the Service Desk. If the error is serious enough to warrant the immediate implementation of a correction (urgent correction), a change request is created. This request is then approved, which results in the creation of a change document.

Root Cause Analysis
SAP Solution Manager Diagnostics provides root cause analysis of incidents in customer solutions powered by SAP NetWeaver. It provides read access to traces and configuration settings of SAP NetWeaver components.
Examples

Authorization Restriction
All examples are also contained in the IMG documentation.

Solutions (see as well IMG activity: SOLMAN_SYST_INFORMAT)

Maintain One Solution and Display All Other Solutions
Problem: User A needs to use the Maintenance Optimizer for a number of systems which are contained in solution XXX. He/she should not be able to do anything in all other existing solutions, but should be able to see them.
Solution: Role SAP_SM_SOLUTION_DIS needs to be maintained with authorization object D_SOL_VSBL. D_SOL_VSBL needs to be copied and maintained with activity 02 and the solution ID for solution XXX. The role for the Maintenance Optimizer, SAP_MAINT_OPT_ADMIN, is granted as well.
Explanation: D_SOL_VSBL with 03 + * and 02 + gives authorization to display all solutions but editing rights for only one specific solution. Only within the solution with editing rights is the user able to work with the Maintenance Optimizer.

Create Solution and Display All
Problem: User A should be able to create solutions and display XXX and YYY.
Solution: In role SAP_SM_SOLUTION_ALL, authorization object D_SOL_VSBL can be maintained as follows: remove activities 02 + 06 (leaving 01 + 03) for the solution IDs of XXX and YYY.
Explanation: Activity 01 is independent of solution IDs. Activity 03 grants display only for the mentioned solutions.

Project Administration (see as well IMG activity: SOLMAN_RECOMMEND -> authorizations -> Project Administration)

Restriction of System Landscape
Problem: The system administrator creates the system landscape for your project. The project manager maintains all other data for the project in the project administration. Your system administrator should not have access to any project data other than the system landscape.
Solution: In role SAP_SOL_PROJ_ADMIN_* (contained in composite role SAP_SOL_*_COMP) he/she should receive the value 03 (display) for S_PROJECT and SYST (access to system landscape maintenance in a project) for S_PROJ_GEN.

Digital Signature (see as well IMG activity: SOLMAN_DIGSIG_INFORM)

Restriction by Authorization Group
Problem: User A may execute individual signatures to which the authorization group PROD (production) has been assigned, but is not allowed to execute individual signatures with authorization group QUAL (quality assurance).
Solution: In role SAP_SOL_KW_*, authorization object C_SIGN_BGR, he/she is assigned authorization PROD for field SIGNAUTH.

Document Management (see as well IMG activity: SOLMAN_DOCU_INFORMAT)

Unlocking of Documents
Problem: You want to allow a user to unlock documents which are locked by a status schema.
Solution: This can be controlled with the authorization object S_IWB and the activity 95.

Project Restriction
Problem: You want users who are assigned to a project to only be able to search for, edit or display the documents for this project.
Solution: This can be done with the combination of folder group and project authorizations. When documents are created for a project, the system puts them in a folder group which is assigned to the project, and its name, e.g. the folder group with the name is assigned to the project. You restrict the following authorization objects:
- S_PROJECT with field PROJECT_ID
- S_IWB and S_IWB_ATTR with field IWB_FLDGRP

Solution Monitoring (see as well IMG activity: SOLMAN_MON_INFORMATI)

Session Restriction
Problem: The authorization object D_SOLMANBU controls the allowed activities for each session (BundleID) for the scenario Solution Monitoring. You want to restrict access to the Self-Service SAP EarlyWatch Health Check. SAP delivers no default role for this session.
Solution: Copy the role SAP_OP_DSWP, and give the authorization object D_SOLMANBU the BundleID EW_SELF.

Monitoring Graphic Restriction
Problem: You want the user to be able to display the Monitoring Graphic, but to have no further access to alerts or CSA sessions.
Solution: In role SAP_OP_DSWP, in authorization object D_SOLM_ACT, remove activities 80 and 81.
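The authorization examples above (D_SOL_VSBL for solutions, C_SIGN_BGR for digital signatures) all rest on one evaluation rule: a check on an authorization object passes if any single authorization instance of that object, in any of the user's roles, matches every field the check asks for, with '*' in a field matching all values. The following Python model is an added example that reproduces that rule and replays the guide's three cases; it is not SAP code and not part of this guide. The field name SOLUTION for the solution ID in D_SOL_VSBL, the Z_ role names, and the treatment of SAP_MAINT_OPT_ADMIN as a role without a D_SOL_VSBL authorization of its own are assumptions made for the model.

```python
"""Constructed model of SAP-style authorization checks (not SAP code).

Mimics the essential semantics of an authorization check: a user passes
a check on an object if at least one authorization instance for that
object matches every field the check supplies; inside an instance a
field matches if the required value is listed or the field holds '*'.
Authorizations from several roles are additive (union).
Activity codes used: 01 create, 02 change, 03 display, 06 delete.
"""
from dataclasses import dataclass


@dataclass
class Authorization:
    obj: str      # authorization object, e.g. "D_SOL_VSBL"
    fields: dict  # field name -> set of allowed values; {"*"} grants all


@dataclass
class Role:
    name: str
    auths: tuple


def field_matches(allowed, required):
    # '*' in an authorization field grants every value of that field.
    return "*" in allowed or required in allowed


def authority_check(roles, obj, **required):
    """Pass if ANY instance of obj in ANY role matches EVERY required field.

    Fields the check does not ask for are ignored. This is why a check
    on ACTVT alone (create) is independent of the solution ID.
    """
    for role in roles:
        for auth in role.auths:
            if auth.obj != obj:
                continue
            if all(field_matches(auth.fields.get(f, set()), v)
                   for f, v in required.items()):
                return True
    return False


# Example "Maintain one solution and display all other solutions":
# copy of SAP_SM_SOLUTION_DIS with D_SOL_VSBL 03 + * and a second
# instance 02 + XXX (field name SOLUTION is assumed).
SOLUTION_DIS_XXX = Role("Z_SM_SOLUTION_DIS_XXX", (
    Authorization("D_SOL_VSBL", {"ACTVT": {"03"}, "SOLUTION": {"*"}}),
    Authorization("D_SOL_VSBL", {"ACTVT": {"02"}, "SOLUTION": {"XXX"}}),
))
# Assumption for the model: the Maintenance Optimizer role carries no
# D_SOL_VSBL authorization of its own.
MAINT_OPT_ADMIN = Role("SAP_MAINT_OPT_ADMIN", ())


def can_display_solution(roles, solution):
    return authority_check(roles, "D_SOL_VSBL", ACTVT="03", SOLUTION=solution)


def can_change_solution(roles, solution):
    return authority_check(roles, "D_SOL_VSBL", ACTVT="02", SOLUTION=solution)


def can_use_maintenance_optimizer(roles, solution):
    # Model of the guide's explanation: the Maintenance Optimizer role is
    # needed AND the user must hold editing rights in that solution.
    has_mopz_role = any(r.name == "SAP_MAINT_OPT_ADMIN" for r in roles)
    return has_mopz_role and can_change_solution(roles, solution)


# Example "Create solution and display all": SAP_SM_SOLUTION_ALL with
# activities 02 and 06 removed, leaving 01 + 03 for solution IDs XXX, YYY.
SOLUTION_ALL_RESTRICTED = Role("Z_SM_SOLUTION_ALL_RESTRICTED", (
    Authorization("D_SOL_VSBL", {"ACTVT": {"01", "03"},
                                 "SOLUTION": {"XXX", "YYY"}}),
))


def can_create_solution(roles):
    # Create is checked on the activity only: no solution ID exists yet.
    return authority_check(roles, "D_SOL_VSBL", ACTVT="01")


# Example "Digital signature: restriction by authorization group":
# C_SIGN_BGR with SIGNAUTH = PROD only.
KW_PROD_SIGNER = Role("Z_SOL_KW_PROD", (
    Authorization("C_SIGN_BGR", {"SIGNAUTH": {"PROD"}}),
))


def can_sign_with_group(roles, group):
    return authority_check(roles, "C_SIGN_BGR", SIGNAUTH=group)


if __name__ == "__main__":
    user_a = [SOLUTION_DIS_XXX, MAINT_OPT_ADMIN]
    print("display YYY:", can_display_solution(user_a, "YYY"))   # True
    print("change YYY:", can_change_solution(user_a, "YYY"))     # False
    print("MOpz in XXX:", can_use_maintenance_optimizer(user_a, "XXX"))  # True
    print("MOpz in YYY:", can_use_maintenance_optimizer(user_a, "YYY"))  # False
```

The model makes the additive nature of the authorizations visible: the display instance with '*' and the change instance for XXX do not restrict each other, so the user sees every solution but edits only XXX, and a later role that adds a second 02 instance would silently widen the Maintenance Optimizer scope. When reviewing role changes against these examples, check each D_SOL_VSBL instance for the pair of ACTVT and solution ID it grants rather than the role as a whole.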