SAPME 151 Secuirty Guide

Security Guide Document version: 1.0 – 2015-10-26

SAP Manufacturing Execution 15.1

CUSTOMER

Document History

Caution

Before you start the SAP Manufacturing Execution (SAP ME) 15.1 implementation, make sure you have the latest version of this document. You can find the latest version at the following location: service.sap.com/ securityguide

SAP Busin Business ess Suite Appl Applicat ications ions

SAP Manuf Manufactu acturing ring .

The following table provides an overview of the most important document changes. Table 1 Version

Date

Description

1. 0

2015-10-26

First version

CUSTOMER © Copyright 2015 SAP SE or an SAP affiliate company.

2

All rights reserved.


Document History

Content

1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5

2

Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

4 4.1 4.2 4.3

User Administration and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Ma Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Data Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Integration Into Single Sign-On Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5

Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

6 6.1 6.2

Network and Communication Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Communication Channel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Communication Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

7

Data Storage Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

8

Security for Additional Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

9

Other Security-Relevant Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

10

Security Logging and Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

11

Configuring Web Service Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

10 10 12 12

23

CUSTOMER SAP Manufacturing Execution 15.1

Content

© Copyright 2015 SAP SE or an SAP affiliate company. All rights reserved.

3


4



1

Introduction

Caution

This guide does not replace the daily operations handbook, which we recommend customers create for their specific productive operations operations..

Target Audience ●

Technology consultants

●

System administrat administrators ors

This document is not included as part of the installation guides, configuration guides, technical operation operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all life cycle phases.

Why Security Is Necessary With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation manipulation of your system should not result in loss of information or processing time. These demands on security apply to SAP ME. To assist you in securing SAP ME, we provide this Security Guide.

About This Document The Security Guide provides an overview of the security-relevant information that applies to SAP ME.

Overview of the Main Sections The Security Guide comprises the following main sections: ●

Before You Start This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.

●

Technical System Landscape This section provides an overview of the technical components and communication paths that are used by SAP ME.

●

User Administration and Authentication This section provides an overview of the following user administration and authentication aspects:

●

○

Recommended tools for user managemen managementt

○

User types that are required by SAP ME

○

Standard users that are delivered with SAP ME

Authorizations This section provides an overview of the authorization concept that applies to SAP ME.

●

Network and Communication Security


Introduction


5

This section provides an overview of the communication paths used by SAP ME and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level. ●

Data Storage Security This section provides an overview of any critical data that is used by SAP ME and the security mechanisms that apply.

●

Security for Third-Party or Additional Applications This section provides security information that applies to third-party or additional applications applications that are used with SAP ME.

●

Other Security-Relevant Information This section contains information about the following:

●

○

JavaScript

○

Java Web Start

○

ActiveX

Trace and Log Files This section provides an overview of the trace and log files that contain security-relevant information.


6



Introduction

2

Before You Start

Fundamental Security Guides SAP ME is a J2EE application that runs on SAP NetWeaver AS Java. Therefore, the corresponding SAP NetWeaver Security Guide applies Guide applies to SAP ME. The SAPMEINT component runs on SAP Manufacturing Integration and Intelligence (SAP MII). Therefore, the corresponding SAP MII Security Guide applies Guide applies to the SAPMEINT component. If you are using SAP ME with SAP HANA database, SAP HANA Security Guide applies. Guide applies. Table 2: Fundamental Security Guides Title

Location

SAP NetWeaver 7.5 Security Guide

help.sap.com Plat Pl atfo form rm

SAP SA P NetW NetWea eave verr

SAP SA P Ne NetW tWea eave verr 7.5

SAP SA P NetW NetWea eave verr

Secu Se curi rity ty In Info form rmat atio ion n

Security Guide SAP MII 15.1 Security Guide

service.sap.com/securityguide Applications

SAP Manufacturing

SAP Business Suite Security Guide SAP MII

15.1 SAP HANA Security Guide

help.sap.com/hana

For a complete list of the available SAP Security Guides, see service.sap.com/securityguide

on the SAP Service

Marketplace.

Important SAP Notes The SAP Notes that apply to SAP ME are in the following table: Table 3: SAP Notes SAP Note Number

Title

1363812

SAP ME key field character restrictions

1573547

Service user authorization roles in SAP ME I ntegration

1590008

Java output encoding

2159438

Changes in JMS Authorization Mechanism

Additional Information For more information about specific topics, see the quick links as shown in the following table: Table 4: Quick Links to Additional Information Content

Quick Link on the SAP Service Marketplace

Security

/security

Security Guides

/securityguide


Before You Start


7

Content

Quick Link on the SAP Service Marketplace

Related SAP Notes

/notes/securitynotes

Released Platforms

/pam

Network Security

/network

Technical Infrastructure

/ti

SAP Solution Manager

/solutionmanager

SAP NetWeaver

/netweaver


8



Before You Start

3

Technical System Landscape

Please see the Software Units of SAP Manufacturing Execution and Execution and System Landscape sections Landscape sections of the SAP ME 15.1 Master Guide at Guide at

service.sap.com/instguides Manufacturing Execution 15.1 .

SAP SA P Busi Busine ness ss Sui Suite te App Appli lica cati tion ons s

SAP SA P Manu Manufa fact ctur urin ing g

SAP SA P


Technical System Landscape


9

4

User Ad Administration an and Au Authentication

While SAP ME uses the administra administration tion and authentication mechanisms provided with the SAP NetWeaver platform to manage SAP ME users, administration is done in both in SAP NetWeaver and SAP ME 15.1. In SAP NetWeaver, you administer security-related information. In SAP ME User Maintenance and Maintenance and User Group Maintenance, you administer shop floor related information. For more information about administration of users in SAP NetWeaver, see the SAP NetWeaver 7.5 Security Guide on SAP Service Marketplace at service.sap.com/securityguide NetWeaver 7.5 Security Guide .

SAP Net NetWea Weaver ver 7.5 Sec Securi urity ty Guid Guides es

SAP

In addition to these guideline guidelines, s, below we include information about user management that specifically applies to SAP ME.

4 .1

User Ma Management

User management for SAP ME uses both the mechanisms provided with the SAP NetWeaver Application Server and SAP ME activities. For an overview of how these mechanisms apply for SAP ME, see the sections below. In addition, we provide a list of the standard users required for operating the SAP ME application.

User Administration Tools The following table shows the tools for user management and user administration with SAP ME. Table 5: User Management Tools Tool

Detailed Description

User Management Engine with SAP NetWeaver AS

For more information, see User Management Engine in the SAP

Java

Library.

User Maintenance and Maintenance and User Group Maintenance in Maintenance in

For more information, see

SAP ME 15.1

Mgmt Mg mt

help.sap.com

SAP SA P Ma Manu nufa fact ctur urin ing g Exe Execu cuti tion on

Execut Exe cution ion 15. 15.11

System Sys tem Con Config figura uratio tion n

Product Lifecycle

SAP SA P Man Manuf ufac actu turi ring ng .

User Types It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run. The user types required for SAP ME 15.1 include: ●

Individual users: ○

●

General SAP ME users

Technical users: ○

Communication Communicatio n users are used for SITE_TO_SITE functionality

○

Communication Communicatio n user MESYS is used for SAP ME and SAP MII integration


10



User Administration and Authentication

Communication Communicatio n user ADSuser is used for printing documents in SAP ME through the SAP NetWeaver

○

Adobe Document Server Server (ADS) (ADS)

Standard Users The table below shows the standard users that are necessary for operating SAP ME 15.1: Table 6 System

User ID

SAP ME SITE_ADM

IN

Type

Password

Description

SAP ME general You specify the initial

The initial user for SAP ME 15.1 with access to all

users

password in SAP

activities

NetWeaver

During the configuration of SAP ME, the SAPMECTC

Administrator during installation/ configuration of SAP ME 15.1

CTC wizard automatically creates SITE_ADMIN user with the provided password in SAP NetWeaver. In SAP ME NetWeaver, CTC automatically assigns the

SITE_ADMIN user to SAP_ME_USER, SAP_ME_INTEGRATOR, and SAP_ME_ADMINISTRATOR roles.

SAP ME,

MESYS

SAP MII

Communication You specify the initial

Used for system-to-system communication between

users

password when running

SAPMEINT and SAP ME 15.1 Core.

SAPMEINT CTC

During the configuration of SAPMEINT, the

configuration wizard

SAPMEINTCTC CTC wizard automatically creates

(SAPMEINTCTC)

MESYS user with the provided password in SAP NetWeaver on SAP MII and SAP ME instances. On SAP ME NetWeaver, CTC automatically assigns the

MESYS user to SAP_ME_USER, SAP_ME_INTEGRATOR, and ROLE_SAPMEINT roles. In SAP ME, this user has SYSTEM group and no permissions to run any activity. For more information about authorization roles, see SAP Note 1573547 SAP ME ADSuser

.

Communication You specify the initial

If you plan to print your documentation through ADS,

users

password in SAP

you have to create the ADSuser user in SAP

NetWeaver

NetWeaver UME. For information about configuration

Administrator during

of SAP NetWeaver Adobe Document Server (ADS),

creation of the user

see Creating a User for Authentication to ADS in a Java Environment section Environment section at instguidesnw NetW Ne tWea eave verr Li Libr brar ary y

service.sap.com/

SAP SA P Net NetWe Weav aver er 7. 7.5 5 Func Fu ncti tion onal al Vi View ew

NetWea Net Weaver ver by by Functio Functional nal Area Areas s Servic Ser vices es for Form Form Proce Processi ssing ng

SAP SA P SAP SA P

Adobe Ado be Docume Document nt Config Con figuri uring ng Adobe Adobe

Document Services for Form Processing (Java)

.

Recommendation

For users automatically created during installation/configuration, installation/configuration, create additional users with new user IDs and passwords.




11

Creating SAP ME General Users To create additional users for SAP ME, do the following: 1.

Create Crea te a use userr in in the the SAP NetWeaver Identity Manager tool Manager tool and assign the necessary UME security roles to this user. For more information about SAP NetWeaver UME security roles for SAP ME, see SAP NetWeaver UME Security Roles and Actions section Actions section of this guide.

2.

Log Lo g on to you yourr SAP SAP ME si site te as as SITE_ADMIN. For more information about SAP ME logon, see SAP ME 15.1 Installation Guide at Guide at instguides

SAP Busin Business ess Suite Appl Applicati ications ons

SAP Manuf Manufactu acturing ring

service.sap.com/

SAP Manuf Manufactu acturing ring Execu Execution tion 15.1 .

3.

On th the e ini initi tial al User Maintenance screen, Maintenance screen, retrieve a user ID for a user created in SAP NetWeaver UME.

4.

On the Main tab page of User Maintenance, Main tab Maintenance, add details about the user, if needed.

5.

On the User Groups tab Groups tab page, add the user to one or more user groups. For more information about SAP ME user groups, see SAP ME Standard User Groups section Groups section of this guide.

4.2

Use serr Dat ata a Sy Syn nch chro ron niza zattio ion n

SAP NetWeaver UME needs to c ontain entries for all users. These entries contain security and person-related information and are site-independent. site-independent. SAP ME contains shop-floor information for all SAP ME users. The following table provides correlation between UME and ME user statuses: Table 7 UME User Status

ME User Status

Active Account

Active: Allows a user to log on to SAP ME system with this user ID

Locked Account

Inactive: This user is temporarily inactive in SAP ME

User has been deleted in UME

Terminated: As you cannot physically delete users in SAP ME to ensure data integrity, this status is used to indicate that user has been deleted in UME.

For information about synchronization SAP NetWeaver UME with LDAP, see User Management Engine Installation guide in the SAP Library.

4.3 4. 3

Inte In tegr grat atio ion n Into Into Si Sing ngle le Sig Signn-On On En Envi viro ronm nmen ents ts

SAP ME 15.1 supports the Single Sign-On (SSO) mechanisms provided by the SAP NetWeaver. Therefore, the security recommendations and guidelines for user administrati administration on and authentication as described in the SAP NetWeaver Application Server Security Guide also apply to SAP ME 15.1. The most widely-used widel y-used supported supported mechanisms are listed below. ●

Secure Network Communications (SNC) SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.


12




●

SAP logon tickets SAP ME 15.0 supports the use of logon tickets for SSO when using a Web browser as the frontend client. In this case, users can be issued a logon ticket after they have authenticated themselves themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket. Recommendation

If you use the POD on shared terminal, turn off the SAP Logon Tickets feature, Tickets feature, since SAP ME is configured out-of-the-box with SAP Logon Ticket. In order to do that, the login module stack for SAP ME should only include BasicPasswordLoginModule in SAP NetWeaver User Authentication and Single Sign-On. The value for HTTP session timeout of PODs is configured in POD Maintenance of Maintenance of SAP ME. ●

Client certificates As an alternative to user authentication using a user ID and passwords, users using a Web browser as a frontend client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information about the available authentication mechanisms, see User Authentication and Single Sign-On at help.sap.com/nw75 SAP NetWeav NetWeaver er 7.5 Library Library SAP NetWeav NetWeaver er Library: Library: Functi Function-Or on-Oriente iented d View Solution Solu tion Life Cycl Cycle e Managem Management ent Secu Security rity and User Admi Administr nistratio ation n Admi Administr nistratio ation n for User Authe Authentica ntication tion and Single Sign-On (SSO) .




13

5

Authorizations

While SAP ME uses the authorization concept provided by the SAP NetWeaver AS Java, authorization is done in both SAP NetWeaver and SAP ME activities. Therefore, the recommendations a nd guidelines guidel ines for authorizations as described in the SAP NetWeaver AS Security Guide Java Java also also apply to SAP ME. SAP ME activities used for user authorization authorizatio n are described in the following section of this guide. The SAP NetWeaver authorization concept is based on assigning authorizations authorizations to users based on roles. For role maintenance,, use the User Management Engine’s user administration console on the AS Java. maintenance Note

For more information about how to create roles, see Role Maintenance in Maintenance in the SAP Library. For more information about creating roles, see help.sap.com/nw75 SAP SA P NetW NetWea eave verr 7.5 Lib Libra rary ry SA SAP P NetWeaver NetWe aver Compo Compositi sition on Envir Environme onment nt Admi Administr nistrator' ator's s Guid Guide e Admi Administe nistering ring Compo Compositio sition n Envir Environmen onmentt Administration of Users and Roles .

Standard Roles SAP NetWeaver UME Security Roles and Actions During deployment of SAP ME, the following SAP NetWeaver UME security roles are created to identify users who will use the system: Table 8 SAP NetWeaver UME Security Role Name

SAP NetWeaver UME Security Role Description

SAP_ME_ADMINISTRATOR

Identifies SAP NetWeaver users that are granted access to admin, integration and solution verification interfaces

SAP_ME_USER

Identifies users that are allowed to log on to the SAP ME application through the Web interface

SAP_ME_INTEGRATOR

Identifies users that are allowed to use Web service, production, site-to-site and data exchange interfaces

SAP_ME_READONLY

Supports SAP ME audit functionality. Users with the role can read all data, but is not allowed to add or edit records.

ROLE_SAPMEINT

Users with this role can see the menu SAP ME ERP Integration on Integration on the navigation pane in SAP MII. The users assigned to this role also have access to the data servers SAPMEINT and SAP ME WIP in SAP MII.

You assign these four roles to your SAP ME users to grant them corresponding rights and ability to work with the services they require. Note

As of SAP ME 15.1, the SAP_ME_USER role includes Java message service (JMS) actions needed to execute SAP ME transactions that use JMS. For more information, see SAP Note 2159438

.


14



Authorizations

Caution

All the roles described in the previous table need to be manually modified before their assignment to users to eliminate the risk of losing associations. We recommend that you assign the Manage_My_Password action to all these roles. If SAP ME is undeployed undeployed,, roles that have not been modified will be deleted and associations between roles and users will be lost. For more information informatio n about about assigning roles, see Assigning Principals Principals to Roles Roles or Groups at Groups at

help.sap.com/nw75

SAP Net NetWea Weaver ver 7.5 7.5 SA SAP P NetWea NetWeaver ver 7.5L 7.5Libr ibrary ary SAP NetW NetWea eaver ver Comp Composi ositio tion n Envir Environm onment ent Administrator's Guide Administering Composition Composition Environment Environment Administration of of Users and Roles Roles . You assign UME security role actions to UME security roles to grant additional rights to your SAP ME users.

Execution of Custom User Scripts SAP ME 15.1 provides an approach to allow or deny creation and execution of custom user scripts on the application back-end. Caution

Scripting functionality is a powerful tool that allows access to generic functions and system resources, thus, authorization authorizatio n must be given to appropriate personnel only. Execution of scripts can potentially harm the system if used by unauthorized personnel. personnel. As an additional measure, ensure that logging of script creation/exe creation/execution cution is appropriatel appropriately y configured. For more information, see the Security Logging and Tracing section Tracing section of this guide. The following security role actions are available for that purpose: Table 9 SAP NetWeaver UME Security Role Action

SAP NetWeaver UME Security Role Action Description

ME.Service.ManageScript

Allows SAP ME user to create and save routings and data collection values with custom scripts and formulas

ME.Service.ExecuteScript

Allows SAP ME user to execute custom routing scripts or formulas in Data Collection parameters Collection parameters

You have to assign the actions described above to all UME security roles and users that need to create or execute routing scripts or data collection parameters with defined formulas. Proceed as follows: 1.

Log on to SAP NetWeaver Administrator Administrator using using the following URL: http:// :/nwa.

2.

Choose Co Conf nfig igur urat atio ion n SAP_ME_USER.

Secu Se curi rity ty

Iden Id enti tity ty Mana Manage geme ment nt

Sear Se arch ch Crit Criter eria ia:: Role Role and search for

3.

Choose Modify Modify..

4.

On the Assigned Actions tab Actions tab page, search for ME.Service.ManageScript and/or ME.Service.ExecuteScript in the Available the Available Actions Actions list, list, and add them to Assigned Actions. Actions.

5.

Save Sa ve yo your ur en entr trie ies. s.

For more information about assigning actions, see Assigning Principals Principals to Roles Roles or Groups at Groups at nw75

SAP Net NetWea Weaver ver 7.5 7.5

Administrator's Guide

SAP NetW NetWeav eaver er 7.5 7.5 Librar Library y

help.sap.com/

SAP NetW NetWeav eaver er Compo Composit sition ion Envi Environ ronmen mentt

Administering Composition Composition Environment Environment

Administration of of Users and Roles Roles .


Authorizations


15

Authorizations in SAP ME Site Authorization During installation installation of SAP ME, a master site called the global site is created. The name of the global site is indicated by an asterisk ( *). Some default values, such as system rules, can be set at the global site level, then inherited at the site level, and changed at the site level, if required. Within the system, each site operates independently independe ntly and maintains its own elements, such as materials, bills of material, and routings. In SAP ME, production data is segregated according to the site. Set of activities act ivities user has access to depends on the site the user logged on. You can grant user access to site by assigning this user to user group in User Maintenance in SAP ME. On the Permissions Permissions tab tab page of User Group Maintenance, Maintenance, you select the activities you want users in each group to be able to access. You can modify the default permissions permissions for each SAP ME standard user group to meet your specific requirements requirements.. You assign a user in specific groups to a specific site in User Maintenance in Maintenance in SAP ME. When users log on to SAP ME site for the first time, they are automatically logged logged on to their default site. To assign a default site to a user in UME, first you need to create the Default Site field Site field in SAP NetWeaver. To do this, proceed as follows: 1.

In Identity Management, Management, choose the Configuration Configuration button. button.

2.

On the Configuration Configuration screen, screen, choose the User Administrator UI tab UI tab and choose the Modify Configuration button.

3.

In the Adminstrator-Ma Adminstrator-Management nagement Custom Attributes Attributes field, field, enter the following data: SAPME:DEFAULT SITE.

4. Sa Save ve yo your ur ent entri ries es.. After you have created the Default Site field, Site field, you can assign default site to a user as follows: 1.

Log on on to SAP SAP NetWe NetWeave averr as admi adminis nistra trator tor user user..

2.

Navigate to to Identity Management and Management and select user that you want to assign default site to.

3.

Choose Modify Modify button button and on the Customized Information tab Information tab page, enter name of the site in the Default Site field. Note that you have to assign user to this site prior assigning this site as default for this user.

4. Sa Save ve yo your ur ent entri ries es.. 5.

Repeat Rep eat the these se step steps s for for each each use user. r. Note

If you create the Default Site field Site field in SAP NetWeaver UME, but do not define a default site for the user in UME User Configuration, Configuration, on the first logon the user will be redirected to the site that comes first alphabetically alphabetically in the list of sites where this user is defined. Once users logged on to SAP ME application to their default site, they can switch between SAP ME sites assigned to them in UME, using Site Selection functionality. Selection functionality. By clicking the Site Site link, link, users can view the list of their sites and choose the destination site on the Site Selection screen. Selection screen. The Site Site link link is located on the menu bar at the top right of the screen near the Logout Logout,, About About and and Help Help links. links. Once a user selects a specific site on the Site Selection screen, Selection screen, the current HTTP session of the user becomes invalidated invalidated and a new session is established for the selected site. User logon to a new session is completed by means of SAP logon tickets. You can find more information about SAP logon tickets under User Authentication and Single Sign-On [external Sign-On [external document] in the SAP Library. For more information about Site Selection, Selection, see Execut Exe cution ion

SAP Man Manufa ufactu cturin ring g Exe Execut cution ion 15. 15.11

help.sap.com

Produc Pro ductt Lifecy Lifecycle cle Mgmt Mgmt System Sys tem Con Config figura uratio tion n .

SAP SA P Manufa Manufactu cturin ring g


16



Authorizations

SAP ME Standard User Groups You can use SAP ME User Group Maintenance to Maintenance to assign authorizations to users in user groups. For more information about creating user groups, see help.sap.com Produc Pro ductt Lifecy Lifecycle cle Mgmt Mgmt Execut Exe cution ion SAP Man Manufa ufactu cturin ring g Exe Execut cution ion 15. 15.11 Sys System tem Con Config figura uratio tion n .

SAP SA P Manufa Manufactu cturin ring g

The following table shows the standard user groups that are used by SAP ME: Table 10: SAP ME Standard User Groups User Group

Description

Administrators

User with permissions to all activities in SAP ME at the administrative level

Engineers

User with permissions to activities in SAP ME applicable to production engineers

Managers

User with permissions to activities in SAP ME applicable to production managers

Operators

User with permissions to activities in SAP ME applicable to production operators

Supervisors

User with permissions to activities in SAP ME applicable to production supervisors

Authorizations in SAP ERP for SAP SA P ME ERP Integration Integration (SAPMEINT) If SAP ME is integrated with SAP ERP, SAP ME is dependent on SAP ERP in terms of several master and transactional data: material master, bill of material, routing, production order, planned order, and quality inspection. SAP ERP users who work on these objects must have a ppropriate authorization authorizatio n in SAP ERP to create, modify, and export these objects. Ensure that all required authorization are provided to the SAP ERP users. For more information, see the following SAP ERP help topics: ●

Production Planning (PP): help.sap.com/erp606 Application Help Help SAP Library Library SAP ERP CrossCross Application Functions Functions SAP ERP Security Guides SAP ERP Central Central Component Security Security Guide Logistics Manu Ma nufa fact ctur urin ing g

Auth Au thor oriz izat atio ions ns

●

Materials Management (MM): help.sap.com/erp606 Application Help Help SAP Library Library SAP ERP Cross Application Functions Functions SAP ERP Security Guides SAP ERP Central Central Component Security Security Guide Logistics Materials Mater ials Manageme Management nt (MM) Purc Purchasi hasing ng and External External Service Service Procuremen Procurementt (MM-PUR, (MM-PUR, MM-SRV) MM-SRV) Inventory Management (MM-IM): Authorizations

●

Quality Management (QM): help.sap.com/erp606 Application Help Help SAP Library Library SAP ERP Cross Application Functions Functions SAP ERP Security Guides SAP ERP Central Central Component Security Security Guide Logistics Qualit Qua lity y Managem Management ent (QM) (QM)

Author Aut horiza izatio tions ns (QM) (QM)

For DRF communication, the DRF_ADM and DRF_RECEIV authorization objects are required. For more information,, see information

help.sap.com/mdg61

with wi th Mas Master ter Dat Data a Gov Gover ernan nance ce

Application Help Help

Gener Gen eral al Fun Functi ctions ons

SAP Library Library

Master Data Governance Governance

Working

Data Dat a Rep Replic licati ation on

See also SAP Note 1573547 for the authorization required for the technical user that is used to send information from SAP ME to SAP ERP.

Authorizations to View SAP MII SPC Charts from SAP ME To view SAP MII SPC charts from SAP ME, configure one of your user's roles as follows: ●

Add the role to Visiprise/SPC/DefaultChartTemplate using the SAP MII Workbench.

●

Add the role to Visiprise/SPC/DefaultQueryTemplate using the SAP MII Workbench.

●

Add the XMII_USER action to the role using SAP NetWeaver Administrator. Administrator.


Authorizations


17

●

Assign the role to the XMLConnector server in the SAP MII database table XMII_SERVERPRMMAP.


18



Authorizations

6

Network an and Co Communication Se Security

Your network infrastructure is very important in protecting your system. Your network needs to support the communication necessary necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN, they cannot exploit well-known bugs and security holes in network services on the server machines. The network topology for SAP ME is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also Guide also apply to SAP ME. Recommendation

We highly recommend that you install SAP ME behind a corporate firewall. The following table shows the additional default ports used by SAP ME: Table 11 Port

Description

1521 15 21

Used Us ed by Or Orac acle le SQ SQL L*N *Net et Li List ste ene ner; r; th this is po port rt is ap appl plic icab able le if yo you u are usi sing ng Or Orac acle le fo forr yo you ur SAP ME databases

1433 14 33

Used Us ed by Mi Mic cro roso soft ft SQ SQL L Se Serv rve er to to lilist ste en for for re requ ques ests ts;; thi this s por portt is is ap appl pliica cabl ble e if yo you u ar are e us usin ing g MS MS SQ SQL Server for your SAP ME databases

3001 30 015 5

Used Us ed by SA SAP P HAN HANA; A; th thiis por portt is is app appli lica cabl ble e ifif you you are us usiing SA SAP P HAN HANA A for for yo your ur SA SAP P ME ME dat datab abas ases es

1099

Used for RMI communication when SAP ME SPC server is Statit

7994

Used for HTTP communication when SAP ME SPC server is Statit

8082

Used for HTTP communication when SAP ME SPC server is Statit

For a complete list, see the technical documentation provided by the database vendor.

Login Module Stack SAP ME out-of-the-box is shipped with the following configuration of login module stack: Table 12 Login Module Name

Login Module Flag

Login Module Description

Evalua Eva luateT teTick icketL etLogi oginMo nModul dule e

SUFFIC SUF FICIEN IENT T

Allows to authenticate users by SAP logon ticket

BasicP Bas icPass asswor wordLo dLogin ginMod Module ule

REQUIS REQ UISITE ITE

Allows to authenticate users by user ID and password

Crea Cr eate teTi Tick cket etLo Logi ginM nMod odul ule e

OPTI OP TION ONAL AL

Creates SAP logon ticket after successful authentication




19

6.1

Comm Co mmu unic ica ati tio on Ch Chan ann nel Se Secu curi ritty

The table below shows the communication channels used by SAP, the protocol used for the connection, and the type of data transferred: Table 13: Communication Path Communication Path

Protocol Used

Type of Data Transferred

Front-end client using a certified web

HTTP

Authentication; application

Java API


SAP ME Scripts to application server

RMI-P4

Application

SAP ME Scripts to SAP ME databases

JDBC


SAP ME application server to SAP ME

RMI; HTTP

Application

JDBC

Application

browser to SAP ME application server SAP MII application server to SAP ME application server for SAPMEINT

SPC server when Statit is used Application server connection to SAP ME databases

HTTP, SOAP over HTTP, and RMI-P4 connections are protected using SSL protocol. RMI connections cannot be protected. JDBC connections are protected using driver-provided encryption. For more information, i nformation, see Network Security in Security in the SAP NetWeaver Application Applica tion Server Java Security Guide on Guide on SAP Service Marketplace at service.sap.com/securityguide NetWeaver 7.5 Security Guide .

6.2

SAP SA P NetWe NetWeave averr 7.5 Secu Securit rity y Guide Guides s

SAP

Comm Co mmu unic ica ati tio on Des Desti tina nati tio ons

SAP ME does not deliver pre-configured RFC or JCo destinations or ports.


20




7

Data Storage Security

SAP ME stores J2EE application data in the SAP NetWeaver 7.5 database. For more information, see the SAP NetWeaver 7.5 Security Guide on Guide on SAP Service Marketplace at service.sap.com/securityguide

SAP NetWea NetWeaver ver 7.5 Secu Security rity Guide Guides s

SAP NetWea NetWeaver ver 7.5 Secu Security rity Guide Guide .

SAP ME stores business data in WIP, ODS, and optional GODS relational databases. databases. You can c an use Microsoft SQL Server, Oracle, or SAP HANA for your SAP ME database management system. If you are using SAP HANA as your SAP ME database management system, see SAP HANA Security Guide. Guide . For more information, see documentation provided by your database vendor. When you create your database, a specific user ID with password is defined. This password and user ID is later added to Data Source in Source in SAP NetWeaver Installation Wizard. Wizard .

SAPMEINT SAPMEINT uses SAP MII 15.1 for business transactions transactions integrated with SAP ERP systems. The data exchange between SAPMEINT and the SAP ERP system is carried out using IDocs.

SAP ME Scripts SAP ME Scripts automate various tasks for the SAP ME WIP and ODS databases. These scripts are configured to run as scheduled tasks in a productive environment. Note

If you are using SAP ME with SAP HANA database, SAP ME Scripts are not applicable. During SAP ME Scripts installatio installation n all the required information information is collected from the user. Passwords for WIP/ODS/GODS WIP/ODS/GOD S databases are encrypted and then stored in the secstore.properties property file. The encryption is achieved using the iaik_jce.jar SAP NetWeaver library. The iaik_jce.jar file is not bundled with SAP ME Scripts and is located within the SAP NetWeaver server. The location of this jar file is defined at runtime using the SAP NetWeaver server system name and SID information provided by the user.

Temporary Printing Directory SAP ME provides functionality to configure a directory on the application server to which you can write files. You can configure third-party applications to retrieve and print files from this directory. For more information, see

help.sap.com

Manufactu Manu facturing ring Execu Execution tion 15.1

Prod Pr oduc uctt Life Lifecy cycl cle e Mgmt Mgmt Document Docum ent Mana Manageme gement nt .

SAP SA P Manu Manufa fact ctur urin ing g Exec Execut utio ion n

SAP SA P


Data Storage Security


21

8

Security fo for Ad Additional Ap Applications

If you are using Statit as your SAP ME SPC server, Statit e-Server 5.4 is required. Contact the vendor to secure Statit e-Server in your system landscape.


22



Security for Additional Applications

9

Other Security-Relevant Info forrmation

JavaScript SAP ME uses JavaScript in many of the front-end web pages and you must enable it.

Java Web Start Several user interfaces in SAP ME are implemented as rich clients using Java Web Start technology. Download and execute Java Web Start.

ActiveX With Statit as your SAP ME SPC server, ActiveX controls are used in many of the front-end Web pages. If you use Statit, ActiveX controls must be enabled.


Other Security-Relevant Information


23

10 Se Secu curi rity ty Lo Logg ggin ing g an and d Tra raci cing ng

SAP ME uses the standard SAP NetWeaver 7.4 logging infrastructure for logging security-relevant information about logon, logout, and HTTP session time-out. For more information, see the Administrator’s Guide Guide on on the SAP Help Portal at NetWeaver 7.4 Library SAP NetWeaver Composition Environment Library .

help.sap.com/nw74

SAP

SAP ME uses Audit uses Audit Log for Log for logging maintenance changes made to audit-logged data and objects. SAP ME also uses Activity uses Activity Log for Log for logging all the shop floor activities, including production operator actions. For more information, see help.sap.com SAP SA P Busi Busine ness ss Sui Suite te Execut Exe cution ion SAP Manu Manufac factur turing ing Exec Executi ution on 15.0 15.0 .



For invalid logon events, SAP ME logs more security-relevant information in SAP NetWeaver Security Logs. Logs . In SAP ME, creation and execution of scripts are traced in SAP NetWeaver standard logs. To setup this type of tracing, choose INFO severity for trace location com.sap.me.script.ScriptBOBean in NetWeaver Log Configuration. Configuratio n. Note that location appears only after several traces are displayed. Log Productions activities and Labor Tracking data could be archived. For more information, see the SAP ME 15.0 Application Operations Guide on Guide on the SAP Help Portal at Applications

SAP Manufacturing Manufacturing

service.sap.com/instguides

SAP Business Suite

SAP Manufacturing Manufacturing Execution 15.0 .


24



Security Logging and Tracing

11

Confi fig guring We Web Se Service Se Security

Security for SAP ME 15.1 web services is based on the security of SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also Guide also apply to the SAP ME 15.1 web services. Note

To provide web services access to users, the proper authorization roles must be assigned. For more information,, see information see Authorizations in this guide. Authorizations in By default, SAP ME 15.1 web services are configured with HTTP Basic Authentication over HTTP. It is possible to create additional security constraints through SAP NetWeaver Administrator. Administrator. For more information, see Configuring Individual Web Services Services at at help.sap.com/nw75 Functional View SAP NetWe NetWeaver aver by Functi Functional onal Area Areas s SAP NetWe NetWeaver aver Libr Library: ary: Funct Functionion-Orien Oriented ted View Appl Applicat ication ion Serv Server er Application Server Server Java Administering Application Application Server Server Java Administration Web Service Administration Administration Configuri Confi guring ng Web Web Servi Services ces and Web Serv Service ice Clien Clients ts Confi Configurin guring g Web Web Servi Services ces Confi Configuri guring ng Indivi Individual dual Web Services . You can configure SAP ME web services all at once with a communication profile. For more information, see Preparing Communication Profiles at Profiles at help.sap.com/nw75 Functi Fun ctiona onall View View SAP NetW NetWeav eaver er by Funct Function ional al Areas SAP NetWeaver Library: Function-Oriented Function-Oriented View View Application Server Server Application Server Server Java Administering Application Application Server Server Java Administration Web Service Administration Configuring Web Services Services and Web Service Clients . For information about assigning a communication profile to an application’s web we b services, see Configuring Web Services Exposed by Applications Applications at at help.sap.com/nw75 Functi Fun ctiona onall View View SAP NetW NetWeav eaver er by Functi Functiona onall Areas SAP NetWeaver Library: Function-Oriented Function-Oriented View View Application Server Server Application Server Server Java Administering Application Application Server Server Java Administration Web Service Administration Configuring Web Services Services and Web Web Servi Service ce Clien Clients ts Con Config figuri uring ng Web Web Servic Services es Con Config figuri uring ng Group Groups s of Web Web Servic Services es .


Configuring Web Service Security


25

Typographic Conventions

Table 14 Example

Description

Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your ”. ”.

Exam Ex ampl ple e

Exa Ex amp mple le

Arrows separating the parts of a navigation path, for example, menu options

Example

Emphasized words or expressions

Example

Words or characters that you enter in the system exactly as they appear in the documentation

www.sap.com

Textual cross-references to an internet address

/example

Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web

123456 Example

Hyperlink to an SAP Note, for example, SAP Note 123456 ●

Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.

Example

●

Cross-references to other documentation or published works

●

Output on the screen following a user action, for example, messages

●

Source code or syntax quoted directly from a program

●

File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools

EXAMPLE

Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE

EXAMPLE

Keys on the keyboard


26



Typographic Conventions

www.sap.com

© Copyright 2015 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate c ompany) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

SAPME 151 Secuirty Guide

Recommend Documents