P. 1
26198826 Security Guide SAP Solution Manager 7 0 EHP 1 and SP 19

26198826 Security Guide SAP Solution Manager 7 0 EHP 1 and SP 19

|Views: 24|Likes:
Published by Aleksandr Smyatkin

More info:

Published by: Aleksandr Smyatkin on Sep 05, 2010
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

09/05/2010

pdf

text

original

n

n
n


















n

n

n



















n


n



n


n


n



n


n







n

n


n



n

n


n



n

n



n

n








n


n


n

n


n



n


n

n


n


n


n


n


n



n


n


n


n









n


n



n







n


n

n

n

n


n


n


































































“ ”



































































n

n

n

n





n

n

n





n

n

n

n






n

n



n







n

n

n




























n


n


n


n


n

n

n


n

n





n


n




n































































































































n


n



n




























































































— —







— —
















































n

n

n

n

n










n

n









n




n



























n

n










n

n

n

n

n

n

n


























































































































































































































































































n


n




















n


n




























































































































































































































































































































































































































n


n


n











n


n




n








































































































































































































n

n

n

n

n

n

n

n








“ ”

n

n

n


n



n
























































































n


n














































“ ”

n

n

n


n



n





































n


n





































“ ”

n

n

n


n



n



































































“ ”

n

n

n


n



n



n






n




































“ ”



n

n

n

n



n





























“ ”










n




n


n

























































































“ ”



n

n

n

n



n







































“ ”



n

n

n

n



n


















“ ”










n




n


n









































“ ”



n

n

n

n



n






























“ ”



n

n

n

n



n




















“ ”




n

n

n

n



n































n

n













n

l





u




u

u

u


u

n

l

n

l










































n



n


n

n


n


n



n

n


n

n

n







n

l

n

l

l

l

l




































n


n











n


n





n



n





n





n




n




n
“ ”












































































n

n




n

n

n

n










n




l

l

l

l


l

n




l


l

l

n




n





l

l

l

l

l













n

n

n
































































































n

n





“ ”






n



“ ”




l





l









l






l






n







n





n

n



n


















n



n



n

n




n

n

n






n

n





































— —





























































n

l


l







































n













n



































































n







n

























n


n

n
















n

n

n
















n





n







n







l

l




































n

n

n
















n


n





n

n
































































n


n































n


n



























































n






n





































































n

n

n

n

n
















































































































n



n


n

n


n



n


n


n


n
















n


n


n


n









n





n



n










































































































































































































n





n







n



n









n

n

n




































n

n


















































n



n

n









































































n

n























n

n

n

n

n

n





















































n

n




































n


n






n



n


n



































“ ”



“ ”

























“ ”




























n





“ ”



n
















































n


n


























































n

n

n







n

n

n



























































































n

n





































n


n


n


































































n

n
































































n

n

n






























n

n

n





n


n


















































n

n

n

















n

n

n














n

n

n









n

n

n






















n

n

n























































































n


n














































































































































n

n

n






















n

n



































n

n




















































































































































n

n


















n

n

n

n



n

n

n

n

n

n

n





























n



n

























































































































n


n















n


n


n































































































































































































































n

n


























































































































































































































































































n

n

n


n

n

n

n


n
“ ”
n

n

n

n


n

n









n

n




n


n






n






n




























































n

n

n









































n

n

n

n










n

n

























































































n

l

n

l


l





n

l

l

l

n

l




n

l

l

l

n

l






n

l

l

n

l




n

l

l

n

l







n

l

l

l

n

l





n

l

l

n

l






n

l

n

l




n

l

l

l

n

l








n

l

l

n

l




n

l

l

n

l





n

l

l

n

l

l





“ ”










n


n

n

n

n















































“ ”









™ ’













Document History

Caution

Before you start the implementation and configuration of SAP Solution Manager, make sure you have the latest version of this document. You can find the latest version at the following location: http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> . The following table provides an overview of the most important document changes.
Support Package (Version) Date Description

SP15

06.02.2008

New roles for solution authorization. Authorization object D_SOL_VSBL is now included in the roles for solutions SAP_SM_SOLUTION_*. The authorization object is inactive in all other roles. See section: Roles in Solution Manager. It needs to be granted in addition to the role for the functionality, for instance Maintenance Optimizer. New roles for: n Job Scheduling n Issue Management n Maintenance Optimizer (additional) See section: Roles and Authorizations New roles for work center navigation. See section Work Center Navigation Roles and the example it contains Composite role SAP_SM_BPMO_COMP for background user SM_BPMO. See section: Communication Destinations.

SP16

New roles for Solution Documentation Assistant See sections: Roles and Authorization and section Work Center Navigation Roles New roles for Third Party Product: BMC AppSight for SAP Client Diagnostics See section: Roles and Authorizations Values for authorization object S_RFC in role SAP_SOLMANDIAG_E2E extended

SP17

2/172

PUBLIC

03/30/2009

Support Package (Version)

Date

Description

EhP1 (1.0)

15.12.2008

Changes in sections n navigation in all work centers , see according sections on work center navigation roles. n menu entries for composite role SAP_SMWORK_ADMINISTRATOR_COMP deleted due to restrictions in SAP NetWeaver Business Client (NWBC), see section How to Create Composite Roles n role extensions for Job Scheduling Management, see section Roles for Job Scheduling Management n role extension for SAP_SERVICE_CONNECT for SAProuter Update , see section Roles for Infrastructure n role extensions for Business Process Operation, authorization objects: SM_BPM_AUT and SM_CNT_UPD, see section Roles for Business Process Operation and Roles for SAP Engagement and Service Delivery n new profile S_SD_CREATE for RFC connection BACK for message creation, see section RFC Connections n new profile S_SM_EXECUTE for RFC connection TMW for Solution Documentation Assistant, see section RFC Connections
Note

The authorization profile S_SM_EXECUTE allows batch processing in the managing system for managed systems. You can use this profile also solely for this purpose. In this case, you have to assign the profile to the according technical user, manually. n new RFC user naming convention, see sections on technical users n new roles in Quality Gate Management SAP_SM_QGM_* , see section Roles for Change Request Management n new roles for Business Process Change Analysis (BPCA) in Work Center: Test Management, see sections Roles for Test Management and Work Center Test Management n new role for BI Reporting in Test Management SAP_BI_TWB n new role SAP_QC_WSDL_ACCESS for technical user QCALIAS , see sections Roles for Third Party Integration, and in technical users n new role SAP_SUPPCF_DISP for Service Provider display authorization, see section Roles for Service Desk for Service Provider New general How to sections on n how to find documentation on individual authorization objects n how to create work center composite roles New sections due to new developments n new roles for configuration, see section Roles for Configuration n new roles for Master Data Management (MDM) Administration Cockpit in the System Administration work center, see section Roles for Master Data Management

03/30/2009

PUBLIC

3/172

SAP_SMWORK_CHANGE_MAN_SPC.Support Package (Version) Date Description n new roles in Downtime Management SAP_SM_DTM_* . see section Roles for BI—related Reporting n SAP NetWeaver Business Client (NWBC) where appropriate SP19 Extensions in sections n Roles for Implementation and Upgrade Due to Help Center functionality: SAP_SOL_KW_ALL extended for administration n RFC Connections New profile S_KWHELP for BACK destination n Authorization object S_RFC Function groups for profile S_KWHELP n Technical Users in SAP Solution Manager System New profile S_KWHELP for back destination n Business Process Operations 4/172 PUBLIC 03/30/2009 . see sections SAPSUPPORT User. see section How to Create Work Center Composite Roles n new roles for Custom Development Management Cockpit (CDMC) roles. Roles for Configuration n SAP Support user SAPSUPPORT. see section MYHOME n special users and authorizations for CTC configuration tasks. see section SAPSUPPORT User n for automatically created business partners for SAP Engagement and Service Delivery. see Work Center for Service Provider Customers n new authorization role for Service Provider SAP_SM_SPC . Roles for Root Cause Analysis. see sections on technical users and Roles for Business Connectivity Configuration n new work center composite role SAP_SMWORK_JOB_MAN_COMP. SAP_SMWORK_INCIDENT_MAN_SPC. see section Service Provider—Specific Authorization n new work center navigation role MYHOME . see section Business Partners Created During Configuration n new work center navigation roles for Service Provider SAP_SMWORK_SYS_MON_SPC. see section Roles for Custom Development Management Cockpit (CDMC) n new role for technical framework BI extractor SAP_SM_BI_EXTRACTOR. see section Roles in Downtime Management n new roles for Root Cause Analysis .

n User Management Tools. n SAP_SOLMANDIAG_E2E and according profile S_SMDIAG_E2E. see section Technical Users in Solution Manager n SAP_SM_BASIC_SETTINGS. see SAP Note 834534 and SAP Note 831535. if existing single roles of the composite roles are extended by customers. see section Roles for Implementation and Upgrade New chapters n Secure Storage 03/30/2009 PUBLIC 5/172 . see section Authorization object S_RFC and SAP Note 1296428.Support Package (Version) Date Description Authorization object SM_BPM_AUT: per default Data Volume Management (DVM) is deselected n S-User Authorization for Data Download from SAP Additional authorization LICKEY for request of license key required n How to Create Work Center Composite Roles The concept of composite roles does not work. see section Roles for Service Desk n SAP_SM_BATCH. Changes regarding authorization objects in roles delivered before SP19 For changes in authorization objects in roles that are already delivered. How to Assign Roles to Users. and Work Center Roles Concept see SAP Note 1272331 for more information on User Comparison. n SAP_SOL_KW_ALL. see section Roles for Configuration n profiles S_CSMREG and S_AI_SMD_E2E. see section Roles for Configuration n SAP_SUPPDESK_ADMIN.

. . . . . . . . . . HTTP Connect Service for SAP Support . . . . Internet Communication Framework . . . . . . . . . . . . . . Technical System Landscape . . . . . . . . . . . . . . Links for Additional Components on Service Marketplace Using SAP Solution Manager as Service Provider . . . . . . . . . . . . . . Communication Channels . . . . . . . . . . . . . .2 5. . . . . . . . . . . Getting Started . . . . . . . . . . . . . . . . . . User SAPSUPPORT . . . . . . . .4 2. . . .4 5. . . . . . . . .3 4. . .8 Chapter 5 5. Technical/Dialog Users Created/Used in Solution Manager System Configuration . . . . . . . . . . . . User Management Tools . . . . . . . . . . . . . . . . .7 5. . . Secure Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 4. . . . . . . . . . .1 5. . . . . . . . . . Technical/Dialog Users Created/Used During Configuration in the Managed Systems . . . .5 2. . . . . . Integration into Single Sign-On Environments (SSO) . . . . . . . . . . . . . . . . . . User Administration and Authentication . .6 5. Secure Socket Layer (SSL) for HTTP Connections . . Communication Destinations . . . . . . . . .4 4. . How to Create Users and Business Partners for End Users . . . .2 4. . . . . . . . . . How to Use This Guide . . . . . . . .5 4. . . Target Group of This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network and Communication Security .1 4. . . . . . . . . . . 11 13 13 14 14 15 17 17 23 23 25 25 25 26 33 34 35 35 35 37 37 38 38 46 53 54 55 57 System Landscape . . . . . .3 5. . . . File Transfer Protocol (FTP) . . . . . . . . 6/172 PUBLIC 03/30/2009 . . . . . . . . . . . . . .2 2. . . . . . . . . .1 Chapter 4 4. . . . . . . . . . . . . . . . . . . . . . . . . . .1 2. . . . . . . . . . . . .7 4. . . . Network Topology . . . . . . . . . . . SAP Solution Manager Scenarios and Functions .8 Security Guide . Integration of Functions . . . . . . . . . . .5 5. . . . . . . . . . . . .Table of Contents Chapter 1 Chapter 2 2. . . . . . Business Partners Created During Configuration . .6 Chapter 3 3. . . . . . . . . . . . . . . . . . . .3 2. . . . . . . Required TCP/IP Ports . . . . . .

. . . Roles for Implementation and Upgrade . . . . . . . . Roles for Root Cause Analysis . . Authorization Concept . . .3 Chapter 7 7. . . . .3 6. . . . . .4. . . . . .4. . . .18 6. . . Roles for Basic Configuration in Managed Systems . . . . . . . . . . . . . . . . . . . .2 6. . . . . . . . . .1 7. . . Authorization Object S_RFC . . .6 6. . . . .4. Roles for Third Party Integration . . . . How to Create Roles for Scenario-Specific Configuration in Solution Manager Authorization Roles and Profiles for End Users . . Roles for Custom Development Management Cockpit . . . . . . . . . TMW. .15 6. . . . .4. . . . . . . . . . . . . . . . . . . . . . . . .1 6. . . . . Roles for Business Process Operations . . . . . . . . . . . Roles for BI-Related Reporting . . Roles for Service Desk . . . . . . . . . . . .4 6. . RFC Connections TRUSTED. . . . .6. Roles for Master Data Management . . . . . . . . . . . . .3. . . . .5 6. 59 59 60 60 61 62 65 66 66 69 70 72 72 75 79 80 82 85 85 87 87 88 89 91 91 92 93 96 99 100 101 104 105 105 105 106 109 109 109 110 03/30/2009 PUBLIC 7/172 . . . .6 6. . . . . . . . . .4. . . . . Roles for Change Request Management . . . . . . . . Roles for System Monitoring and System Administration . . . . . . . . . Basic Authorizations for Work Centers My Home . . . . . . . . . . .2 6.4.1 6. . Roles for Database Administration Cockpit . . . . . . . . . . . How to Assign Roles to Users . . . . . . Work Center Roles Concept . . . . .2. .1 6. . .4. . . . . . . . . . . . . . How to Update Authorizations after Support Package Upgrade . . . . . How to Create End User Roles . . . . . .8 6. . . .5 6. .11 6. . . . . . . . . . . . RFC Connections to/from Managed Systems and Critical Authorization Objects Trusted RFC Connections . . . . . . . . .4. READ. . .4. . . . . . . .6. .3.12 6. . . . . . . . . . . . .4. . . . . . . . . . . . . . . . . . . . .7 6.Chapter 6 6. .10 6. . .4. . . . . . . . . . . . . . . . . Roles for Job Scheduling Management . . . . . .14 6. . . . . . . . . . . . . . .3. . . . .4. Role for TREX Administration . . . . . . . . “How To” Guides . .4. . . Roles for Test Management . . . . . . . . . . . . . . .4. .4. . . . Work Center Navigation Roles . . . . . . . .1 6. . . Roles for SAP Engagement and Service Delivery . .2. . . . . . . . .2 6. . . . . . . .2 6. . . BACK . . . . . . . .2. . .3 6. . . . . . . . . . . . . . . . . . . . Authorization Object S_RFCACL . . . . . . . . . . . . .2 6.17 6. Roles for Infrastructure . . . . . . . . . . . . .3 6. . . . . . . . . . . . . . . . . Roles for Configuration of Business System Connections .1 6. .3 6. .9 6. . . . . . .2 7. . . Roles for Basic Configuration of Solution Manager . . . Roles for Downtime Management . . . . . . . . Roles for Issue Management . . .3 Authorizations .6. . . . . . . . . .4. . . . . .4. . . . . . . . Roles for Solution Manager Configuration . . . .2. . . .19 6. . . .4 6. . .4. . . . .16 6. Roles for Change Control (Maintenance Optimizer) . . .4 6. . .4. .13 6. . . . . . . . . . . .

. .2 9. . . . . . . . . . .2 10. . . . . . . . . . . . . . . . . . . . . . . Solution Manager Administration Work Center . . . . . . . . . . . . . . Background Jobs for Change Request Management . . . Service Provider—Specific Authorization . . . . . .6 Chapter 10 10. . . . . . . . . . Business Process Operations Work Center . . . . 8/172 PUBLIC 03/30/2009 . .4 10. . . . . . .14 7. . . . .8 7. . . . . . . . . . . . .5 7. System Administration Work Center .9 7. . . . . . . . . . . . Background Jobs for Infrastructure . . . . . . . . . . . . . .8 10. .5 10. . .13 7. . . . . . .3 9. System Monitoring Work Center . Roles for Service Desk for Service Provider . . . . Job Management Work Center . . . System Landscape Management Work Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Background Jobs for Implementation . . . . . .6 Chapter 9 9. . .6 10. . . . . . . . . . . . . . . . . . . .11 7. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Background Jobs for BI Reporting . . . . . . . . . . . . Incident Management Work Center . . . .3 10. . . . . . . . SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER) S-User Authorization for Service Desk and Expert on Demand . . . . . . . . . .10 7. . . . . . . . .7.17 Chapter 8 8. . .9 Implementation and Upgrade Work Center . . . . Background Jobs for Root Cause Analysis .2 8. . Work Center Access for Customers . . . .1 9. . Solution Documentation Assistant Work Center . . . . . . . . . . . . . . . . . . . . .16 7. . . . . . . Service Provider and Service Provider Customer Specification Service Provider Customer RFC Connections . . .4 8. Background Jobs for Service Desk . . Background Jobs for Test Management .1 8.1 10. . . . . . . . . . . . . . . . . . . . . . . . . . S-User Concept . . . . . . . 111 114 116 118 119 120 122 123 125 128 129 130 131 133 135 135 135 135 136 136 137 139 139 139 140 141 142 142 145 145 147 147 147 149 149 150 150 152 S-User Authorizations . . . . Work Center for Service Provider Customers . . .3 8. . . . . Change Management Work Center . . . .4 9. . . . . . . . . . Background Processes . . . . S-User Authorization for Service Provider Customers . . Background Jobs for SAP Engagement and Service Delivery and Issue Management . .12 7. . Background Jobs for Monitoring . . . . .15 7. . . . . . . . . . . . . . . . . . . .7 10. . . . . . . . SAP Engagement and Service Delivery Work Center . . . . . .5 9. . Root Cause Analysis Work Center . . . . . . . . . . . . S-User Authorization for Maintenance Optimizer . . . . . . . . . . . . . . . . . S-User Authorization for Data Download from SAP . . . . . .5 8. . . . . . . . . . . . . S-User Authorization for Service Connection .7 7. How to Create Work Center Composite Roles . . . . . . . . . . . . . . .4 7. . . . . .6 7. . . . . . . . . . . . Test Management Work Center . . . . . . . . . .

. . . . . . . . . . . .1.1 Chapter 12 12. . . . . . . . . . . . . . Terminology: System Landscape and Related Terms Terminology: Solution and Related Terms . . . . . . . . . . . .1 Background Jobs for Third Party Products . . . . . Traces and Logs . . .1. . . .10 10. . . . . . . . . . Traces and Logs . . . . . . . . . . . . . . . . . . . .10.1 12. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 03/30/2009 PUBLIC 9/172 . . . Appendix . . . The Main SAP Documentation Types . . . . . . . . . . Background Jobs for Service Provider . .1 12. . . . . . . . . . . . . . . . . . . Glossary . . . . 152 153 155 155 157 157 157 161 165 165 Reference . . . . . . .11 Chapter 11 11. . . . . . . . . .2 Chapter A A. . . . . . . . . . . . . . .

10/172 PUBLIC 03/30/2009 .

0“ sind von Ihrem Pflegevertrag abhängig. If you have signed exclusively standard support contracts. Die im folgenden aufgeführten Funktionen. die Bestandteil der Enterprise Edition sind. Wenn Sie ausschließlich Standard Support-Verträge abgeschlossen haben. sind Sie berechtigt. dürfen Sie dieses Softwarepaket installieren und mit eingeschränktem Funktionsumfang nutzen. but you are only allowed to use a restricted functionality. If you have a signed contract for: n n n n SAP Enterprise Support Product Support for Large Enterprises SAP Premium Support SAP MaxAttention you are authorized to use all functions in the software package. alle Funktionen des Softwarepaketes ohne Einschränkungen zu nutzen. without any restrictions. dürfen nicht genutzt werden: n Business Process Change Analyzer n Quality Gate Management 03/30/2009 PUBLIC 11/172 . Wenn Sie über einen Vertrag über: n n n n SAP Enterprise Support SAP Product Support for Large Enterprises SAP Premium Support SAP MaxAttention verfügen.1 Security Guide 1 Security Guide Caution The following note ONLY applies to SAP customers in Germany and Austria The extent of the usage of the software package „SAP Enhancement Package 1 for SAP Solution Manager 7. You are not allowed to use the following Enterprise Edition functions: n Business Process Change Analyzer n Quality Gate Management n Custom Development Management Cockpit Der folgende Hinweis betrifft NUR SAP Kunden in Deutschland und Österreich Die Nutzungsmöglichkeiten des Softwarepaketes „SAP Enhancement Package 1 for SAP Solution Manager 7. you are allowed to install this software package.0“ depends upon the type of maintenance contract you have signed.

More Information For a complete list of the available SAP Security Guides.com/instguides SAP Components SAP Solution Manager <current release> .0. For a detailed overview of which documentation is relevant for each phase. sizing guide or upgrade guide for Solution Manager. These guides are only relevant for a certain phase of the software life cycle.sap. see the SAP Service Marketplace: http://service. For information due to corrections between support packages see SAP Note 129482. Integration Security topics are relevant for the following phases: n Installation and Upgrade n Configuration n Operation Recommendation Use this guide during all phases.1 Security Guide n Custom Development Management Cockpit This Security Guide is updated in the SAP Service Marketplace at: http://service.0 and SAP Enhancement Package 1 for SAP NetWeaver 7.0. see also SAP Note 1088980. Constraints This document is not in the installation guide. so the security guides for these products also apply to SAP Solution Manager. All support packages based on SAP Enhancement Package 1 (EhP1) for SAP Solution Manager are based on CRM 5. Caution Up to SAP Solution Manager Support Package 17. SAP Solution Manager is based on CRM 5.0 and SAP NetWeaver 7.sap. Refer to the documents described in this note. for each new support package and SAP Enhancement Package (EhP).com/securityguides 12/172 PUBLIC 03/30/2009 . Use the security guides for these products if you use SAP Solution Manager SP17. whereas the security guide provides information that is relevant for all life cycle phases.

and overviews of roles for functions and scenarios. n S-User Authorizations with information on S-users. you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. that is technical consultants. n Network and Communication Security with overviews of communication channels and destinations in your system landscape.1 Target Group of This Guide The target groups of this guide are readers who are already familiar with SAP Solution Manager and configuration procedures in an implementation and/or upgrade project. and information on ICF Framework. and a step by step procedure to use this guide. n User Administration and Authentication with overviews of users and business partners. With the increasing use of distributed systems and the Internet for managing business data. This guide helps you to secure your system landscape. 2. n technology consultants: working with technical processes supported by SAP software during implementation. n Service Provider and Service Provider Customer Specification with information on Service Provider—specific authorizations and security topics. when deciding which settings to make n system administrators: optimizing the system during and after implementation 03/30/2009 PUBLIC 13/172 . negligence. When using a distributed system. It covers the following SAP Solution Manager functions: n Getting Started with information on the integrated functions/modularity concept. the demands on security are also on the rise. n Work Center Navigation with mappings of the work center views onto authorization roles. and their authorization.2 Getting Started 2 Getting Started This guide does not replace the daily operations handbook that we recommend customers to create for their productive operations. and information on Single Sign—On. or attempted manipulation of your system should not result in loss of information or processing time. n Traces and Logs with information on traces and log possibilities. system administrators and/or application consultants. These security requirements also apply to SAP Solution Manager. n Authorizations with a detailed description of critical authorizations for the most relevant RFC connections in your system landscape. User errors. n Background Processes with overviews of background jobs per function.

sap.sap.2 Getting Started SAP Solution Manager Scenarios and Functions n application consultants: mapping a company’s actual business processes to the processes and functions supported by SAP software during implementation. To realize this integrated approach and at the same time allow you the freedom to build and configure according to your company’s needs.com/solutionmanager . upgrade. Tools can be used to realize a process within these phases. processes relating to these scenarios (for instance: Roadmap) and functions that can be used in one or more scenarios (for example. The tools integrate strongly with each other to support seamless document and information flow over the whole life cycle.2 SAP Solution Manager Scenarios and Functions SAP Solution Manager is a tool which supports the entire product life-cycle of your business processes and systems. See: SAP Note 939897 (How to prevent this transfer). the function Document Management can be used in the scenario Implementation and/or the scenario Test Management). 2. More Information If you have insifcient understanding of SAP Solution Manager and its applications.com/instguides SAP Components SAP Solution Manager <current release> and the according application help on the Help Portal http://help. and when deciding which settings to make 2. We differentiate between scenarios (for instance: Implementation/Upgrade of SAP Solutions or Service Desk). see the master guide for SAP Solution Manager in the Service Marketplace http://service. 14/172 PUBLIC 03/30/2009 .3 Integration of Functions The life cycle of a product comprises various phases. A scenario is a group of business process—related functions which support the sequential and logical relationships of processes within the life-cycle of the product. and so on. configuration and SAP template roles are function—related. The configuration of SAP Solution Manager uses this scenario-related approach.2 2. operation. The product life-cycle can be regarded as a set of scenarios. such as implementation. Note Usage data about the functions and scenarios used by the customer is sent to SAP. The work center approach demonstrates this integration. within a system/platform. Configuration and authorizations for integrated functions are based on a modular approach.

you need to make all relevant systems. Infrastructure comprises all entities that are the basis for scenarios. roles of different functions can be assigned to one user.4 Getting Started Links for Additional Components on Service Marketplace Example All delivered template roles for end users contain only authorizations that are relevant for the function they describe.com/instguides SAP Components SAP Solution Manager <current release> . roles for Service Data Control Center.sap. You must know which functions you want to use. databases. see the master guide for SAP Solution Manager http://service.2 2.4 Links for Additional Components on Service Marketplace Your Solution Manager system is the platform for administrative tasks in implementing. and so on. and servers known. Before you can work with a scenario/function in the Solution Manager systems. and your business processes. familiarize yourself with their installation. Prerequisites For a detailed description of scenarios and functions. configuration. The appendix of this guide contains a detailed definition of these terms. Roles for infrastructure include roles for systems. Therefore. Example Roles are structured according to functions in scenarios and infrastructure. This guide refers to all these as infrastructure. The following table gives you an overview of these additional components. Features Additional Components 03/30/2009 PUBLIC 15/172 . Recommendation To ensure a smooth integration of these components. operating and upgrading systems in your system landscape. and operation. 2. roles for solutions. and maintain primary units such as solutions and logical components. It relies heavily on mandatory and optional components implemented in addition to SAP Solution Manager.

sap.com/job-scheduling Information and Conguration Prerequisites Third Party (technical name: SOLMAN_THIRDPARTY_IN) One Transport Order TREX service.sap.com/saptao http://service.sap.sap.com/bi SAP Quality Center by HP http://service.com/solutionmanager SAP Quality Center by HP Information and Conguration Prerequisites Third Party (technical name: SOLMAN_THIRDPARTY_IN) SAP Redwood Job Scheduling service.com/mdm and http://service.sap.com SAP NetWeaver Capabilities Lifecycle Management Application Management System Landscape Directory Software Life-Cycle Manager (SLM) and Functional View Solution Life Cycle Management Software Life Cycle Management http://service.sap.com/solutionmanager Media Information and Configuration Prerequisites TREX (technical name: SOLMAN_TREX_INFO) Library Technical Papers http://help.sap.sap.com/nw70 Information and Conguration Prerequisites SLD (technical name: SOLMAN_SLD_INFORMATI) Information and Conguration Prerequisites Change Control scenario (technical name: SOLMAN_MOPZ_SLM_INFO) Adobe Document Services (ADS) http://service.com/nw2004s SAP TAO Master Data Management (MDM) — MDM Administration Cockpit http://service.4 Getting Started Links for Additional Components on Service Marketplace Component Where in the Service Marketplace? IMG Activities and Other Information Sources System Landscape Directory (SLD) http://service.com/slm http://help.com/adobe Information and Configuration Prerequisites ADS setup (technical name: SOLMAN_ADS_INFO) Information and Conguration Prerequisites BI (technical name: SOLMAN_BI_CLIENT_INF) Business Intelligence (BI) http://service.sap.sap.com/sld or http://sdn.sap.2 2.sap.com/installmdm Used in System Administration Work Center 16/172 PUBLIC 03/30/2009 .sap.

wdf.5 Using SAP Solution Manager as Service Provider As a Service Provider. you provide services to your customers using Solution Manager. 03/30/2009 PUBLIC 17/172 . the RFC connections overview allows you to either see all RFC connections relevant for Solution Manager and its managed systems. interested in all users for Root Cause Analysis.com n for installation information http://service. For example. or local connections. see master guide for SAP Solution Manager http://service. 2.com/instguides Wily Introscope Used in Root Cause http://bis. see the master guide for SAP Solution Manager in the Service Marketplace: http://service.corp:1080/twiki/bin/view/Main/IntroScope Analysis and System Monitoring Work Center More Information For a comprehensive overview and to find out which additional components are relevant for the configuration of your scenarios.6 How to Use This Guide This section tells you how to use this guide most efficiently.com/nwa Used in System Administration Work Center Used in System Administration and System Landscape Management Work Centers Adaptive Controlling (ACC) n for general information http://sdn. These overviews are bundled according to functions and modularity.com/instguides SAP Components SAP Solution Manager <current release> 2. See the section Service Provider and Service Provider Customer Specification. such as starting and stopping an application service: http://help.5 Getting Started Using SAP Solution Manager as Service Provider Component Where in the Service Marketplace? IMG Activities and Other Information Sources SAP NetWeaver Administrator http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> .sap.sap. For more information on Service Provider scenarios and definition.sap. as described in section Integration of Functions. the guide includes overviews of topics. such as all connections from SAP Solution Manager to SAP. For completeness.sap.2 2.com/irj/sdn/adaptive n for application help. for instance. or RFC connections. or check certain types of connections. Or if you are.sap. such as technical users. you can see just the Root Cause Analysis subsection in the technical users overview.sap.

For instance. How you use this guide depends largely on your individual needs. you are referred to the document about how to create users and business partners.com/instguides Components SAP Solution Manager <current release> Define which additional components are needed Get to know the concept of integration of functions Create configuration user in Solution Manager system and managed systems see master guide for Solution Manager.sap. if you read the users for Service Desk section. How to sections for critical procedures. http://service. you are referred to the section on how to create roles.2 2. http://service. you would look into each section and especially for your topic. if appropriate.com/instguides Components SAP Solution Manager <current release> see this guide section Integration of Function SAP 3 SAP 4 5 see this section How to Create/Delete Users Created/Used During Configuration in the Managed Systems: in automatic basic settings configuration. Or. if you are interested in System Monitoring using a work center in SAP NetWeaver Business Client. As security topics are closery connected to configuration tasks. where you find the overviews of what you need for System Monitoring.6 Getting Started How to Use This Guide Each section contains. To integrate this information into your configuration procedure. roles for System Monitoring and System Monitoring work center. The following step by step procedure gives you an outline of how to secure your network. if possible. if you are informing yourself about roles for Service Desk. and create roles according to your company’s security requirements.sap. see the sections on technical users for System Monitoring.sap. If you are interested in one function and all related security topics. Procedure Step Description Remarks 1 Define your system landscape see master guide for Solution Manager. use the SAP Reference IMG. http://service. For instance. assign them to users and maintain them. we refer to related sections of the SAP Implementation Reference Guide (IMG) in transaction SPRO.com/instguides Components SAP Solution Manager <current release> SAP 2 Define the scenarios and functions see master guide for Solution you use Manager. the configuration user must only be created in the managed system (for instance SOLMAN_ADMIN) 6 Assign authorizations to the see the section Roles for Basic Configuration in Managed Systems configuration user in the managed system 18/172 PUBLIC 03/30/2009 . according to your system landscape settings.

com/instguides SAP Components SAP Solution Manager <current release> (section Basic Settings) and section Roles for Basic Conguration in Solution Manager Note Involves creation of technical users and so on.sap.sap.2 2. and authorization roles to your end users see section Work Center Navigation 13 14 see section Authorization Concept see section Authorization Roles and Profiles for End Users 15 see section Work Center Navigation 03/30/2009 PUBLIC 19/172 . http://service. 8 9 Check your network and communication security Recommendation see section Network and Communication Security see conguration guide for Solution Manager. http://service.sap.com/instguides Create roles for scenario—specific SAP Components SAP Solution Manager <current release> functions section Scenario—Specic and/or Service Provider—Specic Settings and section How to Create Roles for Scenario—Specic Conguration in Solution Manager Recommendation 10 11 Configure scenario—specific functions for your scenarios use IMG project Note Without an IMG project. 12 Assign work center navigation roles (including work center authorization role SAP_SMWORK_BASIC) to your end users Develop your own authorization concept Develop your own authorization roles per function on basis of SAP—delivered template roles Assign authorization roles to your users using the mapping tables for work center navigation roles.6 Getting Started How to Use This Guide Step Description Remarks 7 Configure basic settings using roles see conguration guide for Solution for basic settings configuration Manager. use transaction SPRO.com/instguides Create an IMG project for the SAP Components SAP Solution Manager <current release> functions and scenarios you want section Scenario—Specic and/or Service Provider—Specic Settings to configure see conguration guide for Solution Manager. http://service.

The same example. see section Links to Additional Components in the Service Marketplace n n n n n System Monitoring (sessions) KPI Reporting and IT Performance Reporting (BI) work center for System Monitoring Service Desk message creation SAP NetWeaver Business Client SOLMAN_ADMIN) 5 Create configuration user in Solution Manager system and managed systems Create configuration user (for instance: managed systems in 6 Assign authorizations to the Assign roles to configuration user: configuration user in the managed n for authorization object S_RFCACL system n SAP_SDCCN_ALL Configure basic settings using roles Use of automatic basic settings configuration via for basic settings configuration SOLMAN_SETUP ( role for configuration user SOLMAN_ADMIN is generated automatically). SLD. from a configuration—relevant perspective. and so on n check SSL settings Create an IMG project for IMG node System Monitoring and Service Desk in transaction SPRO_ADMIN 7 8 9 Create an IMG project for the functions and scenarios you want to configure 20/172 PUBLIC 03/30/2009 . Service Desk for message creation System Landscape Directory. RFC connection from managed system to Solution Manager. Caution This example is a suggestion of how to configure this scenario from a security—relevant perspective. Step Description Remarks 1 2 3 4 Define your system landscape Define which scenarios and functions you use Define which additional components are needed Get to know the concept of integration of functions two productive managed systems. RFC connections from Solution Manager to SAP. is used in the configuration guide. BI client is Solution Manager client System Monitoring and Reporting.6 Getting Started How to Use This Guide Example System Monitoring (including KPI Reporting and IT Performance Reporting) using the work center approach on SAP NetWeaver Business Client.2 2. Includes the setup of Solution Manager and of both managed systems Check your network and communication security n check RFC connections from Solution Manager to managed systems.

2 2. to your end users Develop your own authorization concept Develop your own authorization roles per function on basis of SAP—delivered template roles see created IMG project Assign roles as described: n SAP_SMWORK_SYS_MON n SAP_SMWORK_BASIC 13 14 customer—specific assign copies of roles (for System Monitoring and Service Desk) to your end users. SAP_BW_CCMS_SETUP. to your end users 03/30/2009 PUBLIC 21/172 . and functions assign it to your configuration user. Note For cross‒scenario configuration. SAP_PI_CCMS_SETUP 11 12 Configure scenario—specific functions for your scenarios Assign work center navigation roles. see the IMG activity for additional roles such as: SAP_SM_BI_EXTRACTOR. including work center authorization role (SAP_SMWORK_BASIC).6 Getting Started How to Use This Guide Step Description Remarks 10 Create roles for scenario—specific Create role for IMG project (or use profile SAP_ALL). according to your customer concept: n SAP_SMSY_* n SAP_SM_SOLUTION_* n SAP_OP_DSWP_SM n SAP_SETUP_DSWP_SM n SAP_SM_BI_EXTRACTOR n SAP_BW_CCMS_REPORTING n SAP_SUPPDESK_CREATE 15 Assign authorization roles to your users using the mapping tables for work center navigation roles and authorization roles.

This page is intentionally left blank. .

1 Technical System Landscape SAP Solution Manager is based on AS ABAP and AS Java. see master guide for SAP Solution Manager in the Service Marketplace: http://service. More Information For a detailed view of the overall system architecture of SAP Solution Manager.sap.3 System Landscape 3 System Landscape 3. To use SAP Solution Manager you need SAP GUI. Communication with other systems is via RFC technology and Web Services. 03/30/2009 PUBLIC 23/172 .com/instguides SAP Components SAP Solution Manager <current release>. Web Browser or SAP NetWeaver Business Client (NWBC) (for work center functionality). .

This page is intentionally left blank. .

Features Communication Channels 03/30/2009 PUBLIC 25/172 . 4. the protocol used for the connection. then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. they can exploit well-known bugs and security holes in network services on the server machines. if users are able to connect to the server LAN (local area network).1 Network Topology Your network infrastructure must protect your system. If users cannot log on to your application or database servers at the operating system or database layer. It needs to support the communication necessary for your business and your needs. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. Additionally. and the type of data transferred. without allowing unauthorized access.2 Communication Channels The table below shows the communication channels used by SAP Solution Manager.4 Network and Communication Security 4 Network and Communication Security This section gives an overview of the communications concept for SAP Solution Manager. including sections on topics related to HTTP connections and RFC connections. Recommendation The security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Solution Manager. 4. The network topology for the Solution Manager is based on the topology used by the SAP NetWeaver platform.

4 4. Defect Management Job Scheduling Management Document Management RFC FTP HTTP(S) SOAP over HTTP(S) over HTTP over HTTP over HTTP over HTTP (S) (S) (S) SOAP SOAP SOAP SOAP (S) 4. see section RFC Connections Update route permission table.3 Network and Communication Security Communication Destinations Communication Channel Protocol RFC Type of Data Transferred / Function Solution Manager to OSS Solution Manager to managed systems and back Solution Manager to managed systems within customer network Solution Manager to SAP Service Marketplace Solution Manager Service Desk to/from Third Party Service Desks Solution Manager to/from Quality Center by HP SAP CPS SAP Productivity Pak by RWD AppSight for SAP Client Diagnostics BMC Exchange of problem messages. see section File Transfer Protocol (FTP) Search for notes Problem messages Test requirements (send and receive data).3 Communication Destinations The table below shows an overview of the main communication destinations used by SAP Solution Manager (including its managed systems and SAP Support Portal). retrieval of services for more information. and SMSY or Implementation SOLMAN_SETUP and Distribution 26/172 PUBLIC 03/30/2009 . content: IP addresses. Features RFC Connections from SAP Solution Manager to Managed Systems RFC Destination Name Target Host Name System Number Logon Client Logon User (Password) Use Remarks SM_<SID>CLNT<Client>_LOGIN Man- (ABAP connection) aged System Customerspecic Customerspecific System Transactions Monitoring.

(Integration) Test Management 03/30/2009 PUBLIC 27/172 . transaction SMSY or SOLMAN_SETUP Transaction SMSY or SOLMAN_SETUP SM_<SID>CLNT<Client>_TMW Man- System(ABAP connection) aged Sys.specific tem Systemspecific Log on through a trusted connection.specific tem Systemspecific For instance ALEREMOTE BI-relevant (customerspecific) See IMG scenarios: activity Connect Root Cause Source System Analysis. <SID>CLNT<Client> ManSystemaged Sys. system> Business Process (automatically Operations.4 4. can Implementation be defined by and Distribucustomer via tion. Service transaction Desk (Business SMSY) Partners: see IMG activity: Create Key Users SOLMAN_SUP_BUSPART) System Monitoring and Implementation and Distribution Default user: SMTW<SID of Solution Manager system>(au- SM_<SID>CLNT<Client>_TRUSTEDSystemMan- (ABAP connection) aged Sys. can be dened by customer via transaction SMSY) if BI is Managed system BI.specific tem Systemspecific Creating.3 Network and Communication Security Communication Destinations RFC Destination Name Target Host Name System Number Logon Client Logon User (Password) Use Remarks SM_<SID>CLNT<Client>_READ Man- System(ABAP connection) aged Sys. System (technical name: Monitoring (IT SOLMAN_SET_SOURCE_SY) Performance Reporting). generated.specific tem Systemspecific Default user: SM_<SID of For read access Transaction SMSY for functions or SOLMAN_SETUP Solution such as: System Manager Monitoring. releasing transport requests tomatically generated.

defined by Service Desk. ManSystemaged Sys.specific tem Systemspecific CSMREG. automatically check locked generated. System (technical name: Monitoring (IT SOLMAN_SET_SOURCE_SY) Performance Reporting). see Central Monisection on toring(CEN): technical users n System Monitoring n Business Process Operations Automatically created in transaction RZ21 for Remote System Connection RFC Connection from Managed System to SAP Solution Manager RFC Destination Name Target Host Name System Number Logon User Logon Client (Password) Use How Created SM_<SID>CLNT<Client>_BACK Solution (ABAP connection) Manager System Customerspecific Customerspecific Default user: SMB_<SID Send Service Transaction Desk mesSMSY or of managed sages.specific tem Systemspecific <SID>_RZ20_COLLECT Man- Systemaged Sys. (Integration) Test Management Central Monitoring (CEN): n System Monitoring n Business Process Operations Automatically created in transaction RZ21 for Remote System Connection <SID>_RZ20_<ANALYZE Man- Systemaged Sys.specific <SID>CLNT<Client>DIALOG tem Systemspecific Administrator of managed system (customerspecific) See IMG functions: activity Connect Root Cause Source System Analysis. send SOLMAN_SETUP system> session data. customizcan be ing objects.3 Network and Communication Security Communication Destinations RFC Destination Name Target Host Name System Number Logon Client Logon User (Password) Use BI-relevant Remarks if BI is Managed system BI.4 4. customer via System Monitransaction toring (EarlySMSY) Watch Alert). and Implementation 28/172 PUBLIC 03/30/2009 .

RFC Connections from SAP Solution Manager to SAP RFC Destination Name System LoNum. and then analyzed in Solution Manager. see SAP Note 657306. Early Watch Alert contains data on system health. and System Monitoring. The data is collected automatically in the managed system. For instance. transfer of solution. sent via RFC to the Solution Manager system. Connection. EarlyWatch Alert.gon Logon User ber Client (Password) Target Host Name Use Remarks SAPOSS (ABAP OSS_RFC /H/SAPROUTER/S//sapserv/H/oss001 (CPIC) 01 001 Maintain technical settings in transaction Notes Assistant OSS1 connection) SAP-OSS (ABAP connection) /H/SAPROUTER/S//sapserv/H/oss001 01 001 S-User (Customerspecific) Exchange problem messages with SAP (function: Service Desk). transfer feedback to SAP (function: Delivery of SAP Transaction Services). menu path: product data Edit Global download Settings 03/30/2009 PUBLIC 29/172 . issue data.3 Network and Communication Security Communication Destinations RFC Destination Name Target Host Name System Number Logon User Logon Client (Password) Use How Created and Distribution Note The System Monitoring scenario provides support for functions such as Service Level Reporting. If you want to transfer download data of a service (EarlyWatch Alert and so on) from a managed system into a Solution Manager system. synchronize system data with Support Portal and send data about managed systems. Service SOLUTION_MANAGER.4 4. but your managed system has no RFC connection to the Solution Manager system.

4 4.3

Network and Communication Security Communication Destinations

RFC Destination Name

Target Host Name

System LoNum- gon Logon User ber Client (Password)

Use

Remarks

SAP-OSS-LIST-O01

(ABAP connection)

/H/SAPROUTER/S//sapserv/H/oss001 01 001

S-User (Customerspecific)

Retrieve information about which messages have been changed at SAP (function: Created in Service Desk) transaction SM59 User is a copy of the SAPOSS connection to SDCC_OSS; userSDCC_NEW with default password:
download

Note

SDCC_OSS

(ABAP connection)

Used by the Service Data Control Center to communicate with the SAP Support Portal frontend system; update Service Definitions (functions: System See SAP Note Monitoring for EWA 763561 and Service Plan) Send EarlyWatch Alerts (functions: System Monitoring for EWA and Service Plan)

If SDCCN is used locally, that is Solution Manager is not Master System, SDCC_OSS is created automatically in the managed system;

SAPNET_RFC

(ABAP connection)

A copy of the SAPOSS connection to
SAPNET_RFC

/H/SAPROUTER/S//sapserv/H/oss001 01 001

SAPNET_RTCC

(ABAP connection)

OSS_RFC /H/SAPROUTER/S//sapserv/H/oss001 (CPIC) 01 001

Service Preparation Check (RTCCTOOL), Created (function in SAP automatically by Engagement and RTCCTOOL, copy of Service Delivery) SAPOSS Automatically created, see IMG activity Set Up SAP Connection for Customers

SM_SP_<customer number> /H/SAPROUTER/S//sapserv/H/oss001 01 001

S-User (Customerspecific)

Service Provider functionality

30/172

PUBLIC

03/30/2009

4 4.3

Network and Communication Security Communication Destinations

RFC Destination Name

Target Host Name

System LoNum- gon Logon User ber Client (Password)

Use

Remarks

(technical name:
SOLMAN_VAR_RFC_CUSTO)

Local Connections
Destination Name
BI,

Target Host Name

System Number

Logon User Logon Client (Password)

Use
BI-relevant

Remarks

if BI client is the productive Solution Manager client<SID>CLNT<Client>

For instance
ALEREMOTE

(customerspecific)

functions: Root Cause Analysis; System Monitoring (IT Performance Reporting,
KPI

See IMG activity Connect Source System (technical name:
SOLMAN_SET_SOURCE_SY)

Reporting), (Integration) Test Management
WEBADMIN Jco SMD_RFC

Root Cause Analysis

Role
SAP_SOLMANDIAG_E2E

(prole:
S_SMDIAG_E2E)

automatically assigned to user during conguration
BPM_LOCAL_<Client>

Business SM_BPMO(customerspecic) Process Operations

is created during Business Process Operations setup session, see IMG activity Create Local RFC Destination and User (technical name:
RFC SOLMAN_BPM_RFC_LOCAL)

03/30/2009

PUBLIC

31/172

4 4.3

Network and Communication Security Communication Destinations

CCMSPing RFC Connection
RFC Destination Name Activation Type Logon User (Password) Use (Scenario) Remarks

CCMSPING.<server><SystemNr.> Registered

Server Program (program ccmsping.00)

(customerspecific)
CSMREG

Service Level Reporting with CCMSPING; system availability overview in System Monitoring work center; IT Performance Reporting

User created during configuration of Central Monitoring (CCMS), see IMG activity Information and Conguration Prerequisites for setting up a central monitoring system CEN (technical name:
SOLMAN_INPERF_CCMS)

System Landscape Directory (SLD) RFC Connections
RFC Destination Name Activation Type Use (Scenario) How Created

(Unicode) —> analogue SLD_NUC (Non-Unicode)
SLD_UC SAPSLDAPI

Registered Server program (program: SLD_UC) analogous to
SLD_NUC

General infrastructure using SLD

Automatically created

Registered Server program (program:
SAPSLDAPI_<systemID>)

General infrastructure using SLD

Copy of SLD_UC or SLD_NUC

TREX RFC Connections
RFC Destination Name
TREX_<server> (ABAP

Activation Type

Use (Scenario)

How Created

connection)

Registered Server Program (program
TREXRfcServer_<instance number>)

Service Desk (Solution Database), SAP Engagement and Service Delivery (Issue Management) Document Management (projects)

IMSDEFAULT

Start on explicit host (program:
ims_server_admin.exe)

Transaction SM59; TREX can be administered using the TREX admin tool, see IMG activity Information and Configuration Prerequisites for TREX Setup (technical name: SOLMAN_TREX_INFO)

IMSDEFAULT_REG

Registered Server Program (program:
rfc_sapretrieval)

Internet Graphics Server (IGS) RFC Connection

32/172

PUBLIC

03/30/2009

EarlyWatch Alert Reports. see IMG activities under node Connection to SAP n about connections from Solution Manager to SAP. Service Level Reports. for instance: Root Cause Analysis. The Internet Communication Framework (ICF) provides the infrastructure for handling HTTP requests in work processes in an SAP system (server and client). n Reduced technological barriers: The open HTTP standard is used worldwide. see IMG activity Information and Configuration Prerequisites for Connections to SAP (technical name: SOLMAN_VAR_INFORM) 4.4 Internet Communication Framework Most functions in SAP Solution Manager use either BSP or Web Dynpro technology. and SMTP) for communication between systems through the Internet. Communication through the ICF has the following benefits: n Increased security: The HTTPS protocol guarantees secure data transmission at the same level as modern security standards for RFC/SNC communication and other interfaces. which makes it efficient to install and configure. They are based on HTTP protocol.<SID>) All functions that use a graphical display. for security reasons. n Increased flexibility: Using the ICF. see IMG activity Generate RFC Connections to/from Managed Systems (technical name: SOLMAN_GENERATE_RFCS) n about configuring RFC connections from Solution Manager to SAP. HTTPS. the user can open a connection to an SAP system across the Internet from any location. Caution SAP delivers all ICF services inactive. It enables you to use standard protocols (HTTP.4 Network and Communication Security Internet Communication Framework RFC Destination Name GFW_ITS_RFC_DEST Activation Type Use (Scenario) How Created Registered Server program (program: IGS. This gives you a maximum amount of flexibility in responding to varying communication requirements. BI Reporting Transaction SM59 More Information n about configuring RFC connections from Solution Manager to managed systems.4 4. 03/30/2009 PUBLIC 33/172 . The only condition is that your system platform is Internet-compliant. You do not need any additional SAP program libraries.

run program SSF02.sap. The system displays the current version of SAP Cryptolib. see IMG activity Information and Configuration Prerequisites for Maintenance Optimizer and SLM (technical name: SOLMAN_MOPZ_SLM_INFO). SSL SSL More Information on: Maintenance Optimizer (SLM). Note To check if SAP Cryptolib has been successfully implemented.5 Network and Communication Security Secure Socket Layer (SSL) for HTTP Connections 4. Features To set—up SSL in your system. protects the messages only while in transit. Further Information on SSL Information Source Remarks SAP Note 510007 SAP Note 1000000 SAP Note 1153116 Setting Up SSL on the Web Application Server (Procedure to set up SSL) Web Dynpro ABAP FAQ (General authorization checks for services and application are available over the ICF) Web Dynpro ABAP checklist for creating problem messages (If you create an error message for Web Dynpro ABAP under component BC-WD-ABA. but offers no security for (XML) data in storage.4 4.sa.com/instguides SAP Components SAP Solution Manager <current release> . See SAP Note 1138061. Caution You must set—up SSL for SAP NetWeaver ABAP and Java (for instance: Maintenance Optimizer and SLM). Constraints only provides a secure channel between partners communicating directly in a network. follow the procedure described in SAP Note 510007.5 Secure Socket Layer (SSL) for HTTP Connections Secure Socket Layer (SSL) allows you to create secure connections for HTTP. Set the flag get version and choose execute. See also the installation guide for SAP Solution Manager in the Service Marketplace: http://service.com/nw07 JAVA CRYPTO TOOLKIT SAP Note 938809 SAP Note 810159 Application help for security topics connected to ICF services 34/172 PUBLIC 03/30/2009 . see the checklist in SAP Note) Subsequent installation of SAP help.

03/30/2009 PUBLIC 35/172 . you need to set—up an HTTP Connect Service.sap.6 Network and Communication Security HTTP Connect Service for SAP Support Information Source Remarks service. follow the descriptions in SAP Note 1072324. You need to maintain this connection for on-site and remote support. see SAP Note 795131. More Information on the configuration task involved. You use Recommendation FTP for SAProuter permission table. prior to installation.6 HTTP Connect Service for SAP Support Due to the firewall between customer and SAP systems.com//instguides SAP Components Media Library Installation guides System security for SAP NetWeaver ABAP and Java (Help setting up system security for ABAP and Java) SAP Solution Manager <current release> service.4 4. To do so. see IMG activity Maintain Router Permission Table (technical name: SOLMAN_SAPROUTER). using Secure Socket Shell (SSH). Make this HTTP secure for remote support with HTTPS. 4. We recommend protecting FTP communication with SAPFTP. 4.7 File Transfer Protocol (FTP) FTP is a network protocol used to send data from one computer to another through a network such as the Internet.com/security Literature 4.8 Required TCP/IP Ports The following ports have to be opened up in your firewall.sap. For more information. To receive support from SAP for these technology types. Recommendation Put the SAP Solution Manager system in the same subnet or DMZ of your managed landscape. it is not possible to display pages of BSPs or Web Dynpro applications in SAP Solution Manager using standard service or support connections. adapt your security settings and firewall accordingly. If you manage systems in different subnets.

>00 (50100) 80<instance no.>00 (50200) Outside (or DMZ) Outside (or DMZ) All managed systems (Diagnostics Agent) More Information All managed systems All managed systems Associated managed systems ITS (HTTP) 80<instance no. 36/172 PUBLIC 03/30/2009 .> Outside (or DMZ) Outside (or DMZ) Outside (or DMZ) Diagnostics Server All managed systems (Diagnostics Agent) All managed systems (Diagnostics Agent) All managed systems (Introscope Agent) Diagnostics Server Diagnostics Server Diagnostics Server Diagnostics Server Diagnostics Server Diagnostics Server Diagnostics Server ITS (HTTP) Introscope Manager (HTTP) IGS (HTTP) (8000) Default: (40180) 8081 4<instance no.>04 (50204) on the current list of ports used by SAP.sap.> (8000) J2EE engine (P4) 5<instance no.>04 J2EE engine (P4) (50104) 81<instance no.4 4.>80 5<instance no.com/security Infrastructure Security TCP/IP Ports Used by SAP Applications .> (8101) Message Server (HTTP) Note: not 36XX) Introscope Enterprise Manager (TCP/IP) Default: 6001 Ports for Communication with Managed Systems Established Connection From Host/Source Host To Hosts/Destination Hosts Service on Destination Hosts (Protocol) J2EE engine (HTTP) Format (example) 5<instance no. in the SAP Service Marketplace: service.8 Network and Communication Security Required TCP/IP Ports Features Ports for Communication to SAP Solution Manager Established Connection To Host/Destination From Hosts/Source Host Host Service on Destination Host (Protocol) J2EE engine (HTTP) Format (example) 5<instance no.

see its guide in the Service Marketplace: http://service. in particular the SAP NetWeaver ABAP.1 User Management Tools User Management for SAP Solution Manager uses the mechanisms provided by the SAP NetWeaver ABAP. and password policies. user types. also apply to SAP Solution Manager. the User Management Engine (UME) of the Java stack is to be configured against the ABAP stack. 5.0) 03/30/2009 PUBLIC 37/172 . Third—party users are always created manually. As the mechanisms provided by the SAP NetWeaver AS Java only apply for Diagnostics. User overviews are classified according to whether they are created in the Solution Manager system or in the managed system. the user management and authentication mechanisms provided by SAP NetWeaver Java are also used.5 User Administration and Authentication 5 User Administration and Authentication The SAP Solution Manager uses the user management and authentication mechanisms provided by the SAP NetWeaver platform. If you use Root Cause Analysis.sap. and Java tools (ABAP: SU01 and Java: UME). Features Tools Overview Object Recommended Tool Remarks Users transaction SU01 User Management in the ABAP system(s) Caution For password security information. as described in the SAP NetWeaver ABAP Security Guide and the SAP NetWeaver Java Security Guide. As SAP Solution Manager is based on SAP NetWeaver ABAP and Java. so the security recommendations and guidelines for user administration and authentication.com/diagnostics . We also provide a list of the standard users required to operate the Solution Manager. Technical users are usually created automatically. see SAP Note 862989 (NW ABAP 7.

2 Secure Storage The secure storage stores encoded data. More Information SAP Note 816861 and SAP Note 1027439. SAP Portal connection. and so on. Some users have already been created during the installation process.5 5. The overviews are structured by main functions/scenarios. you can integrate PFCG roles as groups in SAP NetWeaver Java. to manage J2EE security roles. To integrate the Java-based authorizations supplied by J2EE security roles and UME roles with PFCG roles. Some users are relevant for more than one scenario and are therefore mentioned more than once.2 User Administration and Authentication Secure Storage Object PFCG Recommended Tool Remarks Note roles transaction PFCG User Comparison feature was corrected. see IMG activity: Convert UME (technical name: SOLMAN_CHANGE_UME) 5. see SAP Note 1272331 security UME and the Visual roles and UME Administrator roles (only applies to Java application. such as: 38/172 PUBLIC 03/30/2009 . for instance access data of systems. More Information on UME conversion. Integration Recommendation You should use transaction SU01 to create users. SLD.3 Technical/Dialog Users Created/Used in Solution Manager System Configuration The users in the following tables are created automatically or manually during configuration. Caution If one or more of these values change. 5. The system uses the installation number of the system and the system ID when creating the key for the secure storage. for instance Root Cause Analysis) J2EE Administration console to manage UME roles. and transaction PFCG to assign users to roles. and administration tool of the Java Application Server. the system can no longer read the data in the secure storage. Both of these tools are part of SAP NetWeaver Java.

Automatic creation of users is only possible if you use Java UME with ABAP. via transaction SOLMAN_SETUP.5 5. see section Roles for Basic Configuration in Solution Manager 03/30/2009 PUBLIC 39/172 .3 User Administration and Authentication Technical/Dialog Users Created/Used in Solution Manager System Configuration SAPJSF J2EE_ADMIN J2EE_GUEST DDIC ADSUSER ADS_AGENT SLDDSUSER SLDAPIUSER n n n n n n n n Note If your security policy does not permit the automatic creation of generic users. assigned roles/profiles: n S_CUS_CMP for data read access n S_CSMREG for central system repository data n S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages n S_BDLSM_READ SDCCN data (customer-specific) for SDCCN Service Desk message from managed systems n S_KWHELP for Help Center. TMW. If you use the Central User Administration (CUA). document display see section: RFC Connections READ. you need to create them manually. Features User for RFC Connection BACK (Infrastructure) User (Password) SMB_<managed system ID> Type Remarks System User Technical user “Back User”. BACK Note The role ZSOLMAN_BACK is created from a template during automatic basic settings configuration. you need to create them manually. Users for General Infrastructure Set-up User (Password) SOLMAN_ADMIN (customer-specific) Type Remarks Dialog User User created for basic settings configuration by automatic basic configuration.

automatically created when CTC runtime is activated.3 User Administration and Authentication Technical/Dialog Users Created/Used in Solution Manager System Configuration User (Password) SOLMAN_BTC (customer-specific) Type Remarks System User User created for background processing by automatic basic configuration. automatically assigned profile for role SAP_SMSY_CTC_RT Technical user for CTC templates. if the CTC runtime of the Solution Manager J2EE stack is called for the initial automatic basic configuration of Solution Manager. assigned role: SAP_BC_JSF_COMMUNICATION_RO 40/172 PUBLIC 03/30/2009 . modify and delete CIM instances of the Landscape Description and Name Reservation subset (includes the LcrUser role). responsible for communication from CTC to Solution Manager. The S-user for the SAP Support Portal must be requested via http://service. automatically created when CTC runtime is activated.com. Update Service Definitions. retrieve information about which messages have been changed at SAP. see section Roles for Basic Configuration in Solution Manager User to exchange problem messages with SAP.sap. Users for J2EE Integration (ABAP — UME) User (Password) SAPJSF Type Remarks (customer-specific) Communication User Technical user for SAP Java Security Framework (display) .5 5. assigned role SAP_SLD_CONFIGURATOR corresponds to J2EE security role LcrInstanceWriterLD. see section S-User Authorizations Notes Assistant. allows you to create. User is responsible for communication from Solution Manager to CTC. via transaction SOLMAN_SETUP. automatically assigned role in the related ABAP stack: SAP_J2EE_ADMIN User for execution of CTC templates SM2CTC<Solution Manager ID><client> System User (automatically created) DDIC SLDDSUSER (customer-specific) SLDAPIUSER (customer-specific) Dialog User Dialog User Data Supplier user User for SLD connectivity. Service Preparation Check (RTCCTOOL) S-User (customer-specific) User in SAP Support Portal OSS_RFC (CPIC) CTC2SM_<CTC runtime system ID> System User (automatically created) Technical user for CTC runtime.

SAP_BC_AI_LANDSCAPE_DB_RFC J2EE_GUEST User for J2EE display rights.5 5. role SAP_SOLMANDIAG_E2E (profile S_SMDIAG_E2E) automatically assigned during configuration of Root Cause Analysis 03/30/2009 PUBLIC 41/172 .3 User Administration and Authentication Technical/Dialog Users Created/Used in Solution Manager System Configuration User (Password) J2EE_ADMIN Type Remarks (customer-specific) (customer-specific) Dialog User Dialog User User for J2EE administration. assigned roles: SAP_J2EE_ADMIN. authorized to call managed system. automatically assigned during creation Technical user for basic authentication ADS Technical user for communication between ABAP stack and J2EE stack on which the ADS runs. for instance for displaying HTML Learning Maps Users for Business Process Operations and Job Scheduling Management Scenarios/Functions User (Password) SM_BPMO Type Remarks (customer-specific) Service User Communication User Technical user. assigned role: SAP_SM_BPMO_COMP Technical user for data collection (to get CCMS alerts) for Business Process Operations. assigned role: SAP_J2EE_GUEST User for Graphical Display User (Password) SOLARSERVICE (customer-specific) Type Remarks Service User Technical user for accessing HTTP services in the Solution Manager without login. set in WEBADMIN JCo RFC destination. assigned roles: n SAP_BC_FP_ICF (if double stack: AS ABAP and AS Java (with ADS) n SAP_BC_FPADS_ICF (if AS ABAP and AS Java on separate systems) CSMREG (customer-specific) ADSUSER (customer-specific) ADS_AGENT Service User Service User (customer-specific) Users for Root Cause Analysis Scenario/Function User (Password) SMD_RFC Type Remarks Communication User Technical user. for communication between ABAP stack and Java stack. assigned role: SAP_SOL_LEARNING_MAP_DIS. created in transaction RZ10. assigned role SAP_BC_CSMREG.

TMW. Note Technical user “Back User”. needed by agent to connect to Root Cause Analysis. TMW. see section: S-User Authorizations 42/172 PUBLIC 03/30/2009 . BACK S-User (customer-specific) User in SAP Support Portal Technical user to exchange problem messages with SAP. in case BI is implemented in another Solution Manager client Communication User Technical user. If you change the password of this user in User Management (transaction SU01). the S-user for the SAP Support Portal must be requested via http://service. you need to change the password for this user in its RFC destination in the Solution Manager system as well.3 User Administration and Authentication Technical/Dialog Users Created/Used in Solution Manager System Configuration User (Password) SMD_BI_RFC Type Remarks Communication User Technical user for BI communication.sap. See section RFC Connections READ. automatically assigned role: SAP_J2EE_ADMIN Dialog User User created for SAP Engagement and Service Delivery by automatic basic settings configuration. get information about which messages have been changed at SAP. you can alter user and password settings for this user. BACK When you generate RFC connections using transaction SMSY.5 5. before generating the RFC connection. the system automatically generates a user password. via transaction SOLMAN_SETUP.com. see section User SAPSUPPORT SMD_ADMIN SAPSUPPORT Users for Service Desk Scenario/Function User (Password) SMB_<managed system ID> Type Remarks System User Caution During automatic basic configuration. assigned roles/profiles: n S_CUS_CMP for data read access n S_CSMREG for central system repository data n S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages n S_BDLSM_READ SDCCN data (customer-specific) for SDCCN Service Desk message from managed systems n S_KWHELP for Help Center. document display see section: RFC Connections READ.

the S-user for the SAP Support Portal must be requested via http://service. the S-user for the SAP Support Portal must be requested via http://service.com. via transaction SOLMAN_SETUP. see section: S-User Authorizations Technical user for basic authentication in ADS Technical user for communication between ABAP stack and J2EE stack on which the ADS runs.sap. get information about which messages have been changed at SAP. see section User SAPSUPPORT ADSUSER ADS_AGENT Service User Service User SAPSUPPORT Dialog User Users for System Administration and System Monitoring Scenario/Function User (Password) Type Remarks ALEREMOTE Service User with profile S_BI-WX_RFC. get information about which messages have been changed at SAP.com. for configuration of general settings for BI reporting. in case BI is implemented in another logical system SAP_SM_ALEREMOTE 03/30/2009 PUBLIC 43/172 .3 User Administration and Authentication Technical/Dialog Users Created/Used in Solution Manager System Configuration Users for Change Control (Maintenance Optimizer) Scenario/Function User (Password) Type Remarks S-User (customer-specific) User in SAP Support Portal Technical user to exchange problem messages with SAP.sap. (see SAP Note 150315). see section S-User Authorizations Users for SAP Engagement and Service Delivery Scenario User (Password) Type Remarks S-User (customer-specific) User in SAP Support Portal Technical user to exchange problem messages with SAP.5 5. assigned roles: n SAP_BC_FP_ICF (if double stack: AS ABAP and AS Java (with ADS) n SAP_BC_FPADS_ICF (if AS ABAP and AS Java on separate systems) User created for Service Delivery by automatic basic configuration.

TMW. assigned roles/profiles: n S_CUS_CMP for data read access n S_CSMREG for central system repository data n S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages n S_BDLSM_READ SDCCN data (customer-specific) for SDCCN Service Desk message from managed systems n S_KWHELP for Help Center. Role SAP_BC_CSMREG automatically assigned during creation OS-Level OS—Level Administrator User User to set up CCMS agents Users for Third—Party Integration User (Password) Type Remarks SAP_QC_INTERFACE Quality Center integration user (Test Management) Quality Center integration user (Test Management): for instance QCALIAS Communication User User for Web Service. If you change the password of this user in User Management (transaction SU01). assigned role SAP_QC_WSDL_ACCESS Quality Center integration user System User (Defect Management): for instance DEFECTMAN User for data exchange. See section RFC Connections READ. the system automatically generates a user password. created in transaction RZ21 Technical Infrastructure Configure Central System Create User CSMREG . before generating the RFC connection. BACK When you generate RFC connections using transaction SMSY. TMW. you need to change the password for this user in its RFC destination in the Solution Manager system as well.3 User Administration and Authentication Technical/Dialog Users Created/Used in Solution Manager System Configuration User (Password) SMB_<managed system ID> Type Remarks System User Caution During automatic basic configuration. BACK CSMREG (customer-specific) Communication User Technical user for System Monitoring and BI IT Performance Reporting (Central CCMS) data collection (to get CCMS alerts). Note Technical user “Back User”. assigned role SAP_SUPPDESK_INTERFACE 44/172 PUBLIC 03/30/2009 .5 5. you can alter user and password settings for this user. document display see section: RFC Connections READ. assigned role System User User for WSDL access.

assigned roles SAP_SUPPDESK_ADMIN and SAP_SUPPDESK_INTERFACE Users for Implementation and Upgrade (Help Center Function) User (Password) SMB_<managed system ID> Type Remarks System User Caution During automatic basic configuration.3 User Administration and Authentication Technical/Dialog Users Created/Used in Solution Manager System Configuration User (Password) Type Remarks CPS integration user: for instance CPSCOMM Communication User Technical user for communication between SAP CPS and SAP Solution Manager for Job Scheduling Management.sap. Note Technical user “Back User”. BACK More Information n on automated basic settings configuration of SAP Solution Manager. document display see section: RFC Connections READ. see configuration guide for SAP Solution Manager in the Service Marketplace: http://service. assigned roles SAP_SM_REDWOOD_COMMUNICATION and SAP_BC_REDWOOD_COMM_EXT_SDL BMC integration user External Service Desk integration user Communication User User for Web Service. TMW. assigned roles/profiles: n S_CUS_CMP for data read access n S_CSMREG for central system repository data n S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages n S_BDLSM_READ SDCCN data (customer-specific) for SDCCN Service Desk message from managed systems n S_KWHELP for Help Center.5 5. you need to change the password for this user in its RFC destination in the Solution Manager system as well. before generating the RFC connection. you can alter user and password settings for this user. BACK When you generate RFC connections using transaction SMSY. See section RFC Connections READ. TMW. assigned role SAP_APPSIGHT_INTERFACE Communication User User for data exchange.com/instguides SAP Components SAP Solution Manager <current release> 03/30/2009 PUBLIC 45/172 . If you change the password of this user in User Management (transaction SU01). the system automatically generates a user password.

10) in User Type Remarks Caution During automatic basic configuration. see installation guide for SAP Solution Manager in the Service Marketplace: http://service. TMW. during configuration. Features Users for RFC connections READ and TMW (Infrastructure) role (release > = SAP NW ABAP and Java 6. you can alter user and password settings for this user System User During automatic basic settings configuration role ZSOLMAN_READ is created from template. see section RFC Connections READ. you need to create them manually. 46/172 PUBLIC 03/30/2009 . “READ User”.sap. BACK assigned roles/profiles: n S_CUS_CMP for data read access n S_CSMREG for central system repository data n S_BDLSM_READ for SDCCN data n S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW). and automatic business partner generation n S_AI_SMD_E2E for Root Cause Analysis Note When you generate RFC connections using transaction SMSY. automatically or manually. for read access. automatically generated. Some users are relevant for more than one scenario and are therefore mentioned more than once.com/instguides SAP Components SAP Solution Manager <current release> 5. Note Technical user.4 User Administration and Authentication Technical/Dialog Users Created/Used During Configuration in the Managed Systems n users created during installation. the system automatically generates a user password.5 5.10) and profile (release < SAP managed systems User SM_<SID of Solution Manager system> NW ABAP and Java 6. you need to create them manually.4 Technical/Dialog Users Created/Used During Configuration in the Managed Systems The users in the following tables are created. If you use the Central User Administration (CUA). If you change the password of this user in User Management (transaction SU01). Note If your security policy does not permit the automatic creation of generic users. Automatic creation of users is only possible if you use Java UME with ABAP. you need to change the password for this user in the RFC destination in the Solution Manager system as well. The overviews are structured according to main functions/scenarios.

manually. and are therefore not part of the Change Request Management transport control and distribution process. for instance starting batch jobs for Solution Documentation Assistant. See section RFC Connections READ. TMW. You can also use this profile solely for this purpose. BACK Technical User “TMW User”. In this case. from Change Request Management. or imported locally cannot be identified with a change request by Change Request Management.4 User Administration and Authentication Technical/Dialog Users Created/Used During Configuration in the Managed Systems User User Type Remarks before generating the RFC connection.see section RFC Connections READ. Requests that are created in this way are known to Change Request Management. you have to assign the profile to the technical user.5 5. automatically generated. so we recommend that no users (apart from administrators) are authorized to create transport requests or tasks in Change Request Management-controlled clients. which means that Change Request Management can control their distribution within the landscape. TMW. released. System User This authorization allows batch processing in the managing system for managed systems. BACK The most important task of this technical user is to create and release transport requests and tasks. User for CTC Configuration 03/30/2009 PUBLIC 47/172 . Assigned roles/profiles. remotely. Note SMTM<SID of Solution Manager system> Recommendation Requests that are created. n S_TMW_CREATE for creating and releasing transport requests in development systems and setting the project status switch for creating transport requests n S_TMW_IMPORT for importing transport requests into test systems (empty) n S_SM_EXECUTE for critical execution authorizations in managed systems.

automatically assigned role in related ABAP stack: SAP_J2EE_ADMIN User for CTC Runtime Activation User (Password) SM2CTC<SID of Solution Manager><Client> (Automatically Type Remarks System User Created) Technical user for CTC templates.10) and profile (release < SAP NW ABAP and Java 6. see the configuration guide in the Service Marketplace: http://service.5 5. if the CTC runtime is called for setting up business system connectivity (see section Roles for Business Connectivity Configuration).4 User Administration and Authentication Technical/Dialog Users Created/Used During Configuration in the Managed Systems User (Password) SM2CTC<SID of Solution Manager><Client> (Automatically Type Remarks System User Created) Technical user for CTC templates. responsible for communication from Solution Manager to CTC. They are referred to in the following table as system A (for instance ERP) and system B (for instance CRM).com/instguides SAP Components SAP Solution Manager <current release> . automatically assigned role in related ABAP stack: SAP_J2EE_ADMIN Users for Configuration of Business System Connections During the configuration of business system connections.sap. if the CTC runtime is called for setting up business system connectivity (see section Roles for Business Connectivity Configuration). automatically created when CTC runtime is activated.10) in managed systems 48/172 PUBLIC 03/30/2009 . responsible for communication from Solution Manager to CTC. two technical users for the systems are created. User <product name of system A>2<product name of system B> User Type Remarks example: ERP2CRM System User Technical user to connect system A (ERP) with system B (CRM) assigned default profile SAP_ALL Technical user to connect system B (for instance CRM) with system A (for instance ERP) assigned default profile SAP_ALL <product name of system B>2<product name of system A> example: CRM2ERP Note System User For more information on the configuration of business system connections. Users for System Administration and System Monitoring Scenario/Function role (release >= SAP NW ABAP and Java 6. automatically created when CTC runtime is activated.

TMW. automatically assigned profile S_BI-WX_RFC during connection of source system BI ALEREMOTE (Customer-Specific) OS-Level Administrator OS-Level User User to set up CCMS agents Users for Change Request Management Scenario/Function role (release > Scenario/Function= SAP NW ABAP and Java 6.10) in managed systems NW ABAP 03/30/2009 PUBLIC 49/172 . See section RFC Connections READ. automatically generated. for read access.5 5. the system automatically generates a user password.10) and profile (release < SAP and Java 6. and automatic business partner generation n S_AI_SMD_E2E for Root Cause Analysis Communication User Technical user for data collection (to get CCMS alerts).4 User Administration and Authentication Technical/Dialog Users Created/Used During Configuration in the Managed Systems User SM_<SID of Solution Manager system> User Type Remarks Caution During automatic basic configuration. see section RFC Connections READ. you can alter user and password settings for this user before generating the RFC connection. “READ User”. you need to change the password for this user in the RFC destination in the Solution Manager system as well. Role SAP_BC_CSMREG automatically assigned during creation System User communication user. TMW. If you change the password of this user in User Management (transaction SU01). Note When you generate RFC connections using transaction SMSY. BACK CSMREG (Customer-Specific) System User Technical user. created in transaction RZ21 Technical Infrastructure Configure Central System Create User CSMREG . BACK assigned roles/profiles: n S_CUS_CMP for data read access n S_CSMREG for central system repository data n S_BDLSM_READ for SDCCN data n S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW).

BACK System User Technical user. BACK assigned roles/profiles: n S_CUS_CMP for data read access n S_CSMREG for central system repository data n S_BDLSM_READ for SDCCN data n S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW) and automatic business partner generation n S_AI_SMD_E2E for Root Cause Analysis Technical User “TMW User”. System User 50/172 PUBLIC 03/30/2009 . the system automatically generates a user password. Note When you generate RFC connections using transaction SMSY. and setting the project status switch for creating transport requests n S_TMW_IMPORT for importing transport requests into test systems (empty) n S_SM_EXECUTE for critical execution authorizations in managed systems. you can alter user and password settings for this user before generating the RFC connection. which means that Change Request Management can control the distribution of these requests within the landscape. If you change the password of this user in User Management (transaction SU01). you need to change the password for this user in the RFC destination in the Solution Manager system as well. released.4 User Administration and Authentication Technical/Dialog Users Created/Used During Configuration in the Managed Systems User SM_<SID of Solution Manager system> User Type Remarks Caution During automatic basic configuration. and are therefore not part of the Change Request Management transport control and distribution process. Assigned roles/profiles. n S_TMW_CREATE for creating and releasing transport requests in development systems. See section RFC Connections READ. remotely. from Change Request Management. for read access. TMW.see section RFC Connections READ. so we recommend that no users (apart from administrators) are authorized to create transport requests or tasks in Change Request Management-controlled clients. BACK The most important task of this technical user is to create and release transport requests and tasks. see section RFC Connections READ. for instance starting batch jobs for Solution Documentation Assistant. automatically generated. TMW. SMTM<SID of Solution Manager system> Recommendation Requests that are created.5 5. Requests that are created in this way are known to Change Request Management. TMW. or imported locally cannot be identified with a change request by Change Request Management. automatically generated. “READ User”.

See section RFC Connections READ. for read access. BACK assigned roles/profiles: n S_CUS_CMP for data read access n S_CSMREG for central system repository data n S_BDLSM_READ for SDCCN data n S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW) and automatic business partner generation n S_AI_SMD_E2Efor Root Cause Analysis Users for Root Cause Analysis Scenario/Function role (release >= SAP NW ABAP and Java 6.4 User Administration and Authentication Technical/Dialog Users Created/Used During Configuration in the Managed Systems User User Type Remarks Note This authorization allows batch processing in the managing system for managed systems. you have to assign the profile to the technical user. In this case.10) in 03/30/2009 PUBLIC 51/172 . TMW. Note When you generate RFC connections using transaction SMSY. you need to change the password for this user in the RFC destination in the Solution Manager system as well. You can also use this profile solely for this purpose.10) and profile (release < SAP managed systems User SM_<SID of Solution Manager system> NW ABAP and Java 6. the system automatically generates a user password. you can alter user and password settings for this user before generating the RFC connection.10) in User Type Remarks Caution During automatic basic configuration. TMW.5 5. automatically generated.10) and profile (release < SAP managed systems NW ABAP and Java 6. see section RFC Connections READ. BACK System User Technical user. manually. If you change the password of this user in User Management (transaction SU01). “READ User”. Users for Service Desk Scenario/Function role (release >= SAP NW ABAP and Java 6.

10) in managed systems User SM_<SID of Solution Manager system> User Type Remarks Caution During automatic basic configuration. BACK assigned roles/profiles: n S_CUS_CMP for data read access n S_CSMREG for central system repository data n S_BDLSM_READ for SDCCN data n S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW) and automatic business partner generation n S_AI_SMD_E2E for Root Cause Analysis 52/172 PUBLIC 03/30/2009 . TMW. TMW.4 User Administration and Authentication Technical/Dialog Users Created/Used During Configuration in the Managed Systems User SM_<SID of Solution Manager system> User Type Remarks Caution During automatic basic configuration. for read access. “READ User”. TMW. you need to change the password for this user in the RFC destination in the Solution Manager system as well. you need to change the password System User for this user in the RFC destination Technical user. If you change the password of this user in User Management (transaction SU01). see section RFC Connections READ. you can alter user and password settings for this user before generating the RFC connection. If you change the password of this user in User Management (transaction SU01).5 5. BACK assigned roles/profiles: n S_CUS_CMP for data read access n S_CSMREG for central system repository data n S_BDLSM_READ for SDCCN data n S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW) and automatic business partner generation n S_AI_SMD_E2E for Root Cause Analysis communication user for Wily Host. BACK SMDAGENT_<SID> System User Communication User Technical user. see section RFC Connections READ. automatically generated. “READ User”. for read access to Business Process Monitoring. the system automatically generates a user password.10) and profile (release < SAP NW ABAP and Java 6. See section RFC Connections READ. Note When you generate RFC connections using transaction SMSY. the system automatically generates a user password. assigned role SAP_IS_MONITORING and/or profile ABAP S_IS_MONITOR Users for Business Process Operations and Job Scheduling Management Scenarios/Functions role (release >= SAP NW ABAP and Java 6. automatically generated.

sap.5 User Administration and Authentication User SAPSUPPORT User User Type Remarks in the Solution Manager system as well. role SAP_BC_CSMREG automatically assigned during creation.5 User SAPSUPPORT SAP delivers roles for users that are needed in customer Solution Manager systems for efficient support. see installation guide for SAP Solution Manager in the Service Marketplace: http://service. See section RFC Connections READ.com/instguides SAP Components SAP Solution Manager <current release> 5. Note When you generate RFC connections using transaction SMSY.5 5. This user is required for: n Root Cause Analysis n SAP Engagement and Service Delivery 03/30/2009 PUBLIC 53/172 . Communication User Technical user for communication between SAP CPS and managed system see IMG activity Create Communication User (technical name: SOLMAN_REDWOOD_COMM) CPS user (for instance CPSCOMM) More Information about users created during installation. TMW. created in transaction RZ10. you can alter user and password settings for this user before generating the RFC connection. BACK CSMREG (Customer-Specific) Communication User Technical user for data collection (to get CCMS alerts.

Features You create the dialog user SAPSUPPORT in your Solution Manager and managed systems. You can log on to the managed systems with Single Sign—On (SSO). see section Roles for SAP Engagement and Service Delivery. reducing administrative effort. using the SAPSUPPORT user. If your security policies do not allow the use of generic users. You assign the following roles to this user during configuration: n in the SAP Solution Manager system l SAP_SOLMAN_ONSITE_ALL_COMP (containing all individual roles needed to check and perform services) : Note To provide authorizations which meet your company’s requirements for restricted or full access. and assigns the relevant roles.6 Business Partners Created During Configuration When you configure the SAP Solution Manager using the automatic basic settings configuration. u including SAP_RCA_EXE (containing execution authorization for Root Cause Analysis) u including SAP_DBA_DISP (containing display authorization for DBA Cockpit) u including SAP_SMWORK_BASIC (containing basic authorization for work centers.6 User Administration and Authentication Business Partners Created During Configuration This section gives an overview of the user. SAP delivers two composite roles. see Work Center Navigation Roles) u including SAP_SMWORK_DIAG (work center navigation role) n in the managed systems l SAP_RCA_SAT_DISP (containing execution authorization for Root Cause Analysis) n in the BI client l SAP_BI_E2E (containing execution authorization for Root Cause Analysis) 5. additional business partners for SAP Engagement and Service Delivery are created. and to check and perform services in your system. The system creates the SAPSUPPORT user automatically. during automatic configuration of basic settings. u including SAP_RCA_DISP (containing minimal authorization for Root Cause Analysis) Recommendation Do not copy roles for Root Cause Analysis into your own name space. See section Roles for Root Cause Analysis.5 5. you must create the user SAPSUPPORT manually. during basic settings configuration. 54/172 PUBLIC 03/30/2009 . It is used by SAP Support for display access to Root Cause Analysis-related transactions. or change profiles.

If you are on a lower Support Package Level than SAP Solution Manager 7. More Information on how to configure the basic settings. see Configuration Guide SAP Solution Manager in the Service Marketplace: http://service.5 5. Features The business partners are created as follows: First Name Last Name Remarks SAP SAP SAP SAP SAP Customer Customer Customer Customer Customer Note Technical Quality Manager Support Advisor Engagement Architect Back Office Consulting Program Management Business Process Operations Custom Development Technical Operations Partner Automatically assigned ID TQM or SAPTQM Automatically assigned ID SAPSUPAD Automatically assigned ID SAPENAR Automatically assigned ID SAPBACKO Automatically assigned ID SAPCON Automatically assigned ID CUSTPM Automatically assigned ID CUSTBPM Automatically assigned ID CUSTCD Automatically assigned ID CUSTTO Automatically assigned ID CUSTPAR An additional business partner (name: SAP Support) is automatically created for user SAPSUPPORT as soon as this user is created during the automatic basic settings configuration (see section:User SAPSUPPORT). you need to create these business partners manually. 5.7 How to Create Users and Business Partners for End Users The following lists give an overview of functions that require users in Solution Manager system and managed systems.7 User Administration and Authentication How to Create Users and Business Partners for End Users Note The creation of these users is not part of the SAP Reference IMG (transaction SPRO) for SAP Solution Manager. and functions that require business partner users in the Solution Manager system: Functions Requiring End Users for SAP Solution Manager and Managed Systems 03/30/2009 PUBLIC 55/172 .0 EhP1.com/instguides SAP Components SAP Solution Manager <current release> .sap.

7 User Administration and Authentication How to Create Users and Business Partners for End Users n Implementation: if you use Implementation and subsequently Customizing Distribution to centrally configure your managed systems. n Root Cause Analyses: user SAPSUPPORT is automatically created in the Solution Manager system as well as the managed systems during Root Cause Analysis configuration. Address Data n First Name and Last Name l Function: Digital Signature n E-Mail l Function: Business Process Operations l Function: Issue Management l Function: Service Desk l Function: E-Learning Management The user can receive and send e-mails. This e-mail address can be any address. n Change Request Management n Job Scheduling Management n Change Control: functionality Maintenance Optimizer Procedure Create Users Using Transaction SU01 This paragraph tells you which area in User Management (transaction SU01) needs attention. Enter your user and choose change. 2. which always require users in both systems. Enter the required data and save. n Service Desk: for Key User (end user). see example underneath. Test Management uses Trusted RFC connections. n Service Desk: for Key User (end users) and processors of service desk messages. Functions Requiring Business Partners Based on Users in SAP Solution Manager n Delivery of SAP Services: if you use Issue Management. Implementation and Customizing Distribution use Trusted RFC connections. Note Business Process Operations: for use of auto—reaction methods. as long as it is known to the mail server.5 5. 56/172 PUBLIC 03/30/2009 . n Change Request Management: if the users in the Change Request Management process log on to the managed systems via Solution Manager. n Test Management: if testers have to test in managed systems. 1. and why. see example below n System Administration and System Monitoring (and Business Process Operations): if the system administrator needs to check transactions in managed systems via SAP Solution Manager trusted RFC connection. which always require users in both systems.

Create users for all end users in all three systems. 3. n SAP logon tickets: The Solution Manager supports the use of logon tickets for SSO when using a Web browser to access Solution Manager documents via URLs from outside. You have to create all end users known to Solution Manager as Business Partners. also apply to the SAP Solution Manager. in the Solution Manager system and the managed systems. Create business partners for end users. Choose User list -> Add system. The system opens several sessions on the server. as described in the SAP NetWeaver Security Guide (SAP Library). and the system then prompts the user to re-enter the logon data. as described above. 4. The supported mechanisms are: n Secure Network Communications (SNC) : SNC authenticates users and provides an SSO environment when using the SAP GUI for Windows or Remote Function Calls. 5. Select users. 2. The security recommendations and guidelines for user administration and authentication. Select a system from which you want to create business partners. Users can be issued a logon ticket after they have authenticated themselves with the Solution Manager system. in the Solution Manager system. three systems in total. Note If you change e-mail addresses for users. a second logon.8 User Administration and Authentication Integration into Single Sign-On Environments (SSO) Create Business Partner Using Transaction BP_GEN 1. you need to update your business partners in transaction BP_GEN. see IMG activity Create Key User (technical name: SOLMAN_SUP_BUSPART) 5.8 Integration into Single Sign-On Environments (SSO) The Solution Manager supports the Single Sign-On (SSO) mechanisms provided by the SAP NetWeaver. The system landscape consists of SAP Solution Manager and two managed systems. Choose Edit -> Create Business Partner. Example You want to create end users for Service Desk functionality. in this case an HTML Control). for example. Confirm your entries. The 03/30/2009 PUBLIC 57/172 .5 5. as described above. that require. 2. The user uses SAP GUI to log on to a system. More Information on how to create business partners. 1. It uses various front ends (SAP GUI and Web browser. the application uses the SAP GUI for HTML Control to call another BSP application.

see Service Marketplace:http://service. 58/172 PUBLIC 03/30/2009 . see Secure Network Communications (SAP Library) in the SAP NetWeaver Application Server ABAP Security Guide.8 User Administration and Authentication Integration into Single Sign-On Environments (SSO) ticket can then be submitted to the system as an authentication token.5 5.sap. n on how to use Single Sign-On.com/sso-smp. each time the users access documents via URLs from within the same Browser session. he can access the system directly after the system has checked the logon ticket. The user does not need to enter a user ID or password for authentication. More Information n on SNC.

you generate the authorization profile. A role is an authorization object container. n Roles for configuration of business system connections Using SAP Solution Manager as managing platform. Authorization objects are in authorization roles. you maintain the fields of an authorization object.6 Authorizations 6 Authorizations This section contains: n Authorization concept This section explains the SAP authorization concept. are basic to the concept of SAP Solution Manager as managing platform and its managed systems. n “How To” This section contains procedures for authorization and user management. These connections are created automatically. READ. profile and so on. SAP delivers template roles for end users to be able to perform tasks in an application. and its main terms. This section gives you an overview of roles for these functions. For instance. This section gives you an overview of roles needed for CTC runtime activation and configuration tracks. you define which function groups in authorization object S_RFC (for instance function group SCCA) are to be executable by the user. like TRUSTED. This section explains related critical authorizations in more detail. such as role.1 Authorization Concept Authorizations are defined by authorization objects. It includes such critical transactions as SU01 and PFCG. This section gives an overview of pre-defined template roles for the basic settings configuration and how to create your own roles for scenario—specific configuration. 6. This profile is then 03/30/2009 PUBLIC 59/172 . n Roles for configuration Configuration is performed by a technical consultant or system administrator who is familiar with system administration. When you maintain authorizations. with users and profiles. n RFC connections and critical authorizations RFC connections. TMW and BACK. you can configure most important business system connections. When you have maintained authorizations in authorization objects. n Roles and profiles for end users Users who perform tasks in an application are referred to as end users. for instance authorization to remotely execute function modules is in authorization object S_RFC.

This is a trusting-trusted RFC connection. The SAP Solution Manager server Trusting System trusts the user administration of the client (managed) Trusted System. Test your roles. Here is what you should consider when designing your authorization concept. 6.1 Trusted RFC Connections In a heterogeneous system landscape with SAP Solution Manager as the managing platform. You generate this RFC connection in the SAP Solution Manager in the transaction SMSY. departments and so on. you must have a clear concept of who is to receive which authorizations. Trusted systems can log on to the Trusting System without password. The managed system needs to be a Trusted System in the SAP Solution Manager. You customize/maintain your roles according to your company’s concept.2 RFC Connections to/from Managed Systems and Critical Authorization Objects 6. the template roles delivered by SAP are only templates. To communicate with each other. because you need to adjust your authorizations over time due to company changes or extended use of Solution Manager functions. How you maintain authorization objects and bundle them depends on your company’s security concept. 7. Use a unique naming convention. the SAP Solution Manager and the managed system need the same user name in their user administration (transaction SU01). You can generate different profiles from one role. Procedure 1. and managed system to Solution Manager system. 2. Identify which functions of Solution Manager scenarios you use. Before you grant authorizations to your end users. 6. Maintain your roles. Trusted RFCs need to be maintained from both sides. 4. depending upon how you maintain the authorization objects in the role. The trusting system controls user-specific data. Identify your roles. Each company has different priorities. you need RFC connections between SAP Solution Manager and the managed systems.2 Authorizations RFC Connections to/from Managed Systems and Critical Authorization Objects assigned to the user. and the profile is generated and assigned to the user. As each business requires a different authorization concept. Populate your menu matrix. Create your roles from SAP template roles.2. 5. 3. Solution Manager to managed system.6 6. 60/172 PUBLIC 03/30/2009 . Create a menu matrix according to these functions. and vice versa. Authorizations only function if authorizations are maintained.

deactivate the authorization object in this role after basic settings configuration.2 Authorization Object S_RFCACL The trusting RFC destination has the Current User setting in transaction SM59.2. 2. see SAP Note 555162. The paragraph Troubleshooting. Authorization errors in the use of an RFC destination flagged as a Trusted System cause the following message to be sent: No Authorization to logon as Trusted System (Trusted RC = #). Prerequisites To apply the authorization object. Due to the high potential risk of such an RFC connection. Constraints Every authorization error when using an RFC destination flagged as a Trusted System.6 6. contains the information necessary to correct the error. If your security rules do not allow the use of this authorization object. Features To create the trusted RFC connection you need to have the authorization object S_RFCACL in the Solution Manager and in the managed system for this user. which consists of a number of authorization fields.2 Authorizations RFC Connections to/from Managed Systems and Critical Authorization Objects Note Using SAP router between Solution Manager and managed systems may cause problems in some functions. The RABAX contains detailed error information. Return Code 03/30/2009 PUBLIC 61/172 . which allow a trusting trusted relationship between SAP Solution Manager and any managed system. 6. you need full access to transaction PFCG. is a RABAX (ABAP exception). for instance BSP applications. Choose transaction ST22 and the selection period. the authorization object S_RFCACL is not in authorization profile SAP_ALL. The role SAP_S_RFCACL contains the authorization object S_RFCACL. To solve these. in the SAP Solution Manager system and the managed systems. Caution The authorization object is in role SAP_SM_BASIC_SETTINGS for initial basic configuration of Solution Manager (supported by automatic configuration). Choose the entry under the user SAPSYS and the program name CALL_FUNCTION_SYSCALL_ONLY. To analyze the error: 1.

or do not use the protected users DDIC or SAP* (see: prole parameter and value: login/no_automatic_user_sapstar = 0) 1 2 3 The user has no authorization containing the authorization object S_RFCACL. This includes: n define all (managed) systems n create logical components n assign managed systems to logical components n set-up your solution design Note For a detailed explanation of system landscape and solution design. Features Data is transferred between SAP Solution Manager and its managed systems by RFC connections: 62/172 PUBLIC 03/30/2009 .com/instguides SAP Components SAP Solution Manager <current release> . and the validity date of the logon data.sap. or the system security ID is invalid. READ. Give the user the authorization. More Information n on authorization object S_RFCACL see: http://help. TMW. or is logged on as the protected user DDIC or SAP*.sap. you must set—up your system landscape in the Solution Manager. BACK Before you can use these scenarios/functions.com/nw70 n on role SAP_SM_BASIC_SETTINGS.2 Authorizations RFC Connections to/from Managed Systems and Critical Authorization Objects Return Code Explanation To Do 0 Create a corresponding user in the Invalid logon data (user and client) client system for the user in the for the trusting system server system (trusting system) The calling system is not a trusted system. Check the system time in the client and in the server.3 RFC Connections TRUSTED. The timestamp of the logon data is Synchronize the system times invalid.6 6. Create the trusted RFC connection again. see the SAP Solution Manager master guide in the Service Marketplace: http://service.2. see Roles for Basic Configuration 6.

6 6. integrate Change Request Management into the Service Desk. SID and client refer to the connected managed system. SID and client refer to the SAP Solution Manager system. for Licence Administration Workbench (LAW) and automated business partner generation l S_AI_SMD_E2E for Root Cause Analysis n TMW (SM_<SID>CLNT<Client>_TMW): remote creation of transport requests with tasks for the designated developers in the development systems. or via automatic basic settings configuration. Assigned profiles: l S_CUS_CMP for data read access l S_CSMREG for central system repository data l S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages l S_BDLSM_READ for SDCCN data (customer-specific) collection l S_KWHELP for Help Center functionality To create these RFC connections. lock customizing objects against changes in Customizing Distribution. Change Request Management. see SAP Note 176277: Generating RFC trace information. In case of RFC problems after generation. See section RFC Connection: TRUSTED n BACK (SM_<SID>CLNT<Client>_BACK): send SDCCN data or messages from a managed system to the SAP Solution Manager system. or Monitoring. Assigned profiles: l S_CUS_CMP for data read access l S_CSMREG for central system repository data l S_BDLSM_READ for SDCCN data l S_USER_GRP for user group display of all users. Service Desk. and enter analysis transactions for System Monitoring and Business Process Monitoring. SID and client refer to the connected managed system. Assigned profiles: l S_TMW_CREATE create and release transport requests in development systems. and set the project status switch to create transport requests l S_TMW_IMPORT import transport requests into test systems (empty) l S_SM_EXECUTE critical execution authorizations in managed systems n TRUSTED (SM_<SID>CLNT<Client>_TRUSTED): use of TBOMs in Test Management. Root Cause Analysis. These users are assigned to the profiles for data transfer. in Change Request Management. the system generates technical users for the RFC connection needed. SID and client refer to the connected managed system.2 Authorizations RFC Connections to/from Managed Systems and Critical Authorization Objects n READ (SM_<SID>CLNT<Client>_READ): transfers data. Note These profiles are more or less static. in transaction SOLMAN_SETUP. for instance in Customizing Distribution. customize data transfer from the source system to the target system. when you generate the RFC in transaction SMSY. 03/30/2009 PUBLIC 63/172 .

6 6. Note For more information on the creation of RFC connections in automatic basic settings configuration.2 Authorizations RFC Connections to/from Managed Systems and Critical Authorization Objects Example The following screen shows you the dialog box for partitions: n n n RFC generation in transaction SMSY. when you generate them.sap. These users are also automatically assigned profiles. see the configuration guide for SAP Solution Manager in the Service Marketplace: http://service. S8T is the Solution Manager system and DHZ is the managed system. which are automatically created in the managed and managing system.com/instguides SAP Components SAP Solution Manager <current release> . In this example. with three RFCs from the Solution Manager to the managed system RFCs from the managed system to the Solution Manager RFCs to be generated RFC Generation in Transaction SMSY Figure 1: The system provides users. users and password are generated automatically by the system. for the READ. If you want to use an existing user of your managed system. with or without password. 64/172 PUBLIC 03/30/2009 . TMW and BACK RFC connections. enter it.

if you want a user to be able to call function groups remotely. see sections on technical users). and end users (for more information. see section on Technical Users in managed system See SAP Note attachment: 831535 ( Used for CCMS Monitoring. technical user SMD_RFC.2 Authorizations RFC Connections to/from Managed Systems and Critical Authorization Objects 6. The following table gives an overview of the field values for the field RFC_NAME for authorization object S_RFC in profiles/roles that are assigned to technical users during RFC generation in transaction SMSY. see section on Technical Users in managing system SAP_SOLMANDIAG_E2E/ S_SMDIAG_E2E 03/30/2009 PUBLIC 65/172 . Features Profiles with Function Groups for S_RFC Role/Profile S_CUS_CMP Function Group Values in Field RFC_NAME Remarks See SAP Note attachment: 831535 ( Used for comparing customizing between systems. technical RFC Read) user READ RFC user. it needs authorization object S_RFC in the target system. RFC Read) technical user READ RFC user.2. see section on Technical Users in managing system S_CSMREG D_SOLMAN_RFC S_AI_SMD_E2E See SAP Note attachment: 831535 ( Used for Root Cause Analysis E2E in the managed system. see sections on roles for end users). and during automatic technical configuration of Solution Manager and managed systems in transaction SOLMAN_SETUP. SAP Solution Manager interacts with its managed systems mainly via RFC. so this authorization object must be assigned to certain technical users as well as end users.6 6. display only. RFC Read) see section onTechnical Users in managed system See SAP Note attachment: 831535 (RFC for SDCCN BACK User) Compositional profile for general Solution Manager RFC user. For instance. This section lists all profiles/roles with authorization object S_RFC that must be assigned to technical users (for information on technical users. see section on Technical Users in managed system See SAP Note attachment: 831535 (Diagnostics SolMan RFC) Used for Root Cause Analysis.4 Authorization Object S_RFC Authorization object S_RFC controls RFC access to function groups. technical user BACK RFC user. technical user READ RFC user.

3 Roles for Solution Manager Configuration 6. see section on Technical Users in managing system S_KWHELP See SAP Note attachment: 831535 (RFC on Help CenterTMW User) Note Authorization object S_RFC can be traced with audit log trace in transaction SM19 and SM20. fully maintained for automatic configuration. Caution Roles for basic settings configuration are delivered by SAP as template roles. maintain field ACTVT with value 36 of authorization object S_RFC_ADM. You have to configure all basic settings before you start configuring scenario-specific settings and/or Service Provider-specific settings. If it is missing. the remote login in transaction SM59 causes the RFC_NO_AUTHORITY ABAP runtime error in the target system. display of Knowledge Warehouse documents. see section onTechnical Users in managed system Used for Help Center.3 Authorizations Roles for Solution Manager Configuration Role/Profile S_SM_EXECUTE Function Group Values in Field RFC_NAME Remarks See SAP Note attachment: 831535 (RFC on Change Manager TMW User) Used for Solution Documentation Assistant and background processing of TMW — user. technical user BACK RFC user. To protect the deletion of traces.1 Roles for Basic Configuration of Solution Manager The basic settings configuration for Solution Manager is mandatory. Example The SYST function group is needed to call a system. 6.3. You can configure basic settings by using either: n SAP Reference IMG via transaction SPRO or n the automatic procedure via transaction SOLMAN_SETUP The following paragraph gives you an overview of the roles used for the two procedures. 66/172 PUBLIC 03/30/2009 . so all authorization fields without specific values contain authorization value “*”.6 6.

or copy the authorization object and maintain it according to your needs. you can deactivate this authorization object.3 Authorizations Roles for Solution Manager Configuration Features SAP Reference IMG You must assign the following roles to the user who configures basic settings: n SAP_SM_BASIC_SETTINGS This role contains all authorization objects necessary for ABAP stack. you need to either remove the authorization restriction in this authorization object. All users created during the automatic basic settings configuration. Note The authorization field ACT_GROUP is initially restricted to roles with names SAP* and ZSAP*. l S_USER_GRP If you use this role for manual configuration of the basic settings in transaction SPRO. Caution Value “*” allows full authorization for the authorization field. l S_DEVELOP If you use this role for implementing SAP Notes via SAP Notes Assistant. This is especially critical for authorization objects S_RFC (function groups) and S_TABU_DIS (cross-table maintenance for customizing). you need to either remove the authorization restriction in this authorization object. values for these authorizations cannot be delivered via a template role. l S_USER_AGR If you use this role for manual configuration of the basic settings in transaction SPRO. are assigned this user group. Note The authorization field CLASS is initially restricted to user group SAP_SM*. This user group with default naming convention <SAP_SM*> is created automatically during automatic basic settings configuration. Note After the initial configuration. Because of differences in configuration tasks. or copy the authorization object and maintain it according to your needs.6 6. you need to activate in 03/30/2009 PUBLIC 67/172 . by user SOLMAN_ADMIN. if you do not want to assign it to your user. Other security-relevant authorization objects in this role: l S_RFCACL See section Authorization Object S_RFCACL. in Solution Manager.

Automatic Basic Settings Configuration When you use the automatic basic settings configuration procedure. ZSOLMAN_ADMIN. This role is based on templates from the above roles for manual configuration via SAP Reference IMG. Note The system assigns role SAP_SM_CONF_SEC because of its critical authorization object. Recommendation You should also create an additional role for transactions SE03 and SE09.related authorization objects in authorization class CRM. you must assign these roles to your administration user. see section Roles for BI-Related Functions. n SAP_SM_BATCH This role contains authorizations for a defined user for background job processing (user SOLMAN_BTC during automatic basic settings configuration). When you modify SAP standard customizing (for instance transaction types and/or status profiles). See section Roles for BI-Related Functions.6 6. Authorization objects of this role are included in role SAP_SM_BASIC_SETTINGS. you must assign these roles to your administration user. to implement SAP Notes via transaction SNOTE. n SAP_BW_CCMS_SETUP To configure BI-related functions. you must maintain these authorization objects accordingly. See also SAP Note 1314587. to this user. You can select it during automatic basic setting configuration. the configuration user SOLMAN_ADMIN creates the following users: 68/172 PUBLIC 03/30/2009 .3 Authorizations Roles for Solution Manager Configuration authorization object S_DEVELOP activity 16. you create/use a user for administration purposes: SOLMAN_ADMIN. n SAP_SMWORK_BASICCONF_COMP This composite role contains all work center navigation roles. Note This role contains CRM . n n SAP_J2EE_ADMIN SAP_BI_E2E To configure BI-related functions. The system assigns a template role. Note Individual role SAP_SMWORK_BASIC contains all necessary OBN targets. containing all necessary authorizations. During automatic basic settings configuration.

and contains all necessary authorization for batch processing. see section on technical users in SAP Solution Manager n about work center navigation roles included in composite role SAP_SMWORK_BASICCONF_COMP.3 Authorizations Roles for Solution Manager Configuration SOLMAN_BTC n Role SAP_SM_BATCH is automatically assigned.6 6. see section Work Center Navigation Roles 6.3.2 Roles for Basic Configuration in Managed Systems The following functions require users with configuration authorization in the managed systems: n Trusted RFC Connection n Service Data Control Center n Root Cause Analysis Features Trusted RFC Connection Profile Type Remarks Authorization object S_RFCACL ABAP See sections: n Authorization Object S_RFCACL n How to Create Roles for End Users Service Data Control Center Role/Profile SAP_SDCCN_ALL / S_SDCCN_ALL Type ABAP Remarks See section Roles for Infrastructure Root Cause Analysis 03/30/2009 PUBLIC 69/172 . n SAPSUPPORT See section SAPSUPPORT User More Information n about users SOLMAN_ADMIN and SOLMAN_BTC.

6 6.3

Authorizations Roles for Solution Manager Configuration

Role

Type

Remarks

Authorization to configure Root Cause Analysis
Caution

SAP_RCA_CONF_ADMIN

ABAP

To configure Root Cause Analysis in the managed system using the automatic initial basic configuration procedure, you require authorization to create users (transaction SU01) and assign roles (transaction PFCG) in the managed system. For security reasons, we do not deliver roles for these critical transactions. You need to create these roles and assign them to the configuration user for Root Cause Analysis explicitly. For security reasons, roles for these transactions are not delivered. You have to create them yourself. See section How to Create Roles for End-Users

Administration role(s) for transaction SU01 and transaction
PFCG ABAP

6.3.3 How to Create Roles for Scenario-Specific Configuration in Solution Manager
As of SAP Solution Manager EhP1 there are no dedicated authorization roles for scenario-specific configuration. This section tells you how to create your own roles for the configuration of scenarios.
Note

Configuration of scenario—specific functions can involve configuration of cross-scenario settings. For these functions, additional configuration roles may be needed (if you do not use profile SAP_ALL). They are specified in the IMG activity for cross-scenario functions.
Caution

Exception: BI—relevant functions require additional roles for setup, see section Roles for BI—Relevant Functions.
Prerequisites

To be able to create authorization roles for scenario—specific configuration, you have created an IMG project in transaction SPRO_ADMIN. For more information, see configuration guide for SAP Solution Manager.

70/172

PUBLIC

03/30/2009

6 6.3

Authorizations Roles for Solution Manager Configuration

Procedure
Note

This procedure is based on the example customizing project in How to Create Customizing Projects and Project IMGs. 1. Create an IMG Project (See section More Information) Before you can create a role for scenario-specific configuration, you need to create an IMG project. This project is the basis for role configuration as it contains all transactions you run later on. 2. Create a Role in Transaction PFCG a) Choose transaction PFCG. b) Enter a role name in your name space, for instance: ZROLE_IMG_MYPROJECT and choose button Single Role. c) Enter a description for your role, for instance: IMG project: Implementation/Upgrade as of ST SP15. d) Save your role.
Note

You are asked for a transport request. 3. Define Configuration Transactions for Your IMG Project In role creation, transactions form the basis to easily maintain all necessary authorization objects. When you enter a transaction in the menu tab in your role, the system traces all authorization objects required for this transaction. a) To receive all transactions which are contained in the customizing project, choose in the menu: Utilities Customizing auth. b) In the appearing dialog box, choose button Add to attach your customizing project or customizing project view. In our case, we choose the customizing view that was created. c) In the various dialog boxes, choose your customizing project or customizing project view, in our case myproject. The system automatically assigns all relevant transactions and authorization objects for your customizing project or customizing project view. d) Confirm your project assignment. 4. Maintain Authorization Objects Authorization object defaults delivered by SAP contain minimal authorizations. To grant full authorization for the according authorization objects you need to maintain these objects. a) In the Role Maintenance, choose tab Authorizations. b) Choose button Change. c) Maintain all activity values per authorization object according to your needs, for instance if you want to grant full authorization, always choose all activities.

03/30/2009

PUBLIC

71/172

6 6.4

Authorizations Authorization Roles and Profiles for End Users

Caution

All authorization objects need to receive a green traffic light. Beware, that the authorization trace does not trace values for critical authorization objects S_RFC and S_TABU_DIS. d) Generate the profile. e) To assign this profile to a user, choose tab User, add your user in the table and execute the user comparison. f) Save.
Result

You have now created a role for your specific IMG configuration project.
Caution

If a project or a project view was assigned to a role, you cannot manually assign any transactions to this role and vice versa. You should therefore only use the role to generate and assign Customizing authorizations.
More Information

n on: configuration and on how to create an IMG project, see: l Document: How to Create Customizing Projects and Project IMGs on the Service Marketplace: http://service.sap.com/solutionmanager Media Library Technical Papers. l Conguration Guide for SAP Solution Manager on the Service Marketplace: http://service.sap.com/instguides SAP Components Solution Manager <current release>.

6.4 Authorization Roles and Profiles for End Users

6.4.1 Roles for Infrastructure
The following paragraph gives you an overview of the roles relevant for infrastructure.
Caution

Roles for System Landscape Directory (SLD) and so on, are not mentioned here. See the for SAP Solution Manager installation guide in the Service Marketplace: http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> or, for SLD, also http://sdn.sap.com SAP NetWeaver Capabilities Lifecycle Management Application Management System Landscape Directory .

72/172

PUBLIC

03/30/2009

Explanation: D_SOL_VSBL with 03 + * and 02 + XXX gives authorization to display all solutions but only editing rights for one. logical components and solutions. servers. D_SOL_VSBL needs to be copied and maintained with act. 02 and solution ID for solution XXX. Name SAP_SM_SOLUTION_ALL SAP_SM_SOLUTION_DIS or via Type ABAP ABAP Remark Full authorization for solutions Display authorization for solutions Example n Problem: Maintain One Solution and Display All Other Solutions User A needs to use Maintenance Optimizer for a number of systems. maintenance of systems. databases and logical components Display authorization for transaction SMSY SAP_SMSY_DISP ABAP Solution A solution can be regarded as a container for systems. Solution: Role SAP_SM_SOLUTION_DIS needs to be maintained in authorization object D_SOL_VSBL. which are in solution XXX.6 6. Note You can display the Solution ID in Work Center Solution Manager Administration Solutions transaction SOLUTION_MANAGER Solution Overview Goto Technical Information . The role for Maintenance Optimizer SAP_MAINT_OPT_ADMIN is assigned as well. according to either the business process running via various systems. Name SAP_SMSY_ALL Type ABAP Remark Full authorization for transaction SMSY. The user should not be able to change or maintain any data in other existing solutions. but should be able to display them. systems.4 Authorizations Authorization Roles and Profiles for End Users Features Data Model Name SAP_DMDDEF_DIS Type ABAP Remark Display authorization for data model System Landscape Maintenance (Transaction SMSY) In transaction SMSY you maintain databases. servers. The user is only able to work with Maintenance Optimizer for the 03/30/2009 PUBLIC 73/172 . or the system type.

and/or transfer business processes from a project to your solution. Service Connection 74/172 PUBLIC 03/30/2009 . Solution: In role SAP_SM_SOLUTION_ALL authorization object D_SOL_VSBL can be maintained as follows: remove activities 02 + 06 (leaving 01 + 03) for solution IDs for XXX and YYY. Solution Directory The Solution Directory can be regarded as a repository for solutions. Name SAP_SOLMAN_DIRECTORY_ADMIN Type ABAP Remark Administer data in Solution Directory Maintain data in Solution Directory Display data in Solution Directory SAP_SOLMAN_DIRECTORY_EDIT ABAP SAP_SOLMAN_DIRECTORY_DISPLAY ABAP Solution Transfer Name SAP_SOLUTION_TRANSFER Type ABAP Remark Authorization to transfer solutions Note Solution Transfer: When you transfer solutions. For each solution.4 Authorizations Authorization Roles and Profiles for End Users solution with editing rights. see SAP Note 920153.6 6. The system bundles information aboot logical components and business processes at SAP. all productive data of your chosen solutions is transferred by default. This data package is only partially read and used by SAP. n Problem: Create Solution and Display Others User A should be able to create solutions and display XXX and YYY. You can then use the Internet Explorer to view this XML file. you can decide whether you want to transfer only productive data. per customer. To view the data of a solution. When you make your solution known to SAP. To disable it. its data is regularly updated by a background job. all data or no data. During transfer. Activity 03 grants display only for the specified solutions. You can specify business processes for your solution. data is download to SAP via transaction DMD_OPEN. use report RDSMOP_VIEW_SOLUTION_XML to save the information sent to SAP as an XML file on your local PC. Explanation: Activity 01 is independent of solution IDs.

Name SAP_SOL_PM_COMP Type ABAP Remarks composite role composite role composite role composite role composite role composite role Organize and plan a project Create business content and document operational activities Perform technical configuration Develop customer-specific programs and authorizations Read-only authorization for SAP Solution Manager Read user by status (document management) SAP_SOL_AC_COMP SAP_SOL_TC_COMP SAP_SOL_BC_COMP ABAP ABAP ABAP SAP_SOL_RO_COMP ABAP SAP_SOL_RE_COMP ABAP 03/30/2009 PUBLIC 75/172 . Caution Individual roles for Testing are only relevant for the standard testing functionality. see the link in IMG activity: Information and Configuration Prerequisites for System Landscape (technical name: SOLMAN_SYST_INFORMAT) 6.2 Roles for Implementation and Upgrade The Implementation and Upgrade scenario contains a number of functions in combination.6 6.4 Authorizations Authorization Roles and Profiles for End Users Name SAP_SERVICE_CONNECT Type ABAP Remark Authorizations for Service Connection and SAProuter Display authorizations for Service Connection SAP_SERVICE_CONNECT_DISP ABAP More Information for a detailed explanation of roles for infrastructure.4. Composite roles are a set of individual roles that are relevant for the business role. Features Implementation and Upgrade Functions in the Solution Manager System Roles for Implementation and Upgrade are predefined Composite Roles (technical abbreviation: *_COMP) for business-related roles such as Project Manager (technical abbreviation: *_PM_*) or Technical Consultant (technical abbreviation: *_TC_*). Other features can complement the possible functions. There are additional roles for Test Management in: Roles for Test Management.

to use E-Learning management tool Document Management Roles in SAP Solution Manager System You can control the access rights to documents in the project by assigning authorizations for groups of documents. edit.4 Authorizations Authorization Roles and Profiles for End Users Example n Problem: Restrict System Landscape The system administrator creates the system landscape for your project. to: n administer. the user should have the value 03 (display) for authorization object S_PROJECT. Solution: In role SAP_SOL_PROJ_ADMIN_* ( in composite role SAP_SOL_*_COMP).6 6. the user should have the value 03 (display) for authorization object S_PROJECT. and the value PROJ (project) for authorization object S_CTS_ADMI. create. n Problem: Change Request Management Activation The technical consultant for the implementation of Change Request Management in the project is responsible for activating the functionality in a template project. Solution: In role SAP_SOL_PROJ_ADMIN_* ( in composite role SAP_SOL_*_COMP). for instance you can specify that only the project management can change documentation templates. in the project administration. and the value SYST (access to system landscape maintenance in a project) for authorization object S_PROJ_GEN. This can be done in the project administration (transaction: SOLAR_PROJECT_ADMIN). S_CTS_ADMI E-Learning Management Name Type Remarks SAP_SOL_TRAINING_ALL SAP_SOL_TRAINING_EDIT ABAP ABAP Individual role (in SAP_SOL* composite roles). The project manager maintains all other data for the project. create. Your system administrator should not have access to other project data than the system landscape information. and delete documents during implementation and upgrade n administer. but the user should not be able to maintain any other data for the project. Name Type Remarks SAP_SOL_KW_ALL ABAP Individual role (in SAP_SOL* composite roles). in the project administration. The system saves Solution Manager documents in folders. and delete documents in test management n use Help Center functionality (authorization object S_IWB with full authorization) 76/172 PUBLIC 03/30/2009 . edit. to use E-Learning management tool Individual role (in SAP_SOL* composite roles).

in authorization object C_SIGN_BGR. This authorization object is contained in all Document Management single roles. If you want restrict this authorization for a special project. the user has the authorization value PROD for field SIGNAUTH.6 6. but not for the authorization group QUAL (quality assurance).4 Authorizations Authorization Roles and Profiles for End Users Name Type Remarks Individual role (in SAP_SOL* composite roles). assign the project (ID) to field IWB_FLDGRP (Folder Group). Solution: This can be controlled with the authorization object S_IWB and the activity 95. 03/30/2009 PUBLIC 77/172 . see also IMG — activity Assign Status Values for Read Authorization (technical name: SOLMAN_DOC_READAUTHO) Example SAP_SOL_KW_READ SAP_SOL_KW_DIS ABAP ABAP You can specify that a user can only display documents with the status Released. You can display versions of a document with specified status values. to: n display documents during implementation and upgrade n display Help Center functionality n display documents in test management (authorization object S_IWB with activity 03) Corresponding Roles in Managed Systems Name SAP_BC_WDHC_ADMINISTRATOR SAP_BC_WDHC_POWERUSER Type ABAP ABAP Remarks Authorization to administer Help Center in managed system Authorization to use Help Center in managed system Access to Knowledge Warehouse folders is controlled by the authorization object S_IWB. to read documents. Individual role (in SAP_SOL* composite roles). but not with status Review. Caution You should keep the default values in the field IWB_AREA (area). n Problem: Document Management: Unlock Documents You want to allow a user to unlock documents which are locked by a status schema. Example n Problem: Digital Signature: Restrict by Authorization Group User A can sign for the authorization group PROD (production). see above table column Remarks. (authorization object S_IWB with activity 33) . Solution: In role SAP_SOL_KW_*.

Solution: This can be done with the combination of folder group and project authorizations. Profiles start with S_*. Roles and profiles for managed systems are delivered with Software Component SAP_BASIS. You restrict the following authorization objects: l S_PROJECT with field PROJECT_ID l S_IWB and S_IWB_ATTR with field IWB_FLDGRP Changing of Roadmaps Name Type Remarks SAP_RMDEF_RMAUTH_EXE SAP_RMDEF_RMAUTH_DIS ABAP ABAP For administration: change roadmaps (in addition to SAP_SOL_*_COMP) For display : display roadmaps (in addition to SAP_SOL_*_COMP) Solution Documentation Assistant Name Type Remarks SAP_SDA_ALL SAP_SDA_DIS ABAP ABAP Full authorization: needs to be added to according composite Implementation and Upgrade (SAP_SOL_*_COMP) and work center navigation role Display authorization: needs to be added to composite Implementation and Upgrade (SAP_SOL_*_COMP) and work center navigation role Implementation and Upgrade Functions in Managed Systems Some functions require roles or profiles in the managed systems. 78/172 PUBLIC 03/30/2009 . is assigned to the project. and its name. Note SAP—delivered roles start with SAP namespace SAP. the system puts them in a folder group which is assigned to the project. n Problem: Document Management: Restrict Project You want users who are assigned to a project to only be able to search for. When documents are created for a project.6 6. edit or display the documents for this project. for instance the folder group with the name XYZ.4 Authorizations Authorization Roles and Profiles for End Users Documents remain locked during signature procedure.

03/30/2009 PUBLIC 79/172 .4. The systems are connected by RFC. It contains two use cases: n Clearing Analysis n Upgrade/Change Impact Analysis Note See use case description in the Application Help for SAP Solution Manager in the Help Portal: http://help.com SAP Solution Manager . Both use cases involve several systems.3 Roles for Custom Development Management Cockpit Custom Development Management Cockpit can be accessed from the Implementation and Upgrade work centers.6 6. authorization object S_RFC is missing and needs to be maintained (transaction PFCG). see SAP note 505603 Activate BC Sets Create BC Sets Administration of BC Sets S_CUS_CMP Customizing Scout and System Landscape BC Sets SAP_SOLAR_SATELITE_SCOUT SAP_SOLAR_SATELITE_SMSY SAP_BCS_ACTIV SAP_BCS_CREAT SAP_BCS_ADMIN More Information n see IMG activity: Information and Configuration Prerequisites for Implementation (technical name: SOLMAN_RECOMMEND) n see IMG activity: Information and Configuration Prerequisites for Solution Documentation Assistant (technical name: SOLMAN_SDA_INFO) 6.sap. Values: n ACTI: 16 n RFC_NAME: S_SOLAR_RFC_00 n RFC_TYPE: FUGR SAP_BC_CUS_CUSTOMIZER To change customizing settings.4 Authorizations Authorization Roles and Profiles for End Users Functionality Role/Profile SAP_BC_CUS_ADMIN Remarks Customizing Distribution and Comparison Administration of customizing projects. useSAP_BC_CUS_ADMIN Customizing Scout System Landscape Activate BC Sets.

Composite roles for implementation and upgrade contain individual roles for individual functions. It contains only the authorizations necessary for the tasks carried out on the statistics system (activation of statistics collection. determination of empty tables. such as product manager or application consultant. see the master guide for SAP Solution Manager in the Service Marketplace: http://service.4. See Roles for Implementation and Upgrade in this document. import of the collected statistics to the control center.sap. which contain the function Testing. are included in the composite roles for implementation and upgrade. Test Workbench (Workflow) in the Solution Manager System 80/172 PUBLIC 03/30/2009 .4 Authorizations Authorization Roles and Profiles for End Users Features Custom Development Management Cockpit Name SAP_CDMC_USER Type ABAP Remarks Execution authorization for CDMC Administration authorization for CDMC including maintaining global settings and deleting CDMC projects This role can be used for the technical user for the RFC connection to the statistics system in Clearing Analysis. For detailed information about the scenario.4 Roles for Test Management Test Management includes all functions relevant for testing.6 6. Features Test Management in the Solution Manager System Name SAP_SOL_TESTER_COMP Type ABAP Remarks composite role Perform tests Caution Basic roles for other target groups.com/instguides SAP Components SAP Solution Manager <current release> . syntax check for source code objects) SAP_CDMC_MASTER SAP_CDMC_STAT_SYSTEM ABAP ABAP 6.

Name SAP_SM_BPCA_RES_ALL Type ABAP Remarks result execution authorization BPCA BPCA result display authorization BPCA TBOM execution authorization BPCA TBOM display authorization SAP_SM_BPCA_RES_DIS SAP_SM_BPCA_TBOM_ALL SAP_SM_BPCA_TBOM_DIS ABAP ABAP ABAP Note You must use the roles for Business Process Change Analysis in combination with: n the composite roles for the scenario Upgrade and Implementation and/or Test Management. See Test Management Work Center. authorization to create business partners Display workflow SAP_STWB_WORKFLOW_DIS ABAP Note You must use the roles for Test Workbench Workflow in combination with the composite roles for the scenarios Upgrade and Implementation and Test Management. Test Management Roles in Managed Systems Some functions in Test Management require corresponding roles or profiles in the managed systems. Note Roles delivered by SAP start with SAP namespace SAP. Business Process Change Analysis (BPCA) in the Solution Manager System This function is called via the Test Management work center. see Roles for Implementation and Upgrade.4 Authorizations Authorization Roles and Profiles for End Users Name SAP_STWB_WORKFLOW_CREATE SAP_STWB_WORKFLOW_ADMIN Type ABAP ABAP Remarks Use workflow Administration workflow. Function CATT Role/Profile SAP_BC_CAT_TESTER SAP_BC_CAT_TESTORGANIZER Remarks Testing with CATT Test Organization with CATT See SAP note 519858 eCatt 03/30/2009 PUBLIC 81/172 . if you work with solutions.6 6. Roles and profiles for managed systems are delivered with Software Component SAP_BASIS. Profiles start with S_*. n SAP_SM_SOLUTION_*. see Roles for Infrastructure.

6 6.4

Authorizations Authorization Roles and Profiles for End Users

Function

Role/Profile
SAP_TWB_TESTER SAP_TWB_COORDINATOR SAP_TWB_ADMINISTRATOR

Remarks

Test Workbench

Testing with Test Workbench Coordination with Test Workbench Administration with Test Workbench

Reporting Test Management in BI Client
Name
SAP_BI_TWB

Type
ABAP

Remarks

If you use an external BI system for Solution Manager reporting, you need to download this role to your PC, and upload it to your dedicated BI system, see section Roles for BI-Related Functions This role is generally needed for BI—related functions, see section Roles for BI-Related Functions

SAP_SM_BI_EXTRACTOR

ABAP

More Information

n see IMG activity: Information and Configuration Prerequisites for Test Management (technical name: SOLMAN_INFO_TEST) n see activity: Information and Configuration Prerequisites for Test Workbench (technical name: SOLMAN_TEST_WF_INFO)
IMG

6.4.5 Roles for System Monitoring and System Administration
Roles for System Monitoring and System Administration include setup and/or operations of EarlyWatch Alert; Service Level Reporting, System Monitoring, and Central System Administration. The roles SAP_SV_SOLUTION_MANAGER (full authorization) and SAP_SV_SOLUTION_MANAGER_DISP (display authorization) have authorization for all functions/sessions. To grant authorization for all sessions in setup use SAP_SETUP_DSWP, and for operations, SAP_OP_DSWP.
Note

Each session type is identified by a bundle ID. To get the bundle ID for a session type: 1. Open the session in the Solution Manager. 2. Choose Goto Technical Information . The bundle ID is in the field Session Package/Version.

82/172

PUBLIC

03/30/2009

6 6.4

Authorizations Authorization Roles and Profiles for End Users

Features

Roles and Profiles for Service Data Control Center (Transaction SDCCN) in the Solution Manager System and Managed System Roles/profiles for Service Data Control Center (SDCCN) are relevant for EarlyWatch Alert. SDCCN must be active in the Solution Manager system and in the managed systems.
Note

Roles and profiles for managed systems are delivered with Software Component ST-PI. For systems with SAP NW >=6.10, use SDCCN roles (for instance SAP_SDCCN_ALL), for systems with SAP NW < 6.10, use profiles (for instance profile S_SDCCN_ALL).
Role Name Profile Name Type Remarks

SAP_SDCCN_ALL

S_SDCCN_ALL

ABAP

Service Data Control Center Administration, change setup Service Data Control Center display only Maintain Service Data Control Center

SAP_SDCCN_DIS SAP_SDCCN_EXE

S_SDCCN_DIS S_SDCCN_EXE

ABAP ABAP

EarlyWatch Alert in Solution Manager
Name Type Remarks

SAP_SETUP_DSWP_EWA SAP_OP_DSWP_EWA

ABAP ABAP

Full authorization for Early Watch Alert session in operations setup (according to bundle ID) Full authorization for EarlyWatch Alert session in operations (according to bundle ID)

Central System Administration in Solution Manager
Name Type Remarks

SAP_SETUP_DSWP_CSA SAP_OP_DSWP_CSA

ABAP ABAP

Full authorization for Central Service Administration session in operations setup (according to bundle ID) Full authorization for Central Service Administration session in area operations (according to bundle ID)

03/30/2009

PUBLIC

83/172

6 6.4

Authorizations Authorization Roles and Profiles for End Users

Example

n Problem: Restrict Session The authorization object D_SOLMANBU controls the activities allowed for each session (bundle ID). You want to restrict access to the self-service SAP EarlyWatch Health Check. SAP delivers no default role for this session. Solution: Copy role SAP_OP_DSWP, and maintain authorization object D_SOLMANBU. Enter bundle ID EW_SELF. n Problem: Restrict Monitoring Graphic You want the user to able to display the monitoring graphic, but you want to grant no further access to alerts or CSA sessions. Solution: Rremove activities 80 and 81 from role SAP_OP_DSWP in authorization object D_SOLM_ACT . System Monitoring in Solution Manager
Name Type Remarks

SAP_SETUP_DSWP_SM SAP_OP_DSWP_SM

ABAP ABAP

Full authorization for System Monitoring session in operations setup (according to bundle ID) Full authorization for System Monitoring session in area operations setup (according to bundle ID)

System Monitoring and/or Central System Administration in Managed Systems
Name
SAP_BC_BASIS_ADMIN

Type
ABAP

Remarks

Contains main transactions for basis administration

Service Level Reporting in Solution Manager
Name
SAP_SETUP_DSWP_SLR

Type
ABAP

Remarks

Full authorization for Service Level Reporting session in operations setup (according to bundle ID) Full authorization for Service Level Reporting session in operations (according to bundle ID)

SAP_OP_DSWP_SLR

ABAP

Solution Reporting in Solution Manager

84/172

PUBLIC

03/30/2009

Features The following roles are relevant for the Master Data Management (MDM) Administration Cockpit: Issue Management 03/30/2009 PUBLIC 85/172 .4 Authorizations Authorization Roles and Profiles for End Users Name Type Remarks SAP_SOL_REP_ADMIN SAP_SOL_REP_DISP ABAP ABAP Authorization for reporting and maintaining system availability data Authorization for report execution and display only More Information see IMG activity: Information and Configuration Prerequisites for System Monitoring and Administration (technical name: SOLMAN_SYSADM_INFO) 6. see section System Administration Work Center.4.6 Roles for Downtime Management This paragraph gives you an overview of the roles for Downtime Management.6 6.4.7 Roles for Master Data Management You can use the Master Data Management (MDM) Administration Cockpit in Solution Manager via the System Administration work center. Features Downtime Management Name SAP_SM_DTM_ALL Type ABAP Remarks Full authorization for Downtime Management Display authorization for Downtime Management SAP_SM_DTM_DIS ABAP 6.

Integration MDM is tightly integrated with the Database Administration (DBA) Cockpit and Downtime Management (DTM). repair repository Execution authorization for authorization object MDM_ADMIN Display authorization for authorization object MDM_ADMIN SAP_SM_ADMIN_COMPONENT_EXE SAP_SM_ADMIN_COMPONENT_DIS ABAP ABAP Main authorization object is MDM_ADMIN. This authorization allows you to delete all RFC destinations of type G (HTTP to external server). Allows the user to see the list of MDM servers and repositories for a MDM system and their status in the MDM Administration Cockpit: n Display status of MDM servers n Start and stop MDM server n Display status of MDM repositories n Load / unload MDM repository n Archive. see section Roles for Database Administration Cockpit. a user cannot perform the activity with the MDM Administration Cockpit. Note The roles do not substitute the MDM repository security concept but extend it to the ABAP environment. Otherwise. except the RFC destination with naming convention MDM*. Caution Roles SAP_SM_ADMIN_COMPONENT_ALL and SAP_SM_ADMIN_COMPONENT_EXE contain authorization object S_RFC_ADM with activity 06 delete. If you use DBA with MDM.6 6. The MDM repository role assigned to the user should allow at least the same activities that are allowed by the SAP_SM_ADMIN_COMPONENT_* role. you need to assign the DBA roles.4 Authorizations Authorization Roles and Profiles for End Users Name Type Remarks SAP_SM_ADMIN_COMPONENT_ALL ABAP Full authorization for all activities for authorization object MDM_ADMIN. 86/172 PUBLIC 03/30/2009 . See also SAP Note 1270045. verify.

6 6.4. see section Roles for Third Party Integration. Note For roles required for integration with Service Desk and/or Change Request Management.8 Roles for Database Administration Cockpit You can access the Database Administration (DBA) Cockpit via the Master Data Management Administration Cockpit and the System Administration and Root Cause Analysis work centers in Solution Manager.4 Authorizations Authorization Roles and Profiles for End Users 6. profile S_DBA_DISP Display authorization for DBA Cockpit 6.4. More Information see IMG activity: Information and Configuration Prerequisites for Job Scheduling Management (technical name: SOLMAN_JSCHED_INFORM) 03/30/2009 PUBLIC 87/172 . Features Job Scheduling Management Name SAP_SM_SCHEDULER_ADMIN Type ABAP Remarks Full authorization including communication to external tool Execution authorization including communication to external tool Display authorization SAP_SM_SCHEDULER_EXE SAP_SM_SCHEDULER_DIS ABAP ABAP Integration Job Scheduling Management can be integrated with SAP CPS. see sections: Roles for Service Desk and Roles for Change Request Management. Features Database Administration Name Type ABAP Remarks Role SAP_DBA_DISP.9 Roles for Job Scheduling Management Roles for Job Scheduling Management are listed below.

Open the session in the Solution Manager. Choose Goto Technical Information . The bundle ID is in the field Session Package/Version. you need to select DVM in the authorization object. Features Business Process Operations Name Type Remarks SAP_SETUP_DSWP_BPM SAP_OP_DSWP_BPM ABAP ABAP Full authorization for Business Process Operations session in operations setup (according to bundle ID) Full authorization for Business Process Operations session in operations (according to bundle ID) Full authorization for all sessions in operations and operations setup Display authorization for all sessions in operations and operations setup SAP_SV_SOLUTION_MANAGER ABAP SAP_SV_SOLUTION_MANAGER_DISP ABAP You can restrict access to Data Consistency Management and Data Volume Management (see section Work Center Business Process Operations). If you want to use Data Volume Management.10 Roles for Business Process Operations Business Process Operations roles are listed below.4 Authorizations Authorization Roles and Profiles for End Users 6. using authorization object SM_BPM_AUT. More Information see IMG activity: Information and Configuration Prerequisites for Business Process Monitoring (technical name: SOLMAN_BPM_INFO).6 6. Note Each session type is identified by a bundle ID which must be in entered in fieldDSWPBUNDLE in authorization object D_SOLMANBU.4. Per default Data Volume Management (DVM) is deselected. You can get the bundle ID for a session type as follows: 1. 2. 88/172 PUBLIC 03/30/2009 .

Name Type Remarks Authorizations include: n assign to a solution logical components and systems. which contain a number of individual roles. See User SAPSUPPORT in this document. You should assign these roles to the user in your system which you created for SAP Support employees. SAP provides two main composite roles which contain a number of individual roles. SAP_SOLMAN_ONSITE_ALL_COMP grants more authorization than to SAP_SOLMAN_ONSITE_COMP. You can assign either SAP_SOLMAN_ONSITE_ALL_COMP or SAP_SOLMAN_ONSITE_COMP.4 Authorizations Authorization Roles and Profiles for End Users 6. business processes and steps n open Business Process maintenance. but not create or edit n full authorization for Issue Management n create projects n create scenarios.6 6. run transactions n transaction for System Landscape Optimization (SLO) Analytic Service Note SAP_SOLMAN_ONSITE_COMP ABAP composite role Extra authorization object is not required. Note See also SAP Note 872800.4. Features SAP Engagement and Service Delivery For SAP Engagement and Service Delivery. Role SAP_SOLMAN_ONSITE_ALL_COMP is automatically assigned to user SAPSUPPORT during automatic configuration of Solution Manager basic settings. The following paragraphs give you an overview of the two composite roles and their individual roles.11 Roles for SAP Engagement and Service Delivery You can assign roles for SAP Engagement and Service Delivery to your end-users and SAP Support employees. contact maintenance and services n full authorization for reporting (transaction SOLAR_EVAL) n full authorization for Test Management n display Root Cause Analysis. Roles for SAP Engagement and Service Delivery are composite roles. as execution 03/30/2009 PUBLIC 89/172 .

and systems n change authorization for Data Transfer Configuration n authorization for transactions SE16 and SU01D n transaction for System Landscape Optimization (SLO) Analytic Service see section User SAPSUPPORT Example You want SAP employees to support you.sap. which is protected.6 6. In this case.com/instguides SAP Components SAP Solution Manager <current release> n on roles for SAP Change and Transport Analysis Sessions.4 Authorizations Authorization Roles and Profiles for End Users Name Type Remarks requires GUID. logical components or solutions in your system. see configuration guide for Solution Manager in the Service Marketplace: http://service. please include the according single role into the composite role according to your requirements. see SAP Note 1074808 90/172 PUBLIC 03/30/2009 . see: SAP Note 872800 Note If one of the single roles mentioned is not contained in the composite role. The system does not store data of previous runs see section User SAPSUPPORT SAP_SOLMAN_ONSITE_ALL_COMP ABAP composite role Additional and extended authorizations include: n create solutions. logical component. n on basic configuration of SAP Solution Manager. More Information n for up-to-date information on SAP Engagement and Service Delivery roles for SAP Support employees. but they should not be able to create systems. you grant composite role SAP_SOLMAN_ONSITE_COMP.

see IMG activity: Information and Configuration Prerequisites for Issue Management (technical name: SOLMAN_ISSUE_INFORMA) 6.4. you also need the role SAP_PPF_CONFIGURATOR Authorization for message (notification) processing. Features Issue Management Name SAP_ISSUE_MANAGEMENT_ALL Type ABAP Remarks Full authorization for Issue Management Operations authorization for Issue Management Display authorization for Issue Management SAP_ISSUE_MANAGEMENT_EXE SAP_ISSUE_MANAGEMENT_DIS ABAP ABAP More Information about Issue Management.13 Roles for Service Desk These roles allow your end users to use the Service Desk.4 Authorizations Authorization Roles and Profiles for End Users 6. and SAP_SUPPDESK_CREATE Note SAP_SUPPDESK_ADMIN ABAP To maintain actions.4.12 Roles for Issue Management The following paragraph gives you an overview of roles for Issue Management. Features Service Desk Name Type Remarks Authorization to configure the Service Desk. and authorizations for the roles: SAP_SUPPDESK_PROCESS. including the use of the solution database SAP_SUPPDESK_PROCESS ABAP 03/30/2009 PUBLIC 91/172 . SAP_SUPPDESK_DISPLAY.6 6.

Display user SAP_SUPPDESK_DISPLAY ABAP More Information for Service Desk.4 Authorizations Authorization Roles and Profiles for End Users Name SAP_SUPPDESK_CREATE Type ABAP Remarks Create support messages from the satellite systems or in the central SAP Solution Manager system. SAP_MAINT_OPT_DISP SAP_MAINT_OPT_ADD ABAP ABAP 92/172 PUBLIC 03/30/2009 .6 6. downloading.14 Roles for Change Control (Maintenance Optimizer) The Maintenance Optimizer guides you through the planning. and implementation of SAP support packages and patches for your managed systems. for Service Provider. see IMG activity Information and Configuration Prerequisites for Service Provider (technical name: SOLMAN_SERVICEDESKINFO).4. If a generic RFC user creates notifications in the SAP Solution Manager system (the user is specified in the RFC destination in transaction SM59 in the managed satellite systems). Features Maintenance Optimizer Name SAP_MAINT_OPT_ADMIN Type ABAP Remarks Full authorization for Maintenance Optimizer Display authorization for Maintenance Optimizer Authorization to write Stack Delta XML folder into the EPS Outbox of the operating system of Solution Manager (Stack Delta XML folders are relevant for JSPM (Java Support Package Manager) and SAP Jup (SAP Java Upgrade) in Java systems. 6. see IMG activity Information and Configuration Prerequisites for Service Desk (technical name: SOLMAN_SD_INFORMATIO). you only have to assign the role to this generic RFC user.

to physical transport of changes from the development environment into the productive environment. This procedure is in the function Change Request Management. More Information see IMG activity: Maintenance Optimizer (technical name: SOLMAN_MAINT_OPTIMIZ). 6. task lists Import corrections into the production system. from change management and project planning.6 6.15 Roles for Change Request Management Change Request Management manages your entire SAP Solution Manager projects (maintenance. test and validate corrections Import corrections into the production system. see section Roles for Change Request Management. Approve imports into the production systems SAP_CM_DEVELOPER_COMP ABAP composite role composite role composite role SAP_CM_TESTER_COMP ABAP SAP_CM_OPERATOR_COMP ABAP SAP_CM_PRODUCTIONMANAGER_COMP ABAP composite role 03/30/2009 PUBLIC 93/172 .4. you can start a guided procedure to install your downloaded packages. and upgrade). Roles for Change Request Management are business-oriented. through resource management and cost control. corrections in the maintenance and development systems Test corrections in the test system. Features Change Request Management Name SAP_CM_CHANGE_MANAGER_COMP Type ABAP Remarks composite role Approve or reject change requests Corrections in the development system. implementation.4 Authorizations Authorization Roles and Profiles for End Users Integration In the planning phase of Maintenance Optimizer. template.

the task list administrator in Change Request Management deals with the administrative and technical side of maintenance cycles and urgent corrections.4 Authorizations Authorization Roles and Profiles for End Users Name SAP_SOCM_REQUESTER SAP_CM_ADMINISTRATOR_COMP Type ABAP ABAP Remarks Create change requests composite role Customize and check Change Request Management functions.6 6. in particular. administrative and technical maintenance. the Schedule Manager task lists Schedule Manager Developer Tester Prod. Manager Operator Administrator Display Create Change Delete Run Change status X X X X X X X X X X X X X X X X X X X Quality Gate Management (only relevant for Change Request Management Work Center) Name SAP_SM_QGM_ALL SAP_SM_QGM_TRANSPORT SAP_SM_QGM_STATUS_QM SAP_SM_QGM_STATUS_QAB Type ABAP ABAP ABAP ABAP Remarks Quality Gate Manager User for Transport Activities User to Set Q-Gate Status (QM) User to Set Q-Gate Status (QAB) Roles and Profiles in Managed System 94/172 PUBLIC 03/30/2009 .

It also indicates which roles are required for real users when using trusted RFC destinations: Transport Methods Create Request Create Task Release Task Release Request Import Request User in Target Client User in Client 000 SOLTMW<SID><CLNT> X X X X User Operator. 03/30/2009 PUBLIC 95/172 .Developer. and no authorization to release transport requests. Authorizations for operators. no configuration authorizations Authorizations for administrators. but to create and release tasks. Administrator ministrator Operator. role and profile contain CTS authorizations for administrators: all authorizations in the CTS (including configuration) SAP_CHANGEMAN_OPERATOR S_TMW_OPERA SAP_CHANGEMAN_ADMIN S_TMW_ADMIN The following table shows which transport methods are assigned to the background users in the target client and in client 000. Administrator TMSADM User Note (*) If you want developers in the Change Request Management scenario to start imports into a test system automatically. Operator. You have to assign it the authorizations S_CTS_IMPALL and S_CTS_IMPSGL. in Change Request Management. role and profile contain CTS authorizations for operators: all transport authorizations.4 Authorizations Authorization Roles and Profiles for End Users Role (Release >= 610) SAP_CHANGEMAN_DEVELOPER Profile (Release< 610) S_TMW_DEVELO Remarks Authorizations for developers. Do not use this method in production systems or in any other security-critical systems.ministrator ministrator X Operator. The system where you want to start the import automatically must have the same transport directory as its preceding system.6 6. Ad. you must add the profile S_TMW_IMPORT to the user TMSADM in client 000 of the test system. Ad.Operator. Ad. role and profile contain CTS authorizations for developers: no authorization to create transport requests. which are in S_CTS_ADMI.

but also for the whole landscape (including the production system). the user who starts the import would need addtobuffer authorization for buffer adjustment. Caution n You can now possible start an import into this system from any satellite system in your domain with the CPIC user TMSADM. you have to assign it the authorizations S_CTS_IMPALL and S_CTS_IMPSGL. Since S_TMW_IMPORT does not contain any authorization objects. The TMS remote infrastructure is based on RFC connections that point only to the client 000 of a target system. which are also in the authorization object S_CTS_ADMI. and in the client 000 of these systems. you must add the profile S_TMW_IMPORT to the user TMSADM in client 000 of the test system. n Automatic Imports Imports must sometimes be performed automatically in test systems. If you want developers in the Change Request Management scenario to start imports into a test system automatically. so operators and administrators must have users in both the client into which changes are imported.4.6 6. Roles need to be assigned in the following systems: n Solution Manager system n managed systems n BI client Features Roles/Profiles in Solution Manager System 96/172 PUBLIC 03/30/2009 . 6.16 Roles for Root Cause Analysis The following tables display all roles needed for end users for Root Cause Analysis (roles for technical users such as user SMD_RFC.4 Authorizations Authorization Roles and Profiles for End Users Integration n Import Authorization Checks Change Request Management uses the import functions of the Transport Management System (TMS). If the transport directories were different. so do not use this method in production or other security-critical systems n The system where you want to start the import automatically must have the same transport directory as its preceding system. see sections on technical users). which would present a security risk not only for the system concerned.

Copy it into your own namespace and maintain it. You can use this role in SAP namespace. Profile is automatically assigned during Guided Procedure of Automatic Basic Configuration of Solution Manager Role is in SAP_SOLMAN_ONSITE_ALL_COMP Example A special user group for a certain application of RCA should be granted: n n Profile S_DBA_DISP corresponds to role SAP_DBA_DISP SAP_SMDIAG_WIZARD ABAP SAP_RCA_DISP ZSAP_RCA_EXE Authorization to display DBA Cockpit Authorization to transfer data from Solution Manager to Root Cause Analysis tool Authorization to edit templates in the Solution Manager system Assigned to user SAPSUPPORT for all E2E RCA tools Assigned to user SAPSUPPORT for E2E RCA tools Configuration and Availability ABAP SAP_SMDIAG_TEMPLATE ABAP SAP_JAVA_SUPPORT UME SAP_JAVA_NWADMIN_CENTRAL_READONLY UME Roles in Managed Systems 03/30/2009 PUBLIC 97/172 .4 Authorizations Authorization Roles and Profiles for End Users Name Type Remarks Contains the required authorizations for user SAPSUPPORT for E2E RCA tool Exceptions. This role contains delta authorizations to SAP_RCA_DISP.6 6. Caution Profile S_RCA_DISP corresponds to role SAP_RCA_DISP Profile S_RCA_EXE corresponds to role SAP_RCA_EXE ABAP ABAP You must not alter this role. Profile is automatically assigned during Guided Procedure of Automatic Basic Configuration of Solution Manager Role is in SAP_SOLMAN_ONSITE_ALL_COMP for user SAPSUPPORT. see SAP Note 828533. as it contains all mandatory authorizations for the SAPSUPPORT user. Contains application-relevant authorizations for Root Cause Analysis.

see SAP Note 1042450.com/instguides SAP Components SAP Solution Manager <current release>. SAP_XI_DISPLAY_USER. see section User SAPSUPPORT. and Availability Assigned to user SAPSUPPORT for E2E RCA tools Configuration and Availability SAP_JAVA_SUPPORT UME SAP_JAVA_NWADMIN_CENTRAL_READONLYUME Role in BI Client Name SAP_BI_E2E Type ABAP Remark For BI Reporting via Root Cause Analysis.sap. Configuration.com/instguides SAP Components SAP Solution Manager <current release>. to display RCA transactions for E2E RCA tools Exceptions and Traces Profiles are automatically assigned during Guided Procedure of Automatic Basic Configuration of Solution Manager Assigned to user SAPSUPPORT for E2E RCA tools Exception.40 SP15. see master guide for SAP Solution Manager in the Service Marketplace: http://service.6 6. SAP_XI_MONITOR Roles for XI application> UME /J2EE Role SAP_RCA_SAT_DISP ABAP Assigned to user SAPSUPPORT. corresponds to profile S_SMDIAG_BI More Information n for general information about Root Cause Analysis. 98/172 PUBLIC 03/30/2009 .4 Authorizations Authorization Roles and Profiles for End Users Name Type J2EE Remark Roles for system information and SQL Trace> Assigned to user SAPSUPPORT. Traces. n for SAPSUPPORT user.sap. see SAP Solution Manager configuration guide in the Service Marketplace: http://service. see SAP Note 1042450 Assigned to user SAPSUPPORT. only for managed system with XI. only for managed systems with Java stack < 6. n for Solution Manager configuration. assigned to user SAPSUPPORT.

IT Performance reporting and Service Sessions. see the Master Guide for SAP Solution Manager on the SAP Service Marketplace: htpp://service. 03/30/2009 PUBLIC 99/172 .17 Roles for BI-Related Reporting reporting is relevant for several scenarios.4 Authorizations Authorization Roles and Profiles for End Users 6. BI Prerequisites You have defined your BI — client. For instance.6 6. download this role from SAP Note 1260676 Test Workbench SAP_BI_TWB / SAP_SM_BI_EXTRACTOR ABAP authorization to run E2E Diagnostics reporting (RCA). It can be executed remotely in the managed system. see section Roles for Test Management BI IT Performance Reporting and KPI Reporting Execution SAP_BW_CCMS_REPORTING SAP_SM_BI_EXTRACTOR ABAP Authorization for reporting Note / If your BI client is the Solution Manager client. BI−relevant roles Name Type Remarks E2E Diagnostics SAP_BI_E2E / SAP_SM_BI_EXTRACTOR Caution SAP_BI_E2E: as of EhP1. it is used for Test Workbench. For more information about planning aspects regarding the setup of your BI — client. or locally in the managing system.sap. See also section Work Center System Monitoring.com/instguides SAP Components SAP Solution Manager <current release> . you can assign the following roles instead: SAP_OP_DSWP_SM / SAP_SM_SOLUTION_* / SAP_SM_BI_EXTRACTOR. The following roles must be assigned for BI reporting. Features BI reporting uses the Extractor Framework (EFWK). The extractor is relevant for collecting data for BI reporting. See section Roles for Root Cause Analysis BI ABAP authorization for Test Workbench reporting. It is restricted by authorization object AI_DIAGE2E.4.

you can assign the following roles instead: SAP_SETUP_DSWP_SM / SAP_SM_SOLUTION_* / SAP_SM_BI_EXTRACTOR. More Information see IMG activity Information and Configuration Prerequisites for BI (technical name: SOLMAN_BI_CLIENT_INF) 6. EarlyWatch Alert Session SAP_SM_BI_EXTRACTOR ABAP Authorization for user of job: SM:EXEC SERVICES Note Job is scheduled during setup of Solution Manager. and upload it to your BI system. Choose in the transaction PFCG menu Roles Upload/Download . Note Role SAP_SM_BI_EXTRACTOR allows use of extractor during setup of all BI-relevant reporting. you need to maintain the values for field CCMSBI_SCE. 100/172 PUBLIC 03/30/2009 . See also section Work Center System Monitoring.6 6.18 Role for TREX Administration TREX can be administered using the TREX Admin Tool. If you want to restrict authorization to one of these functions.4. This role contains the following authorization objects: n n AI_DIAGE2E AI_CCMSBI Authorization object AI_CCMSBI is delivered with full authorization for KPI reporting and Test Workbench reporting.4 Authorizations Authorization Roles and Profiles for End Users Name Type ABAP Remarks Setup SAP_BW_CCMS_SETUP / SAP_PI_CCMS_SETUP Authorization to setup reporting Note / SAP_SM_BI_EXTRACTOR If your BI client is the Solution Manager client. If you use an external BI system. you must download role SAP_SM_BI_EXTRACTOR from the Solution Manager system to your PC.

for instance SAP_SUPPDESK_ADMIN SAP Quality Center by HP (Test Management) 03/30/2009 PUBLIC 101/172 .19 Roles for Third Party Integration The following functions have interfaces to third party systems: n n n n n n Service Desk of any third party system Service Desk Test Management to Test Management by SAP Quality Center by HP Service Desk to Defect Management by SAP Quality Center by HP Job Scheduling Management with SAP Central Process Scheduling by Redwood SAP Productivity Pak by RWD BMC AppSight for SAP Client Diagnostics Prerequisites To use a third party system.6 6.4. such as SAP Quality Center by HP or SAP Central Process Scheduling by Redwood. you need the corresponding adapter.com/instguides Components SAP Solution Manager <current release> . Features SAP Service Desk Interface Name SAP_SUPPDESK_INTERFACE Type ABAP Remarks Authorization for bi-directional interface and configuration.sap. needs to be assigned in addition to the roles for the Service Desk scenario. Note See SAP Solution Manager Configuration Guide http://service.4 Authorizations Authorization Roles and Profiles for End Users Features TREX Name SAP_BC_TREX_ADMIN Type ABAP Remarks For TREX configuration using the TREX Admin tool More Information see IMG activity Information and Configuration Prerequisites (technical name: SOLMAN_TREX_INFO) 6.

Enter the following services: SAP_SUPPDESK_INTERFACE ABAP n n ICT_SERVICE_DESK_API* ICT_SERVICE_DESK_API_MQC* SAP Central Process Scheduling by Redwood 102/172 PUBLIC 03/30/2009 . maintain authorization field SRV_NAME in authorization object S_SERVICE.4 Authorizations Authorization Roles and Profiles for End Users Name Type Remarks SAP_QC_BY_HP_ADMIN ABAP Full authorization to configure. for instance SAP_SOL_RO_COMP Authorization for technical user Authorization for technical user QCALIAS for WSDL access SAP_QC_BY_HP_EXE ABAP SAP_QC_BY_HP_DISP SAP_QC_INTERFACE SAP_QC_WSDL_ACCESS ABAP ABAP ABAP SAP Quality Center by HP (Defect Management) Name Type Remarks Authorization for bi-directional interface and configuration. needs to be assigned additionally to the role for Implementation and Upgrade scenario. for instance SAP_SOL_PM_COMP Authorization to use the Requirements tab in transactionSOLAR01.6 6. for instance SAP_SUPPDESK_ADMIN Recommendation To restrict the services that can be accessed. needs to be assigned additionally to the role for Implementation and Upgrade scenario. for instance SAP_SOL_AC_COMP Display authorization. needs to be assigned in addition to the roles for the Service Desk scenario. send and receive data to/from Quality Center. needs to be assigned additionally to the role for Implementation and Upgrade scenario.

you must also assign role SAP_J2EE_ADMIN to your technical communication user in the SAP Solution Manager system. see sections on technical users in this guide n on SAP Quality Center by HP Integration Test Management. see the product guides. BMC AppSight for SAP Client Diagnostics Name SAP_APPSIGHT_INTERFACE Type ABAP Remarks Authorization for technical user in SAP Solution Manager system Integration For information on security issues for the individual third party products. This authorization allows you to create the user in the UME of the Java stack. More Information n on technical users in the Solution Manager system and managed systems.6 6. applied to technical communication user in Solution Manager system Authorization for the technical user between managed (target) system and SAP Central Process Scheduler SAP_BC_REDWOOD_COMM_EXT_SDL ABAP SAP_BC_REDWOOD_COMMUNICATION ABAP Caution If you have SAP Central Process Scheduler installed on your SAP Solution Manager Java stack.4 Authorizations Authorization Roles and Profiles for End Users Name SAP_SM_REDWOOD_COMMUNICATION Type ABAP Remarks General authorization for the technical communication user (for instance CPSCOMM) between Solution Manager and SAP Central Process Scheduler. see IMG activity: Information and Configuration Prerequisites for SAP Quality Center by HP (Test Management) (technical name: SOLMAN_QC_INFORMATIO) 03/30/2009 PUBLIC 103/172 . applied to technical user in SAP Solution Manager system Authorization for the technical user between SAP Solution Manager and SAP Central Process Scheduler for configuration of parameter SAP_EnableRfcServer on the process server.

sap.com/instguides Administration users (for instance DDIC) Technical users profile SAP_ALL profile SAP_ALL SAP Components SAP Solution Manager <current release> See section about technical users in managed systems 104/172 PUBLIC 03/30/2009 . Features To access and use the Automatic Technical Configuration application. see IMG activity: Information and Configuration Prerequisites for SAP Quality Center by HP (Defect Management) (technical name: SOLMAN_QC_SUPPDESK_I) n on SAP Central Process Scheduling by Redwood. see conguration guide for SAP Solution Manager in the Service Marketplace: http://service. This function can be performed in theSystem Landscape Management work center application Automatic Technical Configuration.5 Roles for Configuration of Business System Connections In SAP Solution Manager. you can connect your business systems in your system landscape. see IMG activity: Information and Configuration Prerequisites for SAP Central Process Scheduling (technical name: SOLMAN_REDWOOD_INFOR) n on BMC AppSight for SAP Client Diagnostics. you need the following roles for your end user: Automatic Technical Configuration in System Landscape Management work center Name SAP_SMSY_ALL SAP_BC_CTC Type ABAP ABAP Remarks To run the configuration between your business systems To call CTC See section Work Center Navigation work center navigation roles for System Landscape Management To perform the configuration. you need the following users and profile: Configuration of Business System Connection User Profile Remarks For more information.6 6. see IMG activity: Information and Configuration Prerequisites for BMC AppSight for SAP Client Diagnostics (technical name: SOLMAN_BMC_INFO) 6.5 Authorizations Roles for Configuration of Business System Connections n on SAP Quality Center by HP Integration Defect Management.

using the example of critical authorizations of transactions SU01 (User Management) and PFCG (Role Management). Create a Role in Transaction PFCG a) Choose transaction PFCG. Recommendation Perform at least the first step.1 How to Update Authorizations after Support Package Upgrade After the new installation and an update of your SAP Solution Manager system. Procedure 1. you must import new roles and profiles from client 000 into your productive client. Call transaction SU25. for instance: ZSU01_PFCG. This section describes how to create your own roles.2 How to Create End User Roles You need to grant authorizations for which SAP does not ship template roles. in transaction SU25.6. and choose Single Role. This is especially relevant for all new authorization objects delivered with an update. you need to update your tables with new default field values for authorization objects.6 6. The dialog explains in detail what you need to do.6 “How To” Guides 6. see SAP Solution Manager Configuration Guide: http://service.6. To be able to assign the correct authorization you can create a dedicated role for them.6 Authorizations “How To” Guides More Information about CTC and CTC configuration in SAP Solution Manager. 6. Caution When you update your system.com/instguides SAP Components SAP Solution Manager <current release>. 2. Choose Information. in the Solution Manager and managed systems. Features 1. 6. b) Enter a role name in your namespace.sap. 03/30/2009 PUBLIC 105/172 .

d) Generate the profile. e) Save your role. according to your needs.6. 106/172 PUBLIC 03/30/2009 . Caution All authorization objects need to have a green traffic light.6 Authorizations “How To” Guides c) Enter a description for your role. always choose all activities.6 6. 2. When you enter a transaction in the menu tab in your role. b) Choose Change. The system opens the documentation for this object in a separate window. Enter the user and choose edit. add your user in the table and perform the user comparison. The authorization objects required in role creation are maintained using transactions.3 How to Assign Roles to Users After you have generated profiles from roles. Maintain Authorization Objects Default authorization objects delivered by SAP contain only minimal authorizations. f) Save. Note You are asked for a transport request. the system traces all authorization objects required for this transaction. If you are not sure about the function of the authorization object. e) To assign this profile to a user. for instance if you want to grant full authorization. c) Maintain all activity values per authorization object. Procedure n Transaction SU01 1. 6. you must edit them a) Choose the Authorizations tab in the Role Maintenance. for instance: Full authorization d) Go to tab menu and enter transactions SU01 and PFCG. double-click the green line. 2. Choose transaction SU01. choose tab User. To grant full authorization to authorization objects. Note for SU01 and PFCG. assign the role to your users in one of the two ways explained below.

see SAP Note 1272331. Enter your role and choose edit. 5. Go to Roles tab.6 Authorizations “How To” Guides 3. 4. 5. Note For more information on User Comparison. Choose transaction PFCG. Choose the button User Comparison.6 6. 03/30/2009 PUBLIC 107/172 . Enter the user name. 6. Save. Save. Go to Users tab. 3. 2. 4. n Transaction PFCG 1. Enter your role.

This page is intentionally left blank. .

such as authorization for POWL (table control) and navigation. 7.7 Work Center Navigation Roles 7 Work Center Navigation Roles The following sections give you an overview of all work centers and work center related roles. you should activate automatic user comparison. links and authorization roles that should be assigned to users who perform the tasks. which contain a number of authorization objects for authorization purposes. They only need to be assigned to the user.2 Basic Authorizations for Work Centers Individual role SAP_SMWORK_BASIC contains all authorization objects for work centers. These menu entries are a two—folder hierarchy. You must also assign the authorization role SAP_SMWORK_BASIC. such as Service Marketplace or Help Portal. you must assign the according authorization roles for the scenarios/functions (for instance SAP_SUPPDESK_* and SAP_SUPPCF_*).1 Work Center Roles Concept Work center navigation roles (naming convention: SAP_SMWORK_<work center>) are based on the concept of authorization roles (transaction PFCG). The first level is the home page Web Dynpro application (WDA) of the work center (for instance Incident Management). In contrast to authorization roles. To be able to mark the check for automatic user comparison when savin a role. as well as assigning work center navigation roles and authorization roles. They display the menu hierarchy/entries in the SAP NetWeaver Business Client (NWBC). Note If you implement SAP Note 1272331. Constraints Work center navigation roles are always individual roles. In addition. Each end-user who works with work centers 03/30/2009 PUBLIC 109/172 . which contains all relevant work center—related authorizations to users. The second level consists of several related links. 7. edit the respective role and go to menu Utilities Settings . Each section contains a table with a mapping of work center views. work center navigation roles are only relevant for the navigation in the work center via menu entries. when saving a role.

Features Mapping Root Cause Analysis work center to authorization roles 110/172 PUBLIC 03/30/2009 . For more information. 7.7 7. This role must be fully maintained. Note Authorization object S_ICF is delivered inactive. Features The following authorization objects are relevant: n CA_POWL Authorizations for Personal Object Work List (POWL) n S_ICF (inactive) Authorization check for ICF services access. See SAPSUPPORT user.3 Work Center Navigation Roles My Home needs the role SAP_SMWORK_BASIC. see section Secure Service Logon. Constraints SAP_SMWORK_BASIC currently contains authorization objects that are relevant for all work centers. including profile generation and user comparison.3 My Home This work center allows you to display overview data of all work centers you are assigned to. as it may only be relevant for service provider functionality. the profile S_SMWC_BA is delivered for the SAPSUPPORT user when automatically assigning basic authorizations. It does not contain authorization objects that are required for individual work centers. Example If you use function PDF Print you need authorization object S_DEVELOP (activity: 03. Note For technical restrictions. object type OBJTYPE: SMIM) to be able to display icons in the document.

section to the end user Work Center Roles <work center>. for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for Project Administration) Implementation and Upgrade (by business role. no authorization required URL Integration This work center displays overviews.4 Implementation and Upgrade Work Center Implementation and Upgrade work center (work center navigation role: SAP_SMWORK_IMPL) Features Mapping of Implementation and Upgrade work center onto authorization roles View Link Mapping of Authorization Roles (see Roles for <scenario/function>) Overview Project Implementation and Upgrade (by business role. 7. to the end user section Work Center Roles <work center>. work—related topics and reports of all work centers that are assigned to the user. according to work center assigned see work center view Overview.7 7. for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual roles for: n Project Administration n Business Blueprint n Configuration Projects 03/30/2009 PUBLIC 111/172 . SAP Solution Manager Certification — link. It therefore integrates with these work centers. to the end user section Work Center Roles <work center>.4 Work Center Navigation Roles Implementation and Upgrade Work Center View Link Mapping of Authorization Roles (see Roles for <scenario/function>) Overview Work Reports Related Links according to work center assigned see work center view Overview. according to work center assigned see work center view Reports.

for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for Project Administration) SAP_SOLMAN_DIRECTORY_* / SAP_SM_SOLUTION_* Access Solution Directory Plan Create or Maintain Projects Implementation and Upgrade (by business role. for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for Business Blueprint) SAP_RMMAIN_DIS SAP_RMDEF_RMAUTH_* SAP_RMDEF_RMAUTH_* Define Business Blueprint Show Roadmaps Define New Roadmaps Add or Change Structure Elements Build Go to Technical Configuration Implementation and Upgrade (by business role. for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (Business BlueprintSAP_SOLAR01_*) Go to Business Process Configuration Create Role-Specific Learning Map Implementation and Upgrade (by business role.no authorization Implementation and Upgrade (by business role. for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for Project Administration) Implementation and Upgrade (by business role.Service Marketplace: no authorization check URL Access Business Process Repository Web Dynpro BPR . for example Project Manager or Technical Consultant) SAP_SOL_*_COMP 112/172 PUBLIC 03/30/2009 .7 7. for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for configuration) Implementation and Upgrade (by business role.4 Work Center Navigation Roles Implementation and Upgrade Work Center View Link Mapping of Authorization Roles (see Roles for <scenario/function>) Evaluate n Access Business Map n Download Solution Composer n Access SAP Best Practices Access Projects .

for example Project Manager or Technical Consultant) SAP_SOL_*_COMP. for example Project Manager or Technical Consultant) SAP_SOL_*_COMP Maintain Central Test Workbench Settings Implementation and Upgrade (by business role.no authorization check SAP_SM_SOLUTION_* / SAP_OP_DSWP_EWA Reports Implementation and Upgrade (to business role. changing (define and maintain) of roadmaps SAP_RMDEF_RMAUTH_* SAP_ISSUE_MANAGEMENT_* SAP_SM_SOLUTION_* Issue Management / 03/30/2009 PUBLIC 113/172 . for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (Customizing Distribution) No authorization check Implementation and Upgrade (by business role.7 7.4 Work Center Navigation Roles Implementation and Upgrade Work Center View Link Mapping of Authorization Roles (see Roles for <scenario/function>) (especially individual role for E-Learning) Customizing Distribution (all links) Implementation and Upgrade (by business role. for example Project Manager or Technical Consultant) SAP_SOL_*_COMP Common Tasks n Define Roadmap n Maintain Roadmap Implementation and Upgrade (by business role. for example Project Manager or Technical Consultant) SAP_SOL_TESTER_COMP Create Test Plan and Test Packages Implementation and Upgrade (by business role. for example Project Manager or Technical Consultant) SAP_SOL_*_COMP SAP_SOLMAN_DIRECTORY_* Going Live Preparation Go to Solution Directory Going Live SAP EarlyWatch Alert Check URL . for example Project Manager or Technical Consultant) SAP_SOL_*_COMP BC-Sets (all links) Test Create Test Cases Access Test Work List Implementation and Upgrade by business role.

SAP_SM_SOLUTION_* Project Administration Copy Projects and Solutions Learning Maps Implementation and Upgrade (by business role.7 7. More Information see IMG activity: Setup Work Center for Implementation (technical name: SOLMAN_WC_IMPL) 7. see section Roles for Configuration) Implementation and Upgrade (by business role.5 Test Management Work Center Test Management work center (navigation role: SAP_SMWORK_ITEST) Features Mapping of Test Management work center onto authorization roles 114/172 PUBLIC 03/30/2009 . for instance Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for Project Administration) SAP_SOL_PROJ_ADMIN_*.5 Work Center Navigation Roles Test Management Work Center View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_SMSY_* Related Links System Landscape System Data Transfer transaction SMSY_SETUP (no dedicated role. for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for E-Learning) n n n SAP_CDMC_USER Custom Development Management Cockpit(CDMC) authorization to execute SAP_CDMC_MASTER authorization to create CDMC specific projects SAP_CDMC_STAT_SYSTEM Integration For the integrated use of roles. see section Integration of Functions.

especially Test Plan Management SAP_STWB_WORK_* Tester Worklist Test Evaluation Implementation and Upgrade (by business role. especially Test Plan Management SAP_STWB_INFO_* 03/30/2009 PUBLIC 115/172 .5 Work Center Navigation Roles Test Management Work Center View Link Mapping of Authorization Roles (see Roles for <scenario/function>) Overview Test Preparation All Links See row in this table Projects: Evaluate Transactions and Implementation and Upgrade (by TBOM business role. for example Project Manager or Technical Consultant SAP_SOL_*_COMP ). for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (Project Evaluation SAP_SOL_PROJ_ADMIN_*) and SAP_SM_BPCA_TBOM_* Solutions: Evaluate Transactions Implementation and Upgrade (by business role. for example Project Manager or Technical Consultant SAP_SOL_*_COMP ). for example Project Manager or Technical Consultant) SAP_SOL_*_COMP ) and SAP_SM_BPCA_RES_* Test Plan Management Implementation and Upgrade (by business role. especially Test Plan Management SAP_STWB_2_* Implementation and Upgrade (by business role. for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (Project Evaluation SAP_SOL_PROJ_ADMIN_*) and SAP_SM_SOLUTION_* SAP_SOLMAN_DIRECTORY_* Solution Directory BP Change Analyzer Implementation and Upgrade (according to business role.7 7. for example Project Manager or Technical Consultant SAP_SOL_*_COMP ).

SAP_SM_SOLUTION_* SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_* SAP_SM_SCHEDULER_*. SAP_SM_SOLUTION_* see section Work Center System Administration. view Overview SAP_SM_SCHEDULER_*. SAP_SM_SOLUTION_* Overview Job Request Job Monitoring Job Documentation Task Inbox Reporting SAP_SM_SCHEDULER_*.7 7. for example Project Manager or Technical Consultant SAP_SOL_*_COMP) and n SAP_SM_BI_EXTRACTOR n SAP_BI_TWB More Information see IMG activity: Setup Test Management Work Center (technical name: SOLMAN_WC_TEST) 7. SAP_SM_SOLUTION_* 116/172 PUBLIC 03/30/2009 .6 Job Management Work Center Job Management work center (work center navigation role: SAP_SMWORK_JOB_MAN) Features Mapping of Job Management work center onto authorization roles View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_SM_SCHEDULER_*.6 Work Center Navigation Roles Job Management Work Center View Link Mapping of Authorization Roles (see Roles for <scenario/function>) Settings (Setup) Reports See section Roles for Configuration Implementation and Upgrade (by business role.

SAP_SM_SOLUTION_* Related Links Job Scheduling Template roles for all additional transactions are not delivered with software component ST. SAP_SM_SOLUTION_* Common Tasks Create Job Request Create Job Documentation Access Template Analyze Job Schedule Jobs Import Jobs SAP_SM_SCHEDULER_*. roles must be created individually. SAP_SM_SOLUTION_* SAP_SM_SCHEDULER_*. SAP_SM_SOLUTION_* SAP_SM_SCHEDULER_*. SAP_SM_SOLUTION_* SAP_SM_SCHEDULER_*. roles must be created individually. SAP_SM_SOLUTION_* SAP_SM_SCHEDULER_*. Template roles for transaction CALL_CPS is not delivered with software component ST. URL — no authorization check Process Scheduling Adapter: Call CPS Scheduler Process Scheduling Adapter: Transaction EXTSLD Process Scheduling Adapter: SAP Central Process Scheduling by Redwood Integration This work center integrates with the following work centers: n Incident Management: SAP_SMWORK_INCIDENT_MAN n Change Management: SAP_SMWORK_CHANGE_MAN n Business Process Operations: SAP_SMWORK_BPM Recommendation We recommend the template composite role for Job Management(SAP_SMWORK_JOBMAN_COMP). Template roles for transaction EXTSLD is not delivered with software component ST.6 Work Center Navigation Roles Job Management Work Center View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_SM_SCHEDULER_*.7 7. roles must be created individually. see section: How to Create Work Center Composite Roles. 03/30/2009 PUBLIC 117/172 .

no authorization check Integration This work center integrates with the following work centers: n Job Management: SAP_SMWORK_JOB_MAN n Change Management: SAP_SMWORK_CHANGE_MAN n Business Process Operations: SAP_SMWORK_BPM Recommendation We recommend the template composite role for Job Management(SAP_SMWORK_JOBMAN_COMP).7 7. SAP_SUPPCF_* Provider) Queries Reports Common Tasks New messages Search for SAP Note SAP_SUPPDESK_*. SAP_SUPPCF_* Overview Messages (and for Service Provider) (and for of Service SAP_SUPPDESK_*.7 Work Center Navigation Roles Incident Management Work Center More Information see IMG activity: Setup Work Center for Job Management (technical name: SOLMAN_WC_JSCHED) 7. SAP_SUPPCF_* URL . see IMG activity: Create Work Center for Incident Management (Service Desk) (technical name: SOLMAN_SUPPDESK_WCS) n on work center for Service Desk for Service Provider. More Information n on work center for Service Desk (standard). see IMG activity: Create Work Center for Incident Management (Service Provider) (technical name: SOLMAN_VAR_WC) 118/172 PUBLIC 03/30/2009 . see section: How to Create Work Center Composite Roles. SAP_SUPPCF_* (and for Service Provider) (and for Service Provider) SAP_SUPPDESK_*.7 Incident Management Work Center Incident Management work center (work center navigation role: SAP_SMWORK_INCIDENT_MAN) Mapping Incident Management work center onto authorization roles View in Work Center Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_SUPPDESK_*.

03/30/2009 PUBLIC 119/172 .7 7. Configuration Validation: Reporting SAP_SM_BI_EXTRACTOR Recommendation For more information see section Roles for BI—Related Reporting.8 Work Center Navigation Roles Change Management Work Center 7.8 Change Management Work Center Change Management work center (work center navigation role: SAP_SMWORK_CHANGE_MAN) Features Mapping of Change Management work center onto authorization roles View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* / SAP_CM_*_COMP / SAP_SM_QGM_* Overview Projects Change Requests Change Documents Hot News Maintenance Optimizer License Management SAP_SM_QGM_* SAP_CM_*_COMP SAP_CM_*_COMP SAP_SM_SOLUTION_* SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* Authorization field S_ADMI_FCD in authorization object S_ADMI_FCD must contain value SLIC Queries Reports Common Tasks New Change Request New Maintenance Transaction Related Links Schedule Manager Configuration Validation: Maintenance SAP_SOL_REP_*/ SAP_SM_SOLUTION_* SAP_CM_*_COMP SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* SAP_CM_*_COMP SAP_SM_BI_EXTRACTOR Recommendation For more information see section Roles for BI—Related Reporting.

you need to maintain this authorization object. see section: How to Create Work Center Composite Roles.9 Business Process Operations Work Center Business Process Operations work center (work center navigation role: SAP_SMWORK_BPM) Features Mapping of Business Process Operations work center onto authorization roles View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_* SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_* Overview Solution all Note Role SAP_OP_DSWP_BPM contains authorization object SM_BPM_AUT with full authorization for operations categories: n Business Process Monitoring (BPM) n Data Consistency Management (DCM) n Data Volume Management (DVM) If you want to restrict authorization.7 7.9 Work Center Navigation Roles Business Process Operations Work Center Integration This work center integrates with the following work centers: n Incident Management: SAP_SMWORK_INCIDENT_MAN n Job Management: SAP_SMWORK_JOB_MAN n Business Process Operations: SAP_SMWORK_BPM Recommendation We recommend the template composite role for Job Management(SAP_SMWORK_JOBMAN_COMP). More Information see IMG activity: Setup Work Center for Change Management (technical name: SOLMAN_WC_CHARM) 7. Business Processes Alert Inbox SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_* SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_* 120/172 PUBLIC 03/30/2009 .

you need to assign role SAP_SUPPDESK_CREATE (and SAP_SUPPCF_CREATE for service provider) to your user. Reports Common Tasks Solution Directory Setup Business Process Monitoring Related Links SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_* SAP_SOLMAN_DIRECTORY_* / SAP_SM_SOLUTION_* SAP_SETUP_DSWP_BPM /SAP_SM_SOLUTION_* Solution Manager SAP_SV_SOLUTION_MANAGER (full authorization for Operations and Operation Operations Setup) transaction SOLUTION_MANAGER Note If you want to create Service Desk messages. Integration This work center integrates with the following work centers: n Incident Management: SAP_SMWORK_INCIDENT_MAN n Change Management: SAP_SMWORK_CHANGE_MAN n Job Management: SAP_SMWORK_JOB_MAN 03/30/2009 PUBLIC 121/172 .9 Work Center Navigation Roles Business Process Operations Work Center Data Consistency Management SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_* Note Role SAP_OP_DSWP_BPM contains authorization object SM_BPM_AUT with full authorization for operations categories: n Business Process Monitoring (BPM) n Data Consistency Management (DCM) n Data Volume Management (DVM) If you want to restrict authorization. Data Volume Management SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_* Note Role SAP_OP_DSWP_BPM contains authorization object SM_BPM_AUT with full authorization for operations categories: n Business Process Monitoring (BPM) n Data Consistency Management (DCM) n Data Volume Management (DVM) If you want to restrict authorization. you need to maintain this authorization object. see section Roles for Service Desk.7 7. you need to maintain this authorization object.

10 SAP Engagement and Service Delivery Work Center Recommendation We recommend the template composite role for Job Management(SAP_SMWORK_JOBMAN_COMP). More Information see IMG activity: Setup Work Center for Business Process Operations (technical name: SOLMAN_WC_BPM) 7. see section: How to Create Work Center Composite Roles.10 SAP Engagement and Service Delivery Work Center SAP Engagement and Service Delivery work center (work center navigation role: SAP_SMWORK_SERVICE_DEV) Features Mapping of SAP Engagement and Service Delivery work center onto authorization roles View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_SV_SOLUTION_MANAGER / SAP_SM_SOLUTION_* / SAP_ISSUE_MANAGEMENT_* Overview Solutions SAP_SM_SOLUTION_* / SAP_OP_DSWP_BPM / SAP_ISSUE_MANAGEMENT_* Business Processes SAP_SM_SOLUTION_* / SAP_OP_DSWP_BPM / SAP_ISSUE_MANAGEMENT_* SAP Delivered Services Self Services Top Issues Issues Tasks EarlyWatch Alert Reports SAP_SV_SOLUTION_MANAGER / SAP_SM_SOLUTION_* SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_* SAP_SM_SOLUTION_* / SAP_OP_DSWP_EWA SAP_SOL_REP_* / SAP_SM_SOLUTION_* 122/172 PUBLIC 03/30/2009 .7 Work Center Navigation Roles 7.

You can grant or restrict authorization for updating SAP Services.7 7. Not Pre-configured Tasks Recurring Pre-configured Tasks (CSA): SAP_OP_DSWP_CSA Roles depend on the nature of the tasks 03/30/2009 PUBLIC 123/172 . table entries or coding could be added or activated in your system.11 Work Center Navigation Roles System Administration Work Center Common Tasks Maintain System Data Maintain Solution Data Maintain Project Blueprint Maintain Project Configuration Display Roadmap Schedule Content Update SAP_SMSY_* SAP_SM_SOLUTION_* / SAP_SOLMAN_DIRECTORY_* SAP_SOL_*_COMP SAP_SOLAR01_*) SAP_SOL_*_COMP SAP_SOLAR02_*) SAP_RMMAIN_DIS SAP_SV_SOLUTION_MANAGER / SAP_SM_SOLUTION_* (especially (especially Related Links Solution Manager Operations (full authorization for Operations and Operations Setup) SAP_SV_SOLUTION_MANAGER SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_* Issue Management Note When you update an SAP Service. with authorization object SM_CNT_UPD.11 System Administration Work Center System Administration work center (navigation role:SAP_SMWORK_SYS_ADMIN) Features Mapping of System Administration work center onto authorization roles View Link Mapping of Authorization Roles (see Roles for <scenario/function>) Overview Task Management Ad-hoc. More Information see IMG activity: Setup Work Center for SAP Engagement and Service Delivery (technical name: SOLMAN_WC_ISSUE) 7.

Administration Tools Template roles for non-specific Solution Manager transactions (functions) can be found in the documentation for these functions. The MDM Admin Cockpit automatically appears in your tool list. SU10 or SUIM are not delivered with software component ST. Roles must be created individually.11 Work Center Navigation Roles System Administration Work Center View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_SMSY_* My Downtime Management Tasks Note Start/stop of instances is managed by either: n Adaptive Computing (ACC): uses UME of attached SAP NetWeaver Administrator n SAPControl: uses logon dialog for identification Job Scheduling Management Tasks Issue and Top Issue Management Tasks Systems Task Management Setup CSA User Management SAP_SM_SCHEDULER_* / SAP_SM_SOLUTION_* SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_* SAP_SMSY_* See roles for relevant tasks. in table row Task Management SAP_SETUP_DSWP_CSA Template roles for authorizations for transactions SU01. role SAP_BC_USER_ADMIN can be used. PFCG. see section Roles for Master Data Management. Alternatively. Example You operate a Master Data Management (MDM) system in your system landscape.7 7. Caution Role contains full user administration authorization. above. 124/172 PUBLIC 03/30/2009 . see section How to Create Roles.

More Information See IMG activity: Setup Work Center for System Administration (technical name: SOLMAN_WCS_CSA) 7. Recommendation Use the template composite role for system aAdministrators (SAP_SMWORK_ADMINISTRATOR_COMP). see section: How to Create Work Center Composite Roles.12 System Monitoring Work Center System Monitoring work center (navigation role: SAP_SMWORK_SYS_MON) Features Mapping of System Monitoring work center onto authorization roles View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_SMSY_* / SAP_SM_SOLUTION_* Overview Systems / Solutions 03/30/2009 PUBLIC 125/172 . Refer to the documentation for Adaptive Computing. SAP_SMSY_* / SAP_SM_SOLUTION_* Adaptive Computing Manage System Favorites Integration This work center integrates with Work Center System Landscape Management.12 System Monitoring Work Center Related Links DBA Cockpit Landscape Printing Assistant License Management SAP_BC_DB_ADMIN Template role for authorizations for transaction PAL is not delivered with software component ST. Role must be created individually. Authorization field S_ADMI_FCD in authorization object S_ADMI_FCD must contain value SLIC. For the integrated use of roles.7 Work Center Navigation Roles 7. see section Integration of Functions.

The role must be created individually. for more information see section Roles for Service Desk. you need roles SAP_BW_CCMS_REPORTING and SAP_SM_BI_EXTRACTOR. Connectivity Monitoring RFC Destinations Template role for authorization for transaction SM59 is not delivered with software component ST. If you use an external BI system. Alert Inbox System Alerts Create Messages Proactive Monitoring System / Solutions Nonspecific Solution Manager Transactions IT Performance Reporting SAP_OP_DSWP_SM / SAP_SM_SOLUTION_* SAP_SUPP*. If you use an external BI system. SAP_SM_BI_EXTRACTOR Note If your BI client is not the Solution Manager client. Alternatively. SAP_SM_BI_EXTRACTOR System Status Systems / Solution IT Performance Reporting Note If your BI client is not the Solution Manager client.12 System Monitoring Work Center View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_SMSY_* / SAP_SM_SOLUTION_* SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*. Job Monitoring Self Diagnosis Job Scheduling SAP_SM_SCHEDULER_* SAP_SM_SOLUTION_* 126/172 PUBLIC 03/30/2009 . role SAP_BC_USER_ADMIN can be used SAP_SMSY_* Caution Role contains full user administration authorization. and upload it to your BI system in transaction PFCG Roles Upload/Download . SAP_SMSY_* / SAP_SM_SOLUTION_* Template roles for non-specific Solution Manager transactions (functions) are in the documentation of these functions. you must download role SAP_SM_BI_EXTRACTOR from the Solution Manager system to your PC. and upload it to your BI system in transaction PFCG Roles Upload/Download . you must download role SAP_SM_BI_EXTRACTOR from the Solution Manager system to your PC. you need roles SAP_BW_CCMS_REPORTING and SAP_SM_BI_EXTRACTOR.7 Work Center Navigation Roles 7. SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*.

no authorization check URL 03/30/2009 PUBLIC 127/172 .7 Work Center Navigation Roles 7. Recommendation For more information see. you must download role SAP_SM_BI_EXTRACTOR from the Solution Manager system to your PC. and upload it to your BI system in transaction PFCG Roles Upload/Download .no authorization check .12 System Monitoring Work Center View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_OP_DSWP_EWA / SAP_SM_SOLUTION_* Reports Report Views: SAP EarlyWatch Alert Reporting Report View: Service Level Reporting Report View: Availability Reporting SAP_OP_DSWP_SLR / SAP_SM_SOLUTION_* SAP_SOL_REP_* / SAP_SM_SOLUTION_* Setup System Monitoring Service Level Reporting EarlyWatch Alert Connectivity Monitoring IT Performance Reporting SAP_SETUP_DSWP_* / SAP_SM_SOLUTION_* SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SLR SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_EWA Transaction: check) SOLUTION_MANAGER (no authorization SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM / SAP_SM_BI_EXTRACTOR Note If your BI client is not the Solution Manager client you need the following roles: n SAP_BW_CCMS_SETUP n SAP_PI_CCMS_SETUP n SAP_SM_BI_EXTRACTOR If you use an external BI system. section Roles for BI—Related Reporting Solutions Related Links Adaptive Computing Managed System Favorites Wily Introscope SAP_SM_SOLUTION_* SAP_SMSY_* URL .

More Information see IMG activity: Setup for System Monitoring Work Center (technical name: SOLMAN_WC_SYS) 7. Recommendation Use the template composite role for System Administrators SAP_SMWORK_ADMINISTRATOR_COMP). See section: How to Create Work Center Composite Roles. SAP_SM_SOLUTION_DIS Overview System Management Downtime Management Transport Management System Management Downtime Management Transport Management See under view Overview See under view Overview See under view Overview 128/172 PUBLIC 03/30/2009 .7 Work Center Navigation Roles 7.13 System Landscape Management Work Center Note You can set connection parameters for Adaptive Computing and Wily Introscope.13 System Landscape Management Work Center System Landscape Management work center (navigation role: SAP_SMWORK_LANDSCAPE_MAN) Features Mapping of System Landscape Management work center onto authorization roles View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_SMSY_* SAP_SM_DTM_*. see IMG activities: n Connect Wily Introscope (technical name: SOLMAN_WILY_SERVER) n Connect Adaptive Computing (technical name: SOLMAN_ACC_INTEG) Integration This work center integrates with System Landscape Management work center.

SAP_BC_CTC Refer to the documentation for Adaptive Computing SAP_SMSY_*. SAP_SM_SOLUTION_* see IMG activity: Setup Work Center for Landscape Maintenance (technical name: SOLMAN_SMSY_WC) 7. eparately. SAP_SMSY_* SAP_SMSY_ALL.14 Root Cause Analysis Work Center View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_SMSY_* SAP_SMSY_* SAP_SERVICE_CONNECT Related Links System Landscape System Data Transfer Service Connection Switch Framework Cockpit Authorization objects: n S_SWITCH n S_RFC with function group SFW_API_REMOTE Note You have to assign these authorization objects with the values.7 Work Center Navigation Roles 7. SAP Reference Landscape Project Generation Automated Technical Configuration Adaptive Computing Manage System Favorites More Information No authorization check SAP_SOL_PROJ_ADMIN_*.14 Root Cause Analysis Work Center Root Cause Analysis work center (work center navigation role: SAP_SMWORK_DIAG) Features Mapping Root Cause Analysis work center onto authorization roles 03/30/2009 PUBLIC 129/172 .

7 Work Center Navigation Roles 7.15 Solution Documentation Assistant Work Center View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_RCA_*. SAP_SOL_*_COMP (esp.: SAP_SOL_PROJ_ADMIN_ALL) Related Links Business Process Repository Project Administration Business Blueprint Solutions Solution Manager System Landscape no authorization check SAP_SOL_PROJ_ADMIN_* SAP_SOLAR01_* SAP_SOLMAN_DIRECTORY_* SAP_SMSY_* Integration Solution Documentation Assistant integrates with function Business Blueprint (transaction SOLAR01). SAP_SOL_*_COMP (esp.: SAP_SOL_PROJ_ADMIN_ALL) Overview Analysis Projects Analyses Rule Database Content Interface Common Tasks all SAP_SDA_ALL all SAP_SDA_*. All see section Roles for Root Cause Analysis More Information see IMG activity: Setup Work Center for Root Cause Analysis (technical name: SOLMAN_WC_RCA) 7. 130/172 PUBLIC 03/30/2009 .15 Solution Documentation Assistant Work Center Solution Documentation Assistant work center (work center navigation role: SAP_SMWORK_SDA) Features Mapping of Solution Documentation Assistant work center onto authorization roles View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_SDA_*.

7 Work Center Navigation Roles 7. role must be created individually.16 Solution Manager Administration Work Center Solution Manager Administration work center (navigation role: SAP_SMWORK_SETUP) Features Mapping of Solution Manager Administration work center onto authorization roles View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_SM_SOLUTION_* SAP_SOL_PROJ_ADMIN_* SAP_SM_SOLUTION_* SAP_SERVICE_CONNECT SAP_SOLUTION_TRANSFER SAP_SOLMAN_DIRECTORY_* SAP_SETUP_DSWP_EWA/ SAP_SM_SOLUTION_* SAP_SOL_PROJ_ADMIN_* SAP_SMSY_*/ SAP_SM_SOLUTION_* SAP_SOL_PM_COMP Overview Solutions Solutions Projects Solutions (Create) Service Connection Solution Transfer Global Solution Settings Operations Setup (EarlyWatch Alert) Projects Projects Associated systems and solutions Compare and Adjust Start Template Collector Reset User Settings (especially SAP_SOL_PROJ_ADMIN_ALL) SAP_SOL_PM_COMP Template role for authorizations for SU01 is not delivered with software component ST. (especially Refresh Search Index Maintain Project Templates Export and Import SAP_SOL_*_COMP SAP_SOL_PROJ_ADMIN_*) SAP_SOLAR_MIGRATION 03/30/2009 PUBLIC 131/172 .16 Solution Manager Administration Work Center More Information see IMG activity: Setup Work Center for Solution Documentation Assistant (technical name: SOLMAN_WC_SDA) 7.

Specific Administration Setup System Administration Service Level Reporting System Monitoring EarlyWatch Alert Connectivity Monitoring IT Performance Reporting Landscape Maintenance Common Tasks Related Links RFC SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_CSA SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SLR SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_EWA Transaction: SOLUTION_MANAGER (no authorization check) SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM SAP_SMSY_* Connection Error See section Roles for Configuration See section Roles for Configuration SAP_SM_SOLUTION_* Reference Implementation Guide (SPRO) Automated Basic Configuration Self Diagnosis 132/172 PUBLIC 03/30/2009 .16 Solution Manager Administration Work Center View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_SMSY_* SAP_SOLMAN_DIRECTORY_*/ SAP_SM_SOLUTION_* Systems System Landscape Setup System Landscape Maintenance RFC Destinations Template role for authorization for transaction SM59 is not delivered with software component ST. BPor AISUSER are not delivered with Software Component ST.7 Work Center Navigation Roles 7. role must be created individually. Alternatively. roles must be created individually. PFCG. role SAP_BC_USER_ADMIN can be used Caution Users This role contains full administration authorization. Template roles for authorization for transactionsSU01.

Your system administrator maintains your system landscape and ensures the smooth running of all its systems. and compare users. The procedure is similar to creating single roles. Create a composite role in transaction PFCG. For instance. 03/30/2009 PUBLIC 133/172 . Assign the following authorization role for work centers: SAP_SMWORK_BASIC. according to the mapping tables. Maintain the authorization roles and generate the profiles.7 Work Center Navigation Roles 7. you need to delete the SAP template single role SAP_SMWORK_LANDSCAPE_MAN included in the composite role and assign you adapted ZSAP_SMWORK_LANDSCAPE role individually to the user. if you want to adapt links in Work Center System Landscape Management of composite role SAP_SMWORK_ADMINISTRATOR_COMP. see section How to Create Roles for End Users. 4. you need to maintain them as single roles NOT included in the composite role. Assign the following authorization roles: n System Landscape Maintenance: SAP_SMSY_ALL n Solutions: SAP_SM_SOLUTION_ALL n System Monitoring Setup: SAP_SETUP_DSWP_SM n System Administration Setup: SAP_SETUP_DSWP_CSA n System Monitoring Operations: SAP_OP_DSWP_SM n System Administration Operations: SAP_OP_DSWP_CSA n Service Connection: SAP_SERVICE_CONNECT 5. using the example of the composite role for administrators.17 How to Create Work Center Composite Roles 7. Assign the following work centers in Roles tab: n System Landscape Management (work center navigation role: SAP_SMWORK_LANDSCAPE_MAN) n System Monitoring (work center navigation role: SAP_SMWORK_SYS_MON) n System Administration (work center navigation role: SAP_SMWORK_SYS_ADMIN) n Home (work center navigation role: SAP_SMWORK_MYHOME) 3. You want your system administrator to use Solution Manager work centers. 2. copy them.17 How to Create Work Center Composite Roles SAP delivers two composite roles for this work center: n n SAP_SMWORK_ADMINISTRATOR_COMP SAP_SMWORK_JOBMAN_COMP This section describes how you can create a composite role for work centers. You need to grant work center navigation roles and authorizations roles with full authorization. Note If you use the existing roles. Procedure 1. maintain all single authorization roles. Caution If you want to adapt Work Center single roles of the SAP template composite roles.

17 How to Create Work Center Composite Roles 6. More Information on work centers in general.sap. Result You have created a composite role for your system administrator. see IMG activity: Information and Configuration Prerequisites for Work Center (technical name: SOLMAN_WCS_INFORMATI) 134/172 PUBLIC 03/30/2009 . Figure 2: Individual Roles for Composite Role SAP_SMWORK_ADMINISTRATOR_COMP Note All necessary roles are included. Caution If you use SAP NetWeaver Business Client.7 Work Center Navigation Roles 7. Only roles for transactions that are delivered with Solution Manager (Software Component: ST) are included. authorization objects maintained.com/instguides SAP Components SAP Solution Manager <current release> . see section How to Configure SAP NetWeaver Business Client in the configuration guide for SAP Solution Manager in the Service Marketplace: http://service. do not populate or merge the menu. Assign the composite role to your system administrator and compare users. profiles generated. as the work centers cannot be displayed accurately in the SAP NWBC. and users compared.

and background jobs (see section Background Jobs).2 SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER) End users who communicate with SAP Support Portal via RFC destination SAP-OSS need an SAP Support Portal contact to SAP Solution Manager. For security reasons it should have no authorizations since it could be misused for direct logon.3 S-User Authorization for Service Desk and Expert on Demand Your S-user needs the following authorizations for SAP Support Portal functions. We distinguish between two uses of S—users: n for RFC destinations: This S-user requires a password and has to be assigned to your customer number. n for dedicated functions (requires authorizations): See the following sections.1 S-User Concept The S-user is needed to access SAP—internal systems via RFC destinations such as SAP-OSS and SAP-OSS-LIST-O01 (see section Communication Destinations). More Information see IMG activity: Assign S-User for SAP Support Portal functionality (SOLMAN_PROFILE_PARAM) 8. (Authorized) S-users are needed to open the gate and trigger dedicated functions at SAP. without the initial S. This contact corresponds to the S-user in the SAP Support Portal.8 S-User Authorizations 8 S-User Authorizations 8. 8. Features S-User Authorization for Service Desk and Expert on Demand 03/30/2009 PUBLIC 135/172 . You maintain the contact in table AISUSER (transaction AISUSER).

for the Service Connection function.4 S-User Authorization for Service Connection Your S-user needs the following authorizations in the SAP Support Portal. Features S-User Authorization for Service Connection Activity Authorization SVER: SVER: Open service connections Set-up/migrate a service connection SAP notes search Open Service Connection Open Service Connection Maintain System Data Search for notes INSTPROD: NOTES: 8.4 S-User Authorizations S-User Authorization for Service Connection Activity Authorization ANLEG: GOSAP: WAUFN: Create message Send messages Confirm messages Display/change secure area Create SAP message Send to SAP Reopen SAP message Confirm SAP message Display secure area Change secure area QUITT: PWDISP: PWCHGE: 8. Features S-user Authorization for Maintenance Optimizer Activity Authorization SWCATALOG Order Software in Software Catalog Execute Maintenance Optimizer 136/172 PUBLIC 03/30/2009 .5 S-User Authorization for Maintenance Optimizer Your S-user needs the following authorization in the SAP Support Portal. for the Maintenance Optimizer function.8 8.

6 S-User Authorization for Data Download from SAP Your S-user needs the following authorizations for the SAP Support Portal functions. S-user Authorization Download Data from SAP Activity Authorization ADMIN GLOBAL USER INSTPROD LICKEY Administration Maintain all logon data Maintain user data Maintain system data Request license key 03/30/2009 PUBLIC 137/172 .6 S-User Authorizations S-User Authorization for Data Download from SAP 8.8 8.

.This page is intentionally left blank.

9. and work centers for service provider customers.Service tomer—spe. no authorization needed). see section S-User Authorizations You automatically create customer RFCs based on RFC SAP-OSS via report More Information see IMG activity Setup SAP Connection for Customers (technical name: SOLMAN_VAR_RFC_CUSTO) 9. You need an S user without specific authorizations. Roles for Service Desk and Service Provider are additive. including service provider—specific authorizations. that is. if your Solution Manager system is configured 03/30/2009 PUBLIC 139/172 .Provider cic. Features Service Provider Customer RFC Connections from Solution Manager to SAP System LoNum. you need to create specific Prerequisites RFC connections to SAP for your customers.2 Roles for Service Desk for Service Provider The function Service Desk for Service Provider extends the Service Desk functionality.gon Logon User ber Client (Password) RFC Destination Name SM_SP_<customer number> Target Host Name Use (Scenario) Remarks /H/SAPROUTER/S//sapserv/H/oss001 01 001 S-User (Cus.1 Service Provider Customer RFC Connections As a service provider.9 Service Provider and Service Provider Customer Specification 9 Service Provider and Service Provider Customer Specification This section gives an overview of topics for service providers.

Features You need the role SAP_SM_SPC. you need a complete view of all data for the specified scenarios. while your customers should be able to display all data that is necessary for their specific business.3 Service Provider and Service Provider Customer Specification Service Provider—Specific Authorization for the Service Provider.3 Service Provider—Specific Authorization As a service provider. n for Service Provider. you must grant your end users roles for Service Desk and Service Desk for Service Provider. Authorization object CRM_TXT_ID needs to be granted. 9. Features Additional Service Desk Roles for Service Provider and Software Partner Caution For Service Provider. you must maintain the Service Desk roles as described in SAP Note 834534. More Information see IMG activity Assign Service Provider Authorization (technical name: SOLMAN_SPC_AUTH). see IMG activity Information and Configuration Prerequisites for Service Provider (technical name: SOLMAN_SERVICEDESKINFO). 140/172 PUBLIC 03/30/2009 . Name SAP_SUPPCF_ADMIN Type ABAP Remarks Administrator authorization for creating and processing Key user (IT operator) authorization to create messages Support employee authorization to process messages Display authorization SAP_SUPPCF_CREATE ABAP SAP_SUPPCF_PROCESS ABAP SAP_SUPPCF_DISP ABAP More Information n for Service Desk.9 9. as well as Service Desk authorization objects. See section Roles for Service Desk. and add Service Desk roles for Service Provider. see IMG activity Information and Configuration Prerequisites for Service Desk (technical name: SOLMAN_SD_INFORMATIO).

no authorization check SAP_SUPPDESK_* / SAP_SUPPCF_* Mapping of Work Center System Monitoring to Authorization Roles 03/30/2009 PUBLIC 141/172 . Functions that can be executed with these work centers by customers of Service Providers are: n Service Desk (Incident Management) (technical role name: SAP_SMWORK_INCIDENT_MAN_SPC) create and change own messages. open service connections n Change Management (technical role name: SAP_SMWORK_CHANGE_MAN_SPC) process maintenance optimizer transactions n System Monitoring (technical role name: SAP_SMWORK_SYS_MON_SPC) display SAP EarlyWatch Alert reports and Service Level reports Features Mapping of Work Center Change Management to Authorization Roles View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* Overview Hot News Maintenance Optimizer License Management SAP_SM_SOLUTION_* SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* Authorization field S_ADMI_FCD in authorization object S_ADMI_FCD must contain value SLIC New Maintenance Transaction SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* Common Task Mapping Work Center Incident Management to Authorization Roles View in Work Center Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_SUPPDESK_* / SAP_SUPPCF_* SAP_SUPPDESK_* / SAP_SUPPCF_* Overview Messages Common Tasks Search for SAP Note New messages URL .9 9.4 Service Provider and Service Provider Customer Specification Work Center for Service Provider Customers 9.4 Work Center for Service Provider Customers The following work centers are available especially for customers of Service Providers.

Features S-User Authorization for Service Provider Customer Activity Authorization INSTPROD Maintain System Data Note The assigned s user needs no authorization for the customer—specific RFC connections (RFC default name: SM_SP_<Customer Number>). 142/172 PUBLIC 03/30/2009 . You route the request directly from your proxy server to the Solution Manager server.6 Work Center Access for Customers To grant access to Solution Manager work centers via HTTP. Your customer should install a proxy server that is enabled for cascading.9 9. an HTTP request from a customer server must be accepted by the Solution Manager server. you need roles SAP_BW_CCMS_REPORTING and SAP_SM_BI_EXTRACTOR.5 S-User Authorization for Service Provider Customers The S user of service provider customers needs the following authorizations in the SAP Support Portal. This proxy should cascade requests from the customer to a proxy server on your side.5 Service Provider and Service Provider Customer Specification S-User Authorization for Service Provider Customers View Link Mapping of Authorization Roles (see Roles for <scenario/function>) SAP_OP_DSWP_EWA / SAP_SM_SOLUTION_* SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*. SAP_SM_BI_EXTRACTOR Reporting Report View: SAP Early Watch Alert Report View: SAP EarlyWatch Alert for Solutions Note If your BI client is not the Solution Manager client. Report View: Service Level Reporting SAP_OP_DSWP_SLR / SAP_SM_SOLUTION_* 9. 9.

9 9. 03/30/2009 PUBLIC 143/172 .6 Service Provider and Service Provider Customer Specification Work Center Access for Customers Integration If you want to restrict customer access to certain services. see SAP Note 1281504 and SAP — Partner—Specific Configuration in the IMG (transaction SPRO) .

This page is intentionally left blank. .

RMIGRATE_LANG_DEP_SAPSCRIPT SM:CLEAR ARCHIVED DATA/ RDARCH_CLEAN_DATABASE SM:DYNAMIC TABU UPDATE/ RDMD_DYNAMIC_TABU_UPDATE MIGRATE_LANG_DEP_SAPSCRIPT 03/30/2009 PUBLIC 145/172 . whether a service connection is planned to be opened The job gets system data for the Solution Manager system landscape by automatic data transfer from TMS/RFC or the System Landscape Directory (SLD) (DSWPJOB -> inactive) (DSWPJOB inactive) (DSWPJOB -> inactive) Updates the table contents required to operate the Solution Manager (DSWPJOB) -> SEND_SYSTEM_RELATIONSHIP_TO_SUPP/Periodically AI_SC_SEND_SYSTEM_RELATIONSHIP SAP-OSS SERVICE_CONNECTION_LISTENER/ AI_SC_LISTENER SAP-OSS LANDSCAPE FETCH/ RSGET_SMSY Default: TMS/RFC SM:SYNC CONTENT FROM SAP/ RDSWPBACKGROUNDSERVICES_1 SM:MIGRATE_LANG_DEP_SAPSCRIPT/ MIGRATE_LANG_DEP_SAPSCRIPT. 10.10 Background Processes 10 Background Processes This section gives an overview of background processes for each function. Features Background Jobs for Infrastructure Background Job/Program. Report Use REFRESH_ADMIN_DATA_FROM_SUPPORT/ AI_SC_REFRESH_READ_ONLY_DATA RFC Connection SAP-OSS Periodically reads administrative data from SAP Support Portal (System data synchronization in SMSY) sends information about which systems are managed by Solution Manager Periodically checks in Solution Manager.1 Background Jobs for Infrastructure Background jobs for Infrastructure.

Update of product data download from SAP Support Portal SAP-OSS SM:SELFDIAGNOSIS/ RDSWP_SELF_DIAGNOSIS SM:MIGRATE SESS DL.10 Background Processes 10. To be run hourly or daily (between 10 pm and 4 am). The job executes RFCPING or RFC_PING. Report Use SM:DMD CONSISTENCY/ RDMD_INCONSISTENCIES RDMD_INCONSISTENCIES/ RDMD_MIGRATE_OBJS_2_LANG_INDEP SM:REMOVE INCONSISTENCIES/ RDMD_REMOVE_INCON SM:REORG APPLICATION LOG/ RDMD_REORG_APPLICATION_LOG SM:REFRESH ENTRYSCREEN/ RDSMOPSOLUTIONLISTUPDATE RFC Connection Checks the consistency of a solution data model (DSWPJOB) (DSWPJOB) Remove inconsistencies in the data model (DSWPJOP) Reorganize Application Log (DSWPJOB) Update solution list: the status of every solution is determined for the overview list of all solutions (the access screen in transaction SOLUTION_MANAGER) (DSWPJOB) SM:SERVICE ASSISTANT EVENTS/ RDSVAS_EXECUTE_EVENTS SM:HOURLY SERVICES/ RDSWPBACKGROUNDSERVICES_3 SM:UPDATE RULES/ RDSWPRULESUPDATE (DSWPJOB -> inactive) (DSWPJOB -> inactive) A set of rules which controls the services and documents that can be offered for information about system infrastructure and processes maintained in the Solution Manager (DSWPJOB) Update Self-diagnosis (DSWPJOB) (DSWPJOB) Move services and sessions to archive queue (DSWPJOB) Periodic background job to send queued e-mails (manually scheduled via transaction SCOT) -> see also IMG -> Cross-scenario settings) Check RFC connections.1 Background Jobs for Infrastructure Background Job/Program./ RDSWP_SSA_MIGRATE_SESS_DL SM:MOVE TO ARCHIVE QUEUE/ RDSWP_SSA_MOVE_2_ARCHIVE_QUEUE EMAIL_NOTIFICATION (customer-specific)/ RSCONN01 (variant SAP) SM:RFC MONITORING/ RWBA_RFC_WATCHER SMSY_PPMS_DOWNLOAD_FROM_OSS 146/172 PUBLIC 03/30/2009 .

2 Background Jobs for Implementation 10. SLR. Features Background Jobs for Implementation Background Job/Program. Report Use RFC Connection Job name (customer-specific)/ RSTIRIDX Asynchronous indexing and de-indexing for Document Management (manually. Service Level Reporting.4 Background Jobs for Monitoring There are two kinds of background jobs for Monitoring: n background jobs for EWA.3 Background Jobs for Test Management Background jobs for Test Management Features Background Jobs for Test Management Background Job/Program. see also IMG Cross-scenario Settings Document Management Servers Connect Index Server for Full Text Search Accelerates the where-used list for documents in the Solution (DSWPJOB) SM:ACCELERATE DOC USAGE/ RDMD_ACCELERATE_DOC_USAGE 10. Central System Administration 03/30/2009 PUBLIC 147/172 . Report Use AGS_BPCA_TBOM_OUTDATE_CHECKER AGS_BPCA_TBOM_REFERENCE_CHECK RFC Connection Used Check TBOM status Check Business Process Hierarchy (BPH) 10.2 Background Jobs for Implementation Background jobs for Implementation. with Solution Manager as a Central Monitoring System CEN) Features Background Jobs for EarlyWatch Alert.10 Background Processes 10. and CSA n background jobs for Monitoring.

4 Background Jobs for Monitoring Background Job/ program. SM:MIGRATE EWACUSTOMIZING/ RDSWPMIGRATEEWACUSTOMIZING SM:SET DEFAULT RATING/ RDSWPSETDEFAULTRATINGHIERARCHY SM:SOLMAN MONITORING/ RDSWP_FILL_CCMS_ALERTS SM:DOWNLOAD DELETION/ RDSWPDOWNLOADDELETION Program name: RDSWP_DTM_UPDATE_DT_STATUS 148/172 PUBLIC 03/30/2009 . for example EWA. CSA SM:CSA SESSION REFRESH/ DSVAS_APPL_CSA_REORG_TASKTABLE. period: 1.10 Background Processes 10. To run daily. report Use /BDL/TASK_PROCESSOR RFC Connection used TRUSTED or LOGIN Starts all tasks (maintenance) in satellite systems for service sessions see RFC Connections (for instance EarlyWatch Alert) (automatically scheduled when SDCCN is activate in satellite system) SM:EXEC SERVICES/ RDSMOPBACK_AUTOSESSIONS Executes service sessions in Solution Manager. (DSWPJOB) TRUSTED or READ Download data which is more than 30 days old is deleted (DSWPJOB) Update downtime status. The set-up sessions are automatically reset after a new ST-SER release is implemented or a new Support Package imported. so that these sessions always run on the newest check source code ( DSWPJOB) Migrate EWA Customizing (DSWPJOB) Set default rating (DSWPJOB -> inactive) Supplies the monitoring object of the CCMS for every solution with data from the Solution Manager. This updates the task status icons in the SAP Solution Manager graphic. between 00:00 and 00:10. RDSMOPSOL_MONIREFRESH SM:CSA UPDATE TASKSTATUS/ DSVAS_APPL_CSA_UPD_TASKSTATUS Task Status Update (DSWPJOB) updates status symbols of CSA tasks in the graphical overview of systems CSA SM:CSDCC HANDLE TASKS/ RCSDCCHANDLETASKS SM:SESSIONS RESET/ RDSMOP_SESSSION_RESET (DSWPJOB) Initialize session. SL Rexporting and transaction SDCCN. carries out services daily (or weekly) and schedules new services (DSWPJOB) Session Refresh (DSWPJOB). The CSA session opens in the background and runs every hour.

5 Background Jobs for BI Reporting Reporting BI Background Jobs for Reporting Background Job/Program.5 Background Jobs for BI Reporting Background Jobs for CCMS Monitoring Background Job/ program. Report Use BI_TCO_ACTIVATION RFC Connection Activate technical BI content. report Use SAP_CCMS_MONI_BATCH_DP RFC Connection Local dispatch background job for local method execution.10 Background Processes 10. See IMG activity Maintain BI Reporting (technical name: SOLMAN_BPM_BI) RDSWP_BI_BPM_EXTRACT 10. Central dispatch background job.6 Background Jobs for Service Desk Background Jobs for Service Desk Features Background jobs for Service Desk 03/30/2009 PUBLIC 149/172 . Must be activated in Client 000 of the CEN system (SAP Solution Manager) and the managed system. must only be activated in Client 000 of the CEN system (Solution Manager) SAP_CCMS_CENSYS_DISPATCHER 10. see IMG activity Create BI User in BI System (technical name: SOLMAN_CR_BI_USER) Extract data from solution to transfer table for Business Process Data.

SM:GET CSN COMPONENTS/ DSWP_GET_CSN_COMPONENTS AI_SDK_FILL_FILE_TYPE_TABLE/ AI_SDK_FILL_FILE_TYPE_TABLE Transfer CSN Components to Solution Manager (DSWPJOB) Only specified file types can be sent to SAP. SAPOSS SAP-OSS 10. Features Background Jobs for SAP Engagement and Service Delivery 150/172 PUBLIC 03/30/2009 . for SAP to be able to read all the attachments which you send with your message.10 Background Processes 10.7 Background Jobs for Change Request Management Background Job/Program. the program updates the file type tables AISDK_FILETX and AISDK_FILETY.7 Background Jobs for Change Request Management Background jobs for Change Request Management Features Background Jobs for Change Request Management Background Job/Program. Recommendation Deactivate this job and schedule a customer-specific variant ( DSWPJOB). asynchronously (DSWPJOB) 10. All other attachments sent are refused by SAP. Report Use SM:RNOTIFUPDATE01/ RNOTIFUPDATE01 RFC Connection SAP-OSS-LIST-O01 Refreshes the contents of Support Desk or Expert-on-Demand messages that have been processed by SAP.8 Background Jobs for SAP Engagement and Service Delivery and Issue Management Background jobs for SAP Engagement and Service Delivery and Issue Management. for security reasons. Report Use SM:TMWFLOW_CMSSYSCLO/ /TMWFLOW/CMSSYSCOL2 RFC Connection READ. TMWFLOW gets tracking data from systems.

RDSMOPSERVICESESSIONS RDSWPBACKGROUNDSERVICES_4. Get Service plan from SAP (DSWPJOB -> RDSMOPSERVICESESSIONS. to SAP (DSWPJOB). RDSWPBACKGROUNDSERVICES_4 and RDSWPBACKGROUNDSERVICES_3 inactive) SM:FILL ISSUE BUFFER TABLE/ DSWP_CI_ISSUE_BUFFER_TABLE SAP-OSS SAP-OSS Fill Issue Buffer table (previously in DSWPJOB) SM:MIGRATE_ISSUE_PROJECT_CONTEXT/(DSWPJOB) RDSWPCI_ISSUE_PROJECT_CONTEXT1 SM:SYNC ISSUES FROM CRM/ RDSWP_ISSUE_REFRESH Table DSWPISSUE contains information from the CRM document and the support message (context).10 Background Processes 10. This table is updated (DSWPJOB). This report gets service plans from SAP. SAPOSS SAP-OSS SM:SURVEY TRANSFER/ RDSWPCI_SURVEY_TRANSFER SAP-OSS SM:SEND_SOLUTIONS_TO_SAP/ RDSMOPCOLLECTSOLUTIONDATA SM_SYNC_SAP SESSIONS/ RDSWPCISERVICEPLAN. This periodic job collects these message attributes from the message system and makes them available for analysis.8 Background Jobs for SAP Engagement and Service Delivery and Issue Management Background Job/Program. The session scheduling in the service plan is updated daily by SAP. The SAP Solution Manager buffers message attributes such as the current user and the processing status. Sends the data of the configured solutions to SAP (DSWPJOB). once a week (DSWPJOB). SOLMAN_ISSUE_STATUS_REFRESH/ RBM_REFOBJ_BUFFER_UPDATE 03/30/2009 PUBLIC 151/172 . Transfers the questionnaires for customer satisfaction with the service session and issue processing. RDSWPBACKGROUNDSERVICES_3. Report Use SM:GET CSN COMPONENTS/ DSWP_GET_CSN_COMPONENTS SM:SYNC SOLMAN INFO/ RDSMOPSERVICEINFOS SM:TOP ISSUE TRANSFER/ RDSWPCI_TOPISSUE_TRANSFER RFC Connection SAPOSS Transfer CSN components to Solution Manager (DSWPJOB) Self-Service: Components used by customers (DSWPJOB) Transfers the top issues that you have exchanged with SAP.

In contrast to Issues.9 Background Jobs for Root Cause Analysis Note Issue Management distinguishes between Top Issues and Issues. The program name of the Resource Manager is E2E_EFWK_RESOURCE_MGR. Initial transfer is done by dialog. see SAP Note 971138. To see the data of a Top Issue. Issue Management makes use of WebDynpro Applications. Top Issues bundle Issues which contain the same problem. Top Issues are addressed to management. You can then use the Internet Explorer to view this XML file.9 Background Jobs for Root Cause Analysis Background Jobs for Root Cause Analysis Features Background Jobs for Root Cause Analysis Background Job/Program/Report Use SM:SOLMAN_DIAG_UPDATE/ RSOLDIAG_CHECK_FOR_UPDATE RFC Connection Used Checks your Solution Manager and notifies it about the changes made to relevant data and parameters (DSWPJOB).10 Background Processes 10. You can avoid sending data by deleting this job. For information on Top Issue data which is sent. 10. If no data is sent to SAP. use report RDSMOP_VIEW_TOPISSUE_XML to save (as an XML file on your desktop) the information that is sent to SAP. Scheduled once per minute E2E_EFWK_WIZARD_BTC 10.10 Background Jobs for Third Party Products Background Jobs for Third Party Products Features Background Jobs for Third Party Products 152/172 PUBLIC 03/30/2009 . Issues describe potential problems. The report schedules the Resource Manager via report E2E_EFWK_CREATE_RESOURCE_MGR. SAP Support can not provide proactive support. Called during Diagnostics setup. Issue data is sent via periodic background jobs (job: SM:TOP ISSUE TRANSFER) once a week after the initial transfer.

11 Background Jobs for Service Provider Background Job/Program.11 Background Jobs for Service Provider Background jobs for Service Provider Features Background Jobs for Service Provider Background Job/Program. Report Use RPSMSY_MIGRATE_SYSTEM_USAGES RFC Connection see IMG activity Schedule Background Job for service provider (technical name: SOLMAN_SPC_REPORT 03/30/2009 PUBLIC 153/172 . to send Test Requirements and receive Test Results 10.10 Background Processes 10. Report Use RFC Connection Job name (customer-specific) / RS_SM_QC_REQUIREMENT_SYNC and RS_SM_QC_TESTRESULT_SYNC SAP Quality Center by HP.

This page is intentionally left blank. .

You can specify which solution is traced. n Documentation can get different versions when changed. Solution Manager Operations: n n n n n Traces are available in “Solution Directory”. 03/30/2009 PUBLIC 155/172 . n Each distributed object is logged. Each change on a tab is recorded. security-relevant information. All tabs can be traced. No changes of the assigned object are logged (except documents). Documentation can get different versions when changed Customizing Distribution n Each distribution is logged. 11.1 Traces and Logs System Landscape: n Update logs n RFC logs n Data save logs Solution Manager Implementation: n All tabs can be traced. Each change on a tab can be recorded. n No changes of the assigned object are logged (except documents). for example. n You can specify which project and tab can be traced. so that you can reproduce activities if a security breach does occur.11 Traces and Logs 11 Traces and Logs This section provides an overview of the trace and log files that contain.

This page is intentionally left blank. .

and n the technical level.1 Terminology: System Landscape and Related Terms The Solution Manager is based on a system in a system landscape. not its purpose in the system landscape. There are two semantic levels: n overall view of systems and their role in the system landscape. referring to the technical attributes of a system.12 Appendix 12 Appendix 12. Different terms are used to refer to this.1. It depends on whether the focus is on a system’s purpose or on its technical properties. There are several possible perspectives: n general perspective Term: System n Solution Manager perspective (Solution Manager as the central management platform) Terms: Managing System. depending on how the system landscape is viewed.1 Glossary 12. Managed System 03/30/2009 PUBLIC 157/172 .

12 Appendix 12.1 Glossary Figure 3: n business process—oriented perspective (business process as main focus) Term: Business System Figure 4: 158/172 PUBLIC 03/30/2009 .

which are called managed systems. several systems. System Component. Used in general Solution Manager scenario and function documentation in the system landscape. from the Solution Manager perspective. System Component Type. 03/30/2009 PUBLIC 159/172 . Synonym: Central System (CCMS-related) Example Managing System Your managing system is SAP Solution Manager. managed system. Technical System Figure 5: Features The following table contains definitions of how these term are used in documentation. business In your system landscape you maintain system and/or technical system. Example for example. The name of the system is overviews and so on.1 Glossary n technical perspective (technical attributes as main focus) Term: System Type. based on the SAP product definition. Definitions Infrastructure: System Term Definition Additional Remarks System Neutral definition from a general Used in general documentation. in perspective. It can be defined more closely (see above). usually the Solution Manager system.12 Appendix 12. A managing system usually manages other systems. The central managing system.

depending on the application view (the business purpose). It can be installed independently. software component and so on. System Type The type which the system can be. Example Please change the data of the main instance for system component Solution Manager Diagnostics. from the Solution Manager perspective. with reference to the general system architecture. usually the central Solution Manager system platform. from a business perspective. System Component A technical unit of a system which is itself defined by a main instance. In this sense. from a technical perspective. The main instance can be defined in more detail by server. Example The SAP Solution Manager system is based on system types AS ABAP and AS Java. Business System Any system used in a business scenario. client.1 Glossary Term Definition Additional Remarks Managed System Any system that is managed by another system. Example You monitor all business systems on which the business process steps run. Synonym: Remote System (CCMS-related) Example You monitor your managed systems regularly. Used in general Solution Manager scenario and function documentation in the system landscape. from a technical perspective: n ABAP n Java n ABAP and Java Used in general Solution Manager system landscape documentation. Used in general Business Suite and Solution Manager documentation.12 Appendix 12. using SAP Solution Manager. 160/172 PUBLIC 03/30/2009 . for Business Suite—related topics. regularly. the Solution Manager system can also be a managed system..

such as implementation. which are all supported by SAP Solution Manager. The solution is uniquely defined by its Leading System Role. SAP Solution Manager is running on (technical) system: SMP Client 200 Solution Manager Diagnostics is running on (technical) system: SMD 12.1 Glossary Term Definition Additional Remarks Example System Component Type The underlying technology of the system component.2 Terminology: Solution and Related Terms The life—cycle of a product comprises different phases. depending on the system component type. operation. from a technical perspective. Technical systems are stored in logical components. Main instances can be installed in one system.. the Logical Component.12 Appendix 12. such as: n System ID n Client n Installation Number n . and optimization. SAP Solution Manager uses the technical unit Solution to bundle systems according to various criteria: n related business process steps n related systems by administration purpose The term is related to another primary concept. In the operational phase. Definitions Infrastructure: Solution 03/30/2009 PUBLIC 161/172 ..1. but also as independent (technical) systems with independent system IDs. from a technical perspective. Example Technical System A technical unit based on one or more instances. which are then referenced in the solution. System component Solution Manager Diagnostics is of system component type Java. It is defined by technical attributes. Features The following table contains definitions of how these term are used in documentation.

Here. It forms the basis for subsequent applications. Solutions are independent of one another. and permanent Media Library Technical Papers . so all business processes defined for this solution run in systems with the system role: productive system.sap. all systems of one subsidiary. display) to objects in managed systems. Example See document Solution Concept and Design on SAP Service Marketplace at: http://service.1 Glossary Term Definition Additional Remarks Solution A group of systems administered in SAP Solution Manager. in implementation. Used only for business process operations: specifies the system role used for navigation (checks. Example User <XY> wants to check objects in the development systems. which are managed together. The default system role is production. such as Monitoring. e. allowing system-independent business process definition. for instance Solution Directory. Note Leading system role Navigation role Change of navigation role is user—specific and valid for all solutions in the Solution Directory. Used in relation to business process operations documentation. to be able to use these systems Example in a system landscape uniformly in See document Logical Components various SAP Solution Manager use on SAP Service Marketplace at: scenarios.12 Appendix 12. same SAP product release and main instance. It separates the abstract component level from the physical system level.g. all information about included systems and business processes running on these systems is stored.com/solutionmanager Media Library Logical Component Technical Papers . i.com/solutionmanager operational processing. The solution is defined in the Solution Directory (transaction SOLMAN_DIRECTORY). Job Scheduling Management or Issue Management. production system or development system. The system role of the business processes Used primarily in documentation for documented in a solution. A set of technical systems with the Used in general documentation. optimization. http://service. The leading 162/172 PUBLIC 03/30/2009 . Used in general documentation.sap.e. in overviews and so on.

12 Appendix 12.1 Glossary

Term

Definition

Additional Remarks

role of the solution is production system. The user specifies development system as navigation role.

03/30/2009

PUBLIC

163/172

This page is intentionally left blank.

A

Reference

A Reference

A.1 The Main SAP Documentation Types
The following is an overview of the most important documentation types that you need in the various phases in the life cycle of SAP software.
Figure 6:

Documentation Types in the Software Life Cycle

Cross-Phase Documentation

SAPterm is SAP’s terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many glossary entries in English and German. n Target group: l Relevant for all target groups Current version: n l On SAP Help Portal at http://help.sap.com access) or Terminology (as terminology CD) l In the SAP system in transaction STERM

Additional Information

Glossary

(direct

03/30/2009

PUBLIC

165/172

such as installation guides.com (also available as documentation DVD) The security guide describes the settings for a medium security level and offers suggestions for raising security levels. and so on. taking into account the combinations of operating systems and databases. n Target group: l System administrators l Technology consultants l Solution consultants n Current version: l On SAP Service Marketplace at http://service. SAP applications have a security guide of their own. and follow-up of an implementation. n Target group: l Technology consultants l Project teams for implementations n Current version: l On SAP Service Marketplace at http://service. It lists the required installable units for each business or IT scenario.sap.com/instguides Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycle platform.sap.sap. A collective security guide is available for SAP NetWeaver. n Target group: l Consultants l System administrators l Project teams for implementations or upgrades n Current version: l On SAP Help Portal at http://help. transactions. 166/172 PUBLIC 03/30/2009 . the technical infrastructure guide and SAP Notes. It does not describe any business-related configuration.1 Reference The Main SAP Documentation Types SAP Library is a collection of documentation for SAP software covering functions and processes. This document contains general guidelines and suggestions. It contains Customizing activities. n Target group: l Technology consultants l Project teams for implementations n Current version: l On SAP Service Marketplace at http://service. as well as documentation.sap. It provides scenario-specific descriptions of preparation.A A. execution.com/securityguide Implementation The master guide is the starting point for implementing an SAP solution. One of its main functions is the configuration of business and IT scenarios. It also provides references to other documents.com/instguides The installation guide describes the technical implementation of an installable unit.

It also refers to other documents.com/instguides Upgrade The upgrade master guide is the starting point for upgrading the business and IT scenarios of an SAP solution.1 Reference The Main SAP Documentation Types n Target group: l Technology consultants l Solution consultants l Project teams for implementations Current version: n l In SAP Solution Manager The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. and follow-up of an upgrade. SAP Solution Manager. (In order to configure a whole system landscape from a process-oriented perspective. master data maintenance. is used. It provides scenario-specific descriptions of preparation. transports. 03/30/2009 PUBLIC 167/172 . The manual refers users to the tools and documentation that are needed to carry out various tasks. backup/restore. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks. n Target group: l System administrators l Technology consultants l Solution consultants Current version: n l On SAP Service Marketplace at http://service. such as the upgrade guides and SAP Notes.A A. which refers to the relevant Customizing activities in the individual SAP systems. execution. and precedes the solution operations guide. n Target group: l System administrators n Current version: l On SAP Service Marketplace at http://service.sap.sap. and tests.com/instguides The solution operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed.) n Target group: l Solution consultants l Project teams for implementations or upgrades n Current version: l In the SAP menu of the SAP system under Tools Production Operation Customizing IMG The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver. The Customizing activities and their documentation are structured from a functional perspective. such as monitoring.

taking into account the combinations of operating systems and databases.sap. It does not describe any business-related configuration.com/instguides Release notes are documents that contain short descriptions of new features in a particular release or changes to existing features since the previous release. n Target group: l Consultants l Project teams for upgrades n Current version: l On SAP Service Marketplace at http://service.A A.sap.com/instguides The upgrade guide describes the technical upgrade of an installable unit. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).sap.1 Reference The Main SAP Documentation Types n Target group: l Technology consultants l Project teams for upgrades Current version: n l On SAP Service Marketplace at http://service. n Target group: l Technology consultants l Project teams for upgrades Current version: n l On SAP Service Marketplace at http://service.com/releasenotes l In the SAP menu of the SAP system under Help Release Notes (only ABAP developments) 168/172 PUBLIC 03/30/2009 .

for example. transaction codes. for example. and names of installation. menu names.sap. for example. menu options Emphasized words or expressions Words or characters that you enter in the system exactly as they appear in the documentation Textual cross-references to an internet address Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web Hyperlink to an SAP Note. for example. Arrows separating the parts of a navigation path. screen titles. program names. and key concepts of a programming language when they are surrounded by body text. database table names.Typographic Conventions Example <Example> Description Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system. and database tools Technical names of system objects. names of variables and parameters. SAP Note 123456 n Words or characters quoted from the screen. messages n Source code or syntax quoted directly from a program n File and directory names and their paths. pushbutton labels. upgrade. for example. These include field labels. These include report names. “Enter your <User Name>”. SELECT and INCLUDE Keys on the keyboard Example Example Example Example http://www. and menu options.com /example 123456 Example Example EXAMPLE EXAMPLE 03/30/2009 PUBLIC 169/172 . n Cross-references to other documentation or published works n Output on the screen following a user action.

Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. and SAP Group shall not be liable for errors or omissions with respect to the materials. Massachusetts Institute of Technology. Microsoft. Inc. The information contained herein may be changed without prior notice. Parallel Sysplex. and PowerPoint are registered trademarks of Microsoft Corporation. Nothing herein should be construed as constituting an additional warranty. Duet. VideoFrame. S/390. System p5.1 Gamma and XSLT processor SAXON 6. System z. Inc. and other countries. System x. and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.com © Copyright 2009 SAP AG. These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only.SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 34 F +49/18 05/34 34 20 www. Intelligent Miner. The information contained herein may be changed without prior notice. and Motif are registered trademarks of the Open Group. DB2 Universal Database. HACMP. UNIX. pSeries. z/OS. GPFS. xApps. BatchPipes. MVS/ESA. Citrix. RETAIN. JavaScript is a registered trademark of Sun Microsystems. RACF. WinFrame. eServer. PowerPC. and MultiWin are trademarks or registered trademarks of Citrix Systems.2) / XSL-FO: V5. AIX.net/). SAP Business ByDesign. R/3. xApp. Inc. POWER5+. Acrobat.S. POWER6. OS/400. xSeries. System Storage. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. System z9. Netfinity.. Program Neighborhood. z9. z/VM. Data contained in this document serves informational purposes only. and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. XSLT version 1. XHTML and W3C are trademarks or registered trademarks of W3C®. used under license for technology invented and implemented by Netscape. ICA. Redbooks. PartnerEdge. without representation or warranty of any kind. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services. i5/OS. System i. World Wide Web Consortium. 170/172 PUBLIC 03/30/2009 . All rights reserved. National product specifications may vary.sap. This document was created using stylesheet 2007-12-10 (V7. PowerVM. System z10. AS/400. PostScript. zSeries. System i5. if any. z10.sf.5. the Adobe logo. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. POWER6+. HTML. OpenPower. SAP NetWeaver. S/390 Parallel Enterprise Server. POWER. MetaFrame. Oracle is a registered trademark of Oracle Corporation. ByDesign. Java is a registered trademark of Sun Microsystems. OSF/1. OS/2. These materials are subject to change without notice. OS/390. DB2 Connect. SAP. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. X/Open.2 from Michael Kay (http://saxon. Outlook. All other product and service names mentioned are the trademarks of their respective companies. Linux is the registered trademark of Linus Torvalds in the U. iSeries. WebSphere. Power Architecture. System p. BladeCenter. XML. Adobe. IBM. Windows. DB2. Excel. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. POWER5.

Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited.Disclaimer Some components of this product are based on Java™. Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.com/instguides 03/30/2009 PUBLIC 171/172 . Documentation in the SAP Service Marketplace You can find this document at the following address: https://service. as is any decompilation of these components.sap.

All rights reserved.SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 34 F +49/18 05/34 34 20 www. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.com © Copyright 2009 SAP AG. .sap. The information contained herein may be changed without prior notice.

You're Reading a Free Preview

Download