Security Guide
SAP BusinessObjects Planning and Consolidation 7.5, version for SAP NetWeaver
Target Audience ■ Technical Consultants ■ System Administrators

PUBLIC Document version: 2.0 – 2010-06-15

SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 34 F +49/18 05/34 34 20 www.sap.com

© Copyright 2010 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. 
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.

2/42

PUBLIC

2010-06-15

Typographic Conventions

Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”.
→ | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
http://www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | ■ Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options. ■ Cross-references to other documentation or published works
Example | ■ Output on the screen following a user action, for example, messages ■ Source code or syntax quoted directly from a program ■ File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE | Keys on the keyboard


Document History

CAUTION

Before you start the implementation, make sure you have the latest version of this document. You can find the latest version at the following location: http://service.sap.com/securityguide. The following table provides an overview of the most important document changes.

Version | Date | Description
1.0 | 2009-12-15 | First Version
2.0 | 2010-06-15 | This is the update for SP03. For detailed information, refer to the appropriate SAP central note.


Table of Contents

Chapter 1   Introduction   7
Chapter 2   Before You Start   9
Chapter 3   Technical System Landscape   11
Chapter 4   Security Overview   13
Chapter 5   User Administration and Authentication   15
5.1   User Authentication Process   15
5.2   Authenticating through CMS   17
5.3   Authenticating through Active Directory   17
5.4   Setting Up Users   18
5.5   Setting Up Teams   18
5.6   Authorization Objects for SAP Business Explorer   19
Chapter 6   Authorizations   21
6.1   Task Profile Setup   21
6.2   Member Access Profile Setup   27
Chapter 7   Network and Communication Security   33
7.1   Network Security   33
7.2   Communication Channel Security   34
Chapter 8   Data Storage Security   37
Chapter 9   Dispensable Functions that Affect Security   39
Chapter 10   Trace and Log Files   41


1 Introduction

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereby the Security Guides provide information that is relevant for all life cycle phases.

Why is Security Necessary

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security apply likewise to Planning and Consolidation. To assist you in securing your system, we provide this Security Guide.

About This Document

The Security Guide provides an overview of the security-relevant information that applies to the system.

Overview of the Main Sections

The Security Guide comprises the following main sections:
■ Before You Start: This section contains references to other Security Guides that build the foundation for this Security Guide.
■ Technical System Landscape: This section contains a link to more information about the system landscape.
■ Security Overview: This section explains the initial users in the system and default authorizations. The section also provides an overview of the high-level steps needed to establish Planning and Consolidation security.
■ User Administration and Authentication: This section provides an overview of the following user administration and authentication aspects:
  ● Active Directory domain considerations
  ● User setup
  ● Team setup
■ Authorizations: This section provides details on the authorization concept that applies to Planning and Consolidation.
■ Network and Communication Security: This section provides an overview of the network topology and communication protocols used by the application.
■ Data Storage Security: This section describes the security aspects involved with saving data used by the application.
■ Dispensable Functions with Impact on Security: This section describes which functions are not absolutely necessary and how you can deactivate them.
■ Trace and Log Files: This section provides a link to where trace and log files are located.

2 Before You Start

Fundamental Security Guides

For a complete list of the available SAP Security Guides, see http://service.sap.com/securityguide on the SAP Service Marketplace.

Important SAP Notes

The most important SAP Notes that apply to the security of the system are shown in the table below.

SAP Note Number | Title | Comments
1410517 | SAP Planning and Consolidation 7.5 SP00, version for the NetWeaver platform | This is the Central Note for Planning and Consolidation 7.5.
1409989 | SAP Planning and Consolidation 7.5 SP01, version for the NetWeaver platform | This is the Central Note for Planning and Consolidation 7.5, Service Pack 01.
1433411 | SAP Planning and Consolidation 7.5 SP02, version for the NetWeaver platform | This is the Central Note for Planning and Consolidation 7.5, Service Pack 02.
1453797 | SAP Planning and Consolidation 7.5 SP03, version for the NetWeaver platform | This is the Central Note for Planning and Consolidation 7.5, Service Pack 03.

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

Content | Quick Link on the SAP Service Marketplace or SDN
Security | http://sdn.sap.com/irj/sdn/security
Security Guides | https://service.sap.com/securityguide
Related SAP Notes | https://service.sap.com/notes
Released Platforms | https://service.sap.com/pam
Network Security | https://service.sap.com/securityguide
SAP Solution Manager | https://service.sap.com/solutionmanager
SAP NetWeaver | http://sdn.sap.com/irj/sdn/netweaver


3 Technical System Landscape

For information about the technical system landscape, see the Master Guide from http://service.sap.com/instguidescpm-bpc → 7.5, version for SAP NetWeaver.


4 Security Overview

This section describes the security features included with Planning and Consolidation.

Features

Security Upon Initial System Installation

When you first install the system, the following items apply:
■ The installation user can access Server Manager locally on the application server, and access the Administration Console and Administration for the Web from any client machine. (After additional users are defined, they can also access the administration features remotely.)
■ The system administrator can perform all administrative tasks.
■ There are no other users defined. See User Setup [page 18].
■ There is one sample task profile that has full Administration privileges (PrimaryAdmin), but does not have any access to members, and another sample task profile that has full Administration privileges and dimension access (SysAdmin).
■ There is one Admin team defined that can be used as a sample. See Team Setup [page 18].
■ Administrators must specifically assign task profiles to users or teams of users before they can access any tasks. Similarly, if they do not assign member access profiles to users or teams to define access to members of a secured dimension, no one has access to that dimension. See Member Access Profile Setup [page 27].

Steps to Define Security

Defining security involves the following steps:
■ Name each user. See User Setup [page 18].
■ Assign users to teams. See Team Setup [page 18].
■ Assign task profiles to users or teams. See Task Profile Setup [page 21].
■ Assign member access profiles to users or teams. See Member Access Profile Setup [page 27].

Security Audit Files

All security-related changes, such as adding, changing, and deleting users, teams, task profiles, and member profiles, can be audited by Planning and Consolidation.

Administrators control whether activity auditing on administration tasks (including security tasks) is enabled or not. If enabled for administration tasks, all administration tasks are audited (see Activity Auditing in the Application Help for more information). Once the system records an activity, you can run a report that shows activity based on specified criteria (see Reporting on Activity Auditing in the Application Help). To enable activity auditing for Administration tasks, you choose Manage Activity Audit from the Administration from the Web interface, then choose Administration Activity.

Emergency User

When normal access to the system is no longer available, SAP customers can log on to the .NET server as SysAdmin (or other operating system users with administrative rights) to repair the Planning and Consolidation installation. For access to the ABAP server, see the NetWeaver Security Guide.

5 User Administration and Authentication

There are two authentication methods available in Planning and Consolidation:
■ SAP BusinessObjects User Management System (CMS)
■ Microsoft Windows (Active Directory)

During the installation of the Planning and Consolidation server, you specify which authentication method is appropriate for your needs. For more information, see the Operations Guide.

NOTE

If you are currently authenticating through Active Directory, there is a migration tool available that allows you to convert your users over to authenticate through CMS.

This section contains information about user administration and authentication in the following topics:
■ User Authentication Process
■ Authenticating through CMS
■ Authenticating through Active Directory
■ Setting up Users
■ Setting up Teams
■ Authorization Objects for SAP Business Explorer

5.1 User Authentication Process

This section describes how users are authenticated from the Office and Web clients.

Authentication of Office Clients

1. From the Logon window, credentials are either taken from the Windows operating system, or they must be entered using an alternate ID. In the latter case, the user enters a domain, user ID, and password.
2. The client creates a stub to call the Planning and Consolidation .NET Web server. This is configured to use the credentials supplied by the user during logon.

3. The system builds a SOAP request, including the user credentials. The request is sent to the application server.
4. The system validates that the user connecting to the Web server is the same user identified by the credentials. If the user is not authenticated, the Web server returns an HTTP 401 error.
5. The system calls the Planning and Consolidation authentication service to validate credentials. If CMS has been configured, the user credentials are validated against the BusinessObjects Enterprise SDK. If CMS authentication is not used, the user credentials are validated directly against Active Directory. For more details, see Authenticating through CMS [page 17] and Authenticating through Active Directory [page 17].
6. If the credentials are valid, the service returns Auth Success. If the user credentials are not valid, the authentication service returns Access is denied.
7. If the user is authenticated successfully, the application server sends the results to the Planning and Consolidation client.

Authentication of Web Clients

1. The user navigates to the Planning and Consolidation home page.
2. The Web server uses IIS Windows (Integrated or Basic) authentication. Windows prompts the user to enter a user ID and password.
3. The client creates a stub to call the Planning and Consolidation application server.
4. The system builds a SOAP request, including the user credentials. The request is sent to the application server.
5. The system validates that the user connecting to the Web server is the same user identified by the credentials. If the user is not authenticated, the Web server returns an HTTP 401 error.
6. The Web server calls the Planning and Consolidation authentication service to validate the user credentials. If CMS has been configured, the user credentials are validated against the BusinessObjects Enterprise SDK. If CMS authentication is not used, the user credentials are validated directly against Active Directory. For more details, see Authenticating through CMS [page 17] and Authenticating through Active Directory [page 17].
7. If the credentials are valid, the service returns Auth Success. If the user credentials are not valid, the authentication service returns Access is denied.
8. If the user is authenticated successfully, the Web server sends the results to the Planning and Consolidation client.

5.2 Authenticating through CMS

The BusinessObjects Enterprise (BOE) SDK and Central Management Server (CMS) subsystem provides additional authentication options that are not available in Active Directory, including single sign-on (SSO). Using SSO means that you do not need to provide authentication information when moving between Planning and Consolidation and other applications such as Xcelsius or Infoview.

CMS maintains a database of information about BOE (in the CMS database), and manages security, including access rights and authentication. The following diagram shows the BOE SDK and CMS architecture.

Figure 1: BusinessObjects SDK & CMS

For more information, see the Operations Guide.

5.3 Authenticating through Active Directory

If authenticating users through Active Directory, users must be valid Windows users on the .NET application server. When the user logs on, the system validates the password against Active Directory, and a user ID is added to the system with a domain name (for example, PC\hsmith). (If not on a domain, the system assumes the user ID is maintained within Active Directory.)

NOTE

In Server Manager, you can specify specific domains that are being used for Planning and Consolidation users. In addition, filters can be applied to those domains to select specific users from them.

5.4 Setting Up Users

You can add new users and assign them to teams, task profiles, and member access profiles. If you are not using the default task or member access profiles and have not set them up yet, we recommend that you define them before adding users. Alternatively, when you define the teams and profiles, you can assign users to them at that time. You might also want to create teams, so you can assign the newly added users to the appropriate teams.

When setting up users on the system, take the following considerations into account:
■ We recommend that all users come from a single domain.
■ We recommend that all users have access to the domain the server is on. If they do not have direct access, the domain must be trusted between the server and user domain.
■ The installation user must have rights to browse the users from all user domains.

NOTE

You can enable the server to be Sarbanes-Oxley compliant if you want all clients that access the server to challenge users for a user name and password. See the Server Manager section of the Application Help located at http://help.sap.com/epm.

Features

Adding Users

You can add users in the Admin Console. To do so, choose Security → Users. In the Manage Users action pane, select Add New User, then enter the required data to specify the domain, e-mail address, task profiles, and member access profiles. Follow the prompts in the assistant. When you are adding new users from a domain to the system, you have the ability to select one of the user-defined groups, then expand the domain name.

Modifying Users

You can modify a user definition in the Admin Console. To do so, choose Security → Users. Select a user. In the Manage Users Options task pane, choose Modify the selected user's definition, and customize it further.

5.5 Setting Up Teams

You can set up and maintain teams of users, if required. This allows you to set up task-based or member-based security for several users at the same time. When you assign security to a team, the security works collectively on the team members. Teams are not required to successfully process security.

Features

Adding teams

To add a team, in the Admin Console select Security → Teams → Add New Team. Enter data as required. Follow the prompts in the assistant.

Modifying teams

You can modify the definition of an existing team. When modifying a team, you can change everything except the team name. To modify a team definition, in the Admin Console select Security → Teams. Select the team, then click Modify the selected team's definition. Follow the prompts in the assistant to revise the team definition, revise selected team members, or assign different task and member access profiles.

Assigning team leaders

Assigning a team leader is useful when you want to give one person from the team special access rights, for example, the rights to save templates to the team folder. A team leader that has ManageTemplate privileges can save templates to their respective team folder. For more information, see the ManageTemplate task in Task Profile Setup [page 21]. In addition, a team leader is the only one who can save Data Manager conversion and transformation files. See TeamLeadAdmin in Task Profile Setup [page 21].

To assign a team leader, in the Admin Console select Security → Teams, and select the desired user from the team list.

5.6 Authorization Objects for SAP Business Explorer

For reporting through SAP Business Explorer (BEx), users must log on to the SAP backend system. Authorization objects for each user must be maintained in that system. The following table describes the authorization objects that are required.

Authorization Object | Technical Name | Description
BEx – Components | S_RS_COMP | Authorization for using different components for the query definition
BEx – Components | S_RS_COMP1 | Authorization for queries from specific owners
BEx – Components | S_RS_FOLD | Display authorization for folders
BEx – Individual Tools | S_RS_TOOLS | Authorization for individual Business Explorer tools
BEx – Enterprise Reports | S_RS_ERPT | Authorization for BEx enterprise reports
BEx – Enterprise Report Reusable Elements | S_RS_EREL | Authorization for reusable elements of a BEx enterprise report
BEx – Data Access Services | S_RS_DAS | Authorizations for working with data access services
BEx – Web Templates | S_RS_BTMP | Authorization for working with BEx Web templates
BEx – Reusable Web Items | S_RS_BITM | Authorization for working with BEx Web items
BEx Information Broadcasting Authorization for Scheduling | S_RS_BCS | Authorization for registering broadcast settings for execution
BEx Texts (Maintenance) | S_RS_BEXTX | Authorization for maintaining BEx texts

6 Authorizations

Authorization is defined by task profiles and member access profiles:
■ Task profiles define what type of activities or tasks a user or a team of users can perform.
■ Member access profiles define the specific applications to which users have access.

6.1 Task Profile Setup

A task profile defines the type of activities or tasks a user or a team of users can perform in Planning and Consolidation. You can add tasks to a profile as needed. After creating a task profile, you assign it to one or more users.

Features

Administrator Roles

A role is a predefined set of administration tasks. If you want to assign a user one or more administration tasks, you must assign them one of the predefined administrator roles. Without one of these role assignments, the user cannot perform any administrator tasks. The three administrator roles are:
■ System Admin
■ Primary Admin
■ Secondary Admin

Default task rights

A System Administrator (System Admin), by default, has the following task rights:
■ Appset
■ DefineSecurity

A Primary Administrator (Primary Admin), by default, has the following task rights:
■ Application
■ BusinessRules
■ DefineSecurity
■ Dimensions
■ Lockings
■ ManageAudit
■ ManageComments
■ ManageContentLibrary
■ ManageDistributor
■ ManageLiveReport
■ ManageTemplates
■ Misc
■ UpdateToCompanyFolder
■ WebAdmin

A Secondary Administrator (Secondary Admin), by default, has the following task rights:
■ Dimensions

Administration Task Profile Descriptions

The following table describes the available tasks in the Administration interface:

Task | Can be assigned to | Description
Application | Only the primary administrator (default) | Can create, process, optimize, and delete applications in this application set.
Appset | System administrator, by default, but can be assigned to primary administrator | Can create new application sets, modify application sets, and set application set parameters (in Web Admin Tasks).
Business Rules | Primary administrator, by default, but can be assigned to secondary administrator | Define business rules.
Dimension | Only primary and secondary administrators (default) | Create, modify, and delete dimensions and members.
Lockings | Primary administrator, by default, but can be assigned to secondary administrator | Define and edit work status codes.
ManageDrillThrough | Primary administrator, by default, but can be assigned to secondary administrator | Create and modify drill-through setup.
Misc | Primary administrator, by default, but can also be assigned to system and secondary administrators | View application set status.

AnalysisCollection Task Profile Descriptions

The following table describes the available tasks in the AnalysisCollection interface:

Task | Can be assigned to | Description
eAnalyze | Anyone | Access, manage, and edit ad hoc and audit reports.
EditDynamicHierarchy | Anyone | A user with this task can edit dynamic hierarchy structures.

ManageTemplate | Anyone | A user with this task can access templates from the company folder. A team member or team leader with this task can access and save templates to their respective team folder, and restrict workbook options. Can post documents with application context to the Content Library.
OpenWordPptFiles | Anyone | A user with this task can open Microsoft Word and Microsoft PowerPoint files.
SaveWordPptFiles | Anyone | A user with this task can save Microsoft Word and Microsoft PowerPoint files.
SubmitData | Anyone | Can access the build input schedules and send data. Can use spread, weight, and trend options.

Audit Task Profile Descriptions

The following table describes the available tasks in the Audit interface:

Task | Can be assigned to | Description
ManageAudit | Anyone | Can manage activity and data auditing.

Business Process Flows Task Profile Descriptions

The following table describes the available tasks in the Business Process Flow interface:

Task | Can be assigned to | Description
BPFExecution | Anyone | This user or team can execute business process flow tasks.
ManageBPF | Only the primary administrator (default) | This user or team can create, modify, and delete business process flows.

Collaboration Task Profile Descriptions

The following table describes the available tasks in the Collaboration interface:

Task | Can be assigned to | Description
ManageDistributor | Anyone | This user or team can use the Offline Distributor.
PublishOffline | Anyone | This user or team collects changes to offline input schedules and sends data to a database.

Comments Task Profile Descriptions

The following table describes the available tasks in the Comments interface:

Task | Can be assigned to | Description
AddComment | Anyone | This user or team can add comments.
ManageComments | Anyone | This user or team can remove comments.

Data Manager Task Profile Descriptions

The following table describes the available tasks in the DM interface:

Task | Can be assigned to | Description
Execute | Anyone | This user or team can manage Data Manager packages: ■ Data upload ■ Data download ■ Data Preview ■ Clear saved prompts ■ View status based on user ID ■ View schedule status based on user ID ■ Run Specific package ■ Run user package ■ Validate & Process conversion files for company ■ Validate & Process transformation files for company ■ Maintain status based on user ID ■ View status
CalculateOwnership | Anyone | This user or team can run the Data Manager package Calculate Ownership.
GeneralAdmin | Anyone | This user or team can perform tasks such as: ■ New Transformation ■ Test transformation with data ■ New Conversion ■ New Conversion Sheet ■ Transformation ■ Save ■ Save Transformation As ■ Save Conversion ■ Save Conversion As
PrimaryAdmin | Anyone | Can perform the following default PrimaryAdmin tasks: ■ Manage transformation files for company and Validate & Process ■ Manage conversion files for company and Validate & Process ■ Packages that run against the fact table directly are limited to admin ■ Manage team package access ■ Organize package list ■ Maintain status regardless of user ID ■ Run admin package
TeamLeadAdmin | Anyone | Can perform the following tasks: ■ Open transformation files from team folder and validate & process ■ Open conversion files from team folder and validate & process ■ Perform a data preview from the team folder ■ Perform a data upload from the team folder ■ Perform a data download from the team folder. NOTE: These tasks cannot be performed on the Company folder.
Team Leader | TeamLeadAdmin team member, but they must also have ManageTemplate rights. | ■ All tasks described in TeamLeadAdmin, above ■ Save transformation files ■ Save conversion files

FileAccess Task Profile Descriptions

The following table describes the available tasks in the FileAccess interface:

Task | Can be assigned to | Description
UpdateToCompanyFolder | Anyone | A user, team member, or team leader with this task can save templates to the company folder. CAUTION: We recommend that you restrict access of this task to a few privileged users.

Journal Task Profile Descriptions

The following table describes the available tasks in the Journal interface:

Task | Can be assigned to | Description
AdminJournal | Anyone | Can manage journals as follows: ■ Create and maintain journal templates ■ Clear journal tables
CreateJournal | Anyone | Can create or modify journal entries.
PostJournals | Anyone | Can post journals.
ReviewJournals | Anyone | Can review journals.
UnpostJournals | Anyone | Can unpost journal entries.

Security Task Profile Descriptions

The following table describes the available tasks in the Security interface:

Task | Can be assigned to | Description
DefineSecurity | Only system and primary administrators (by default) | Can manage users, teams, task, and member access profiles.

ViewSystemReport Task Profile Descriptions

The following table describes the available tasks in the ViewSystemReport interface:

Task | Can be assigned to | Description
AuditReport | Anyone | This user or team can create audit reports.
SecurityReport | Anyone | This user or team can create security reports.
CommentReport | Anyone | This user or team can run a comment report.
JournalReport | Anyone | This user or team can run a journal report.
Workstatus report | Anyone | This user or team can run a work status report.

WorkStatus Task Profile Descriptions

The following table describes the available tasks in the WorkStatus interface:

Task | Can be assigned to | Description
SetWorkStatus | Anyone | This user or team creates work status on a data region.

ZFP Task Profile Descriptions

The following table describes the available tasks in the Web interface:

Task | Can be assigned to | Description
AccessContentLib | Anyone | This user or team can access, filter, and sort the Content Library and add pages to it in the Web interface.
CreateWebPage | Anyone | This user or team can create new web pages in the Web interface.
LiveReport | Anyone | This user or team can access live reports in the Web interface.
ManageContentLib | Anyone | Can manage all items in the Content Library.
ManageLiveReport | Anyone | This user or team can manage live reports using drag & drop in the Web interface.
WebAdmin | Anyone | Can do the following in Web Admin Tasks:
    ■ Set application parameters
    ■ Manage dimensions (make changes to existing dimensions based on dimension)
    ■ Manage document types and subtypes
    ■ Publish non-Planning and Consolidation reports

Adding a Task Profile

To create a new task profile in the Admin Console, choose Security → Task Profiles. Enter data as required.

Tips for Assigning Task Profiles

■ The number of task profiles administrators can assign to a user is not limited. However, we recommend that you do not assign multiple task profiles to users because it may cause confusion in determining their ultimate access rights. Task access security is cumulative, and tasks cannot be explicitly denied. As a result, assigning multiple task profiles can create a situation where users have access to tasks that you may not want them to have. For example, an administrator wants UserA to only retrieve data. If UserA belongs to a team that possesses data-send task rights, UserA can also send data.
■ Administrators can assign multiple task profiles to a team. However, we recommend that you do not assign multiple task profiles to a team because it may cause confusion in determining the ultimate access rights of that team.

6.2 Member Access Profile Setup

You must define a member access profile for all secured dimensions of an application. If no profile is defined for a secured dimension, the users assigned to the profile do not have access rights to that application. If you partially define access, for example, for one of two secured dimensions, users are still denied access to the application.

Features

General Rules for Member Access Security

Member access security is based on the following rules:
■ By default, no one other than the system administrator has access to members. Member access must be explicitly granted.
■ Member access privileges flow down the hierarchy, from parent to child. For example, if you grant access to a member that has 10 children, users with access to the parent member also have access to the 10 children.
■ A user can be assigned member access individually and through team membership.
■ In case of a conflict between individual and team member access, the least restrictive member access profile is applied.
■ Denial of member access can be set only at the user level.
■ When in conflict, the least restrictive setting is applied.

Defining Access to Members with Children

When defining access to a secured dimension that has one or more defined hierarchies, security is applied to the member and all of its children. You can restrict a child member of a parent with 'Read' or 'Read and Write' access by creating a separate member access profile and assigning the child 'Denied' access. Alternatively, you can use the same member access profile as the parent, but create a new line item for the child.

Creating Member Access Profiles

You can add member access profiles from the Admin Console by choosing Security → Member Access Profiles → Add a New Member Access Profile and following the prompts in the New Member Access Profile assistant. After creating a member access profile, you assign it to users as needed. Be sure to choose Apply to process the new member access profiles.

Modifying Member Access Profiles

You can modify an existing member access profile by selecting Modify the selected profile definition in the Manage Profile Options action pane. Follow the prompts in the Modify Profile assistant.

Resolving Member Access Profile Conflicts

Since you can define member access by individual users and by teams, there may be situations in which conflicts occur. The following topics describe some potential member access conflict scenarios and the rules the system applies to resolve those conflicts. These scenarios are based on the assumption that the Entity dimension is a secured dimension and has the following hierarchical structure:

Hierarchy H1:
    WorldWide1
        Sales
            SalesAsia
                SalesKorea
                SalesJapan
                ESalesAsia
            SalesEurope
                SalesItaly
                SalesFrance
                ESalesEurope

Hierarchy H2:
    WorldWide2
        Asia
            Korea: SalesKorea
            Japan: SalesJapan
            eAsia: ESalesAsia
        Europe
            Italy: SalesItaly
            France: SalesFrance
            eEurope: ESalesEurope

Conflict Between Profiles

When there is a conflict between member access profiles, the least restrictive profile is always applied. This section describes three different scenarios where there are conflicts between profiles.

EXAMPLE
Scenario 1:
■ User1 belongs to Team1 and Team2.
■ There are two member access profiles: ProfileA and ProfileB.
■ ProfileA is assigned to Team1 and ProfileB is assigned to Team2.

The member access profiles are described in the following table:

Member access profile | Access | Dimension | Member
ProfileA | Read & Write | Entity | Sales
ProfileB | Read Only | Entity | SalesAsia

In this case, the least restrictive profile between the two, ProfileA (Read & Write), is applied. ProfileB is ignored by the system, and User1 is able to send data to both SalesKorea and SalesItaly.

EXAMPLE
Scenario 2:
■ User1 belongs to Team1 and Team2.
■ There are two member access profiles: ProfileA and ProfileB.
■ ProfileA is assigned to Team1 and ProfileB is assigned to Team2.

The member access profiles are described in the following table:

Member access profile | Access | Dimension | Member
ProfileA | Read Only | Entity | Sales
ProfileB | Read & Write | Entity | SalesAsia

In this case, the least restrictive profile between the two, ProfileB (Read & Write), is applied for the child members of SalesAsia, and ProfileA is ignored by the system for those members. For the remaining children of Sales only ProfileA applies. As a result, User1 is able to send data to SalesKorea, but not to SalesItaly.

EXAMPLE
Scenario 3:
■ User1 does not belong to any team.
■ There are two member access profiles: ProfileA and ProfileB.
■ Both profiles are assigned to the user.

The member access profiles are described in the following table:

Member access profile | Access | Dimension | Member
ProfileA | Denied | Entity | SalesAsia
ProfileB | Read Only | Entity | Sales

In this case, the least restrictive profile between the two, ProfileB (Read Only), is applied. ProfileA is ignored by the system, and User1 is able to retrieve data from both SalesKorea and SalesItaly.

Conflict Between Parent and Child Members

Authority always flows down the hierarchy from parent to child. Child members always have the access level of their parents, unless otherwise specified.

When access is specified separately for a descendant and the two settings conflict, the setting closest to the member applies: the descendant's own line item governs that member and everything below it, whether it is more or less restrictive than the parent's setting, as the two scenarios below show.

EXAMPLE
Scenario 1:
■ User1 belongs to Team1 and ProfileA is assigned to Team1.
■ ProfileA has two levels of member access profiles.

The member access profiles for ProfileA are described in the following table:

Member access profile | Access | Dimension | Member
ProfileA | Read Only | Entity | Sales
ProfileA | Read & Write | Entity | SalesAsia

In this case, the Read Only access of the Sales member flows down to its children. This flow is interrupted by assigning Read & Write access to SalesAsia (a descendant of Sales), and SalesAsia's access flows down to its descendants. As a result, User1 is able to send data to SalesKorea but not to SalesItaly.

EXAMPLE
Scenario 2:
■ User1 belongs to Team1 and ProfileA is assigned to Team1.
■ Two levels of member access profiles are defined for ProfileA.

The member access profiles for ProfileA are described in the following table:

Member access profile | Access | Dimension | Member
ProfileA | Read & Write | Entity | Sales
ProfileA | Read Only | Entity | SalesAsia

In this case, the Read & Write access of the Sales member flows down to its children. This flow is interrupted by assigning Read Only access to SalesAsia (a descendant of Sales), and SalesAsia's access flows down to its descendants. As a result, User1 is able to send data to SalesItaly, but not to SalesKorea.

Conflict When the Same Member Belongs to Different Hierarchies

When a member belongs to different hierarchies and the access it inherits through those hierarchies conflicts, the conflict is resolved like a conflict between profiles: the least restrictive access is applied, as the following scenario shows.

EXAMPLE
Scenario: ProfileA and ProfileB are assigned to User1. The member access profiles are described in the following table:

Member access profile | Access | Dimension | Member

ProfileA | Read Only | Entity | WorldWide1
ProfileB | Read & Write | Entity | WorldWide2

In this case, ProfileB determines User1's access. As a result, User1 is able to send data to SalesKorea, even though ProfileA denies User1 Write access to SalesKorea (in the WorldWide1 hierarchy).
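The resolution rules of the scenarios above, collected into one model so that a proposed set of profiles can be checked before it is applied. This is an added example and not code from the guide or the product: the H1 and H2 hierarchies and the profile contents are the guide's; the child-to-parent maps, the function names and the ordering of Denied below Read Only below Read & Write are this example's own choices.

```python
"""Model of the member access resolution rules described in this guide.

Added example, not product code.  The Entity hierarchies H1 and H2 and the
profile contents come from the guide's scenarios; the representation as
child -> parent maps and the function names are assumptions of this example.
"""
from enum import IntEnum
from typing import Dict, Iterable, List, Optional


class Access(IntEnum):
    """Ordered so that max() picks the least restrictive setting."""
    DENIED = 0
    READ_ONLY = 1
    READ_WRITE = 2


# Hierarchies as child -> parent maps; a member that is never a key is a root.
H1: Dict[str, str] = {
    "Sales": "WorldWide1",
    "SalesAsia": "Sales", "SalesEurope": "Sales",
    "SalesKorea": "SalesAsia", "SalesJapan": "SalesAsia", "ESalesAsia": "SalesAsia",
    "SalesItaly": "SalesEurope", "SalesFrance": "SalesEurope", "ESalesEurope": "SalesEurope",
}
H2: Dict[str, str] = {
    "Asia": "WorldWide2", "Europe": "WorldWide2",
    "Korea": "Asia", "Japan": "Asia", "eAsia": "Asia",
    "Italy": "Europe", "France": "Europe", "eEurope": "Europe",
    "SalesKorea": "Korea", "SalesJapan": "Japan", "ESalesAsia": "eAsia",
    "SalesItaly": "Italy", "SalesFrance": "France", "ESalesEurope": "eEurope",
}
HIERARCHIES = (H1, H2)

# One member access profile for the secured Entity dimension: member -> access.
Profile = Dict[str, Access]


def ancestors(member: str, hierarchy: Dict[str, str]) -> List[str]:
    """[member, parent, grandparent, ...] within one hierarchy."""
    chain = [member]
    while chain[-1] in hierarchy:
        chain.append(hierarchy[chain[-1]])
    return chain


def profile_access(profile: Profile, member: str) -> Optional[Access]:
    """Access one profile grants to a member, or None if it grants nothing.

    Within a profile, access flows down the hierarchy and the closest
    explicit line item wins, so an entry for SalesAsia overrides one for
    Sales whether it is more or less restrictive (parent/child scenarios).
    A member that sits in several hierarchies takes the least restrictive
    result across them (different-hierarchies scenario).
    """
    best: Optional[Access] = None
    for hierarchy in HIERARCHIES:
        for node in ancestors(member, hierarchy):
            if node in profile:
                best = profile[node] if best is None else max(best, profile[node])
                break  # nearest entry in this hierarchy decides
    return best


def effective_access(profiles: Iterable[Profile], member: str) -> Access:
    """Combine every profile a user holds, directly or through teams.

    Nothing is granted by default, and across profiles the least
    restrictive one applies, so Denied in one profile loses to Read Only
    in another (profile-conflict scenario 3).
    """
    granted = [a for a in (profile_access(p, member) for p in profiles) if a is not None]
    return max(granted) if granted else Access.DENIED


def can_retrieve(profiles: Iterable[Profile], member: str) -> bool:
    return effective_access(profiles, member) >= Access.READ_ONLY


def can_send(profiles: Iterable[Profile], member: str) -> bool:
    return effective_access(profiles, member) == Access.READ_WRITE


if __name__ == "__main__":
    # Profile-conflict scenario 2: Read Only on Sales versus Read & Write on SalesAsia.
    profile_a = {"Sales": Access.READ_ONLY}
    profile_b = {"SalesAsia": Access.READ_WRITE}
    for entity in ("SalesKorea", "SalesItaly"):
        print(entity, effective_access([profile_a, profile_b], entity).name)
```

Run against the guide's own scenarios the model reproduces each stated outcome; the practical use is to feed it the profiles a user collects through all team memberships and confirm that no member ends up writable that was meant to stay read-only, which is exactly the situation the "least restrictive wins" rule makes easy to miss.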


7 Network and Communication Security

Your network infrastructure is important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, intruders have no direct way to compromise the machines and gain access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for Planning and Consolidation is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Planning and Consolidation. Details that specifically apply to Planning and Consolidation are described in the following topics:
■ Communication Channel Security: describes the communication paths and protocols used by the application.
■ Network Security: describes the recommended network topology for the application. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection.

For more information, see the following sections in the SAP NetWeaver Security Guide:
■ Network and Communication Security
■ Security Guides for Connectivity and Interoperability Technologies

7.1 Communication Channel Security

The table below shows the communication paths used by the application, the protocol used for the connection, and the type of data transferred.

Communication Paths

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Client and .NET web/application server | HTTP/HTTPS | Client requests and server responses | Passwords; proprietary business financial and performance metrics
.NET web/application server and NetWeaver server | RFC (through the SAP .NET Connector) | Client requests and server responses | Passwords; proprietary business financial and performance metrics
Client and Windows Active Directory (optional) | TCP/IP | Windows native behavior | Proprietary business financial and performance metrics
.NET web/application server and Windows Active Directory | TCP/IP | Windows native behavior | Proprietary business financial and performance metrics
NetWeaver application server and NetWeaver databases | Details are covered in the SAP NetWeaver Security Guide. | |

NOTE
■ We recommend HTTPS between the client and the .NET web/application server for enhanced security. HTTPS is required if the client uses basic authentication to access the .NET web/application server, because basic authentication sends the password with every request.
■ Communication with the Windows Active Directory is done by the native Windows operating system.
■ The RFC destination is used for after-import transactions for transports on the ABAP side, and must be configured exclusively for the Planning and Consolidation application. For more information on creating the RFC destination, see the Configuring the ABAP Component section of the Installation Guide.

For information about application ports, see the Server Options section in the Operations Guide or the Installation Guide.

7.2 Network Security

You can implement the following components of the application in different network segments:
■ Client
■ .NET web/application server
■ NetWeaver application server

We recommend any of the following three environments, based on your technical requirements:
■ All components in one network zone (LAN)
■ Client in the Internet zone, while all server-side components (.NET application server and NetWeaver tier) are in one zone (LAN)
■ Client in the Internet zone, .NET application server in a DMZ, and the NetWeaver tier in a different zone

NOTE The NetWeaver tier includes a database server and an optional BIA. Therefore we also support placing the NetWeaver application server in one network zone and the NetWeaver database and BIA in a different network zone.
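The requirement in the communication paths table of 7.1, that basic authentication between the client and the .NET web/application server must only be offered over HTTPS, is easy to verify against a captured response. The following check is an added example and not product code: it parses a raw HTTP response and flags a cleartext endpoint that does not redirect to HTTPS, and separately flags a Basic challenge over cleartext. The sample responses are constructed, and the host name bpc.example.internal is a placeholder.

```python
"""Flag password-bearing authentication offered over a cleartext channel.

Added example for the client to .NET web/application server path; it is not
product code.  The responses below are constructed, and the host name
bpc.example.internal is a placeholder.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

FINDING_CLEARTEXT = "cleartext HTTP accepted without a redirect to HTTPS"
FINDING_BASIC = "Basic authentication challenged over HTTP: the password crosses the network unencrypted"


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]]]:
    """Split an HTTP/1.x response into (status code, headers).

    Header names are lower-cased; repeated headers keep their order so that
    several WWW-Authenticate challenges are all seen.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def auth_schemes(headers: Dict[str, List[str]]) -> List[str]:
    """Authentication schemes the server offers, e.g. ['negotiate', 'ntlm']."""
    return [c.split(None, 1)[0].lower() for c in headers.get("www-authenticate", []) if c]


def audit_channel(url: str, raw: bytes) -> List[str]:
    """Findings for one request URL and the raw response it produced."""
    scheme = urlsplit(url).scheme.lower()
    status, headers = parse_response(raw)
    if scheme != "http":
        return []  # TLS protects both the credential and the business data
    location = headers.get("location", [""])[0].lower()
    if status in (301, 302, 307, 308) and location.startswith("https://"):
        return []  # the channel is upgraded before any credential is requested
    findings = [FINDING_CLEARTEXT]
    if "basic" in auth_schemes(headers):
        findings.append(FINDING_BASIC)
    return findings


# Constructed responses, not captures from a real system.
CHALLENGE = (b"HTTP/1.1 401 Unauthorized\r\n"
             b"WWW-Authenticate: Basic realm=\"Planning and Consolidation\"\r\n"
             b"Content-Length: 0\r\n\r\n")
REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Location: https://bpc.example.internal/\r\n"
            b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for url, raw in (("http://bpc.example.internal/", CHALLENGE),
                     ("http://bpc.example.internal/", REDIRECT),
                     ("https://bpc.example.internal/", CHALLENGE)):
        print(url, audit_channel(url, raw) or ["ok"])
```

The check treats a redirect to HTTPS as acceptable because no credential is requested on the cleartext leg; a 401 over plain HTTP that offers only Negotiate or NTLM is still reported, since the business data the table lists as requiring protection would travel unencrypted even though the password itself would not.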


8 Data Storage Security

In Planning and Consolidation, user data is stored in Active Directory, and authorization data is stored in the SAP NetWeaver database. Some configuration data is loaded upon system installation; the configuration file is located on the .NET server tier in \PC\Websrvr\web\ServerConfiguration.config. Business data is loaded by end users and administrators and stored in the SAP database.

The system is pre-configured to provide a substantial level of data protection, but you should also make sure that no one has access to the service accounts defined during the installation.

The system uses a client-side file system to store metadata and template data temporarily, because read, write, change, delete, and query access for existing data may be required. This data is stored in the local file system of the client within the \MyDocuments\OutlookSoft directory. We recommend that only end users and administrators have access to this directory.

Since Interface for the Web uses a browser as its interface, it uses cookies to store front-end metadata and configuration information during individual user sessions. This data requires no special protection, and no special measures to protect the cookies are necessary.


9 Dispensable Functions that Affect Security

Planning and Consolidation uses the following system resources:
■ Client tier: file system, system components, operating system
■ .NET server tier: system components, operating system
■ ABAP server: system components, operating system

There are no administration tools or installation tools that can be deleted after installation.

Client Installation

A Planning and Consolidation installation includes a Microsoft Office client and an Administration client for different kinds of end users. Users can install one or both.

Server Installation

For the server installation, all functional modules are necessary and are used at runtime. An installation contains a default application set named ApShell. This is the only component you can remove after you complete your own application set development.


10 Trace and Log Files

Every day the system creates two log files: one that contains information about server operations, and one that contains information about client operations. Log files are named log<date>.txt. The log files for the .NET application and web server are stored in <c:>\PC_NW\Logging on the server machine. The log files for the client are stored in <c:>\Documents and Settings\<username>\My Documents\Planning and Consolidation\Logging on the client machine.

Trace files are located in <c:>\PC_NW\Logging\trace. They are named BPCTRACEx.LOG, where x is a number between 0 and 9.

sap. All rights reserved. . No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 34 F +49/18 05/34 34 20 www.com © Copyright 2010 SAP AG.
