Upload
others
View
12
Download
0
Embed Size (px)
Citation preview
Security Guide
Document Version: 2.0 – 2019-12-19
CUSTOMER
SAP Apparel and Footwear (AFS) Release 6.8
2
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Introduction
Typographic Conventions
Type Style Description
Example Words or characters quoted from the screen. These include field names, screen titles,
pushbuttons labels, menu names, menu paths, and menu options.
Textual cross-references to other documents.
Example Emphasized words or expressions.
EXAMPLE Technical names of system objects. These include report names, program names,
transaction codes, table names, and key concepts of a programming language when they
are surrounded by body text, for example, SELECT and INCLUDE.
Example Output on the screen. This includes file and directory names and their paths, messages,
names of variables and parameters, source text, and names of installation, upgrade and
database tools.
Example Exact user entry. These are words or characters that you enter in the system exactly as
they appear in the documentation.
<Example> Variable user entry. Angle brackets indicate that you replace these words and characters
with appropriate entries to make entries in the system.
EXAMPLE Keys on the keyboard, for example, F2 or ENTER .
SAP Apparel and Footwear (AFS)
Introduction
Customer
© 2016 SAP SE. All rights reserved. 3
Document History
Version Date Change
1.0 2016-12-23 Document created
2.0 2019-12-19 Added new chapter Data Protection
4
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Introduction
Table of Contents
1 Introduction ................................................................................................................................... 5
2 Before You Start ............................................................................................................................ 8
3 Technical System Landscape ..................................................................................................... 11
4 Authorizations ............................................................................................................................. 12
5 Session Security Protection ...................................................................................................... 14
6 Network and Communication Security .................................................................................... 15 6.1 Communication Channel Security ......................................................................................................16 6.2 Network Security .................................................................................................................................. 17 6.3 Communication Destinations ..............................................................................................................18
7 Internet Communication Framework Security ....................................................................... 20
8 Data Storage Security ................................................................................................................ 21
9 Data Protection ........................................................................................................................... 22 9.1 Deletion of Personal Data ................................................................................................................... 23 9.2 Retrieving Personal Data Processed in SAP Apparel and Footwear............................................... 29
10 Enterprise Services Security .................................................................................................... 30
11 Security-Relevant Logging and Tracing ................................................................................... 31
12 Services for Security Lifecycle Management .......................................................................... 32
SAP Apparel and Footwear (AFS)
Introduction
Customer
© 2016 SAP SE. All rights reserved. 5
1 Introduction
Caution
This guide does not replace the administration or operation guides that are available for productive
operations.
Target Audience
• Technology consultants
• Security consultants
• System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation
Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas
the Security Guides provide information that is relevant for all life cycle phases.
Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands on
security are also on the rise. When using a distributed system, you need to be sure that your data and processes
support your business needs without allowing unauthorized access to critical information. User errors,
negligence, or attempted manipulation of your system should not result in loss of information or processing time.
These demands on security apply likewise to the SAP Apparel and Footwear. To assist you in securing the SAP
Apparel and Footwear, we provide this Security Guide.
About this Document
The Security Guide provides an overview of the security-relevant information that applies to the SAP Apparel and
Footwear.
6
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Introduction
Overview of the Main Sections
The Security Guide comprises the following main sections:
• Before You Start
This section contains information about why security is necessary, how to use this document and references
to other Security Guides that build the foundation for this Security Guide.
• Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by the
SAP Apparel and Footwear.
• Security Aspects of Data, Data Flow and Processes
This section provides an overview of security aspects involved throughout the most widely-used processes
within the SAP Apparel and Footwear.
• User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
o Recommended tools to use for user management
o User types that are required by the SAP Apparel and Footwear
o Standard users that are delivered with SAP Apparel and Footwear
o Overview of the user synchronization strategy, if several components or products are involved
o Overview of how integration into Single Sign-On environments is possible
• Authorizations
This section provides an overview of the authorization concept that applies to the SAP Apparel and Footwear.
• Session Security Protection
This section provides information about activating secure session management, which prevents JavaScript or
plug-ins from accessing the SAP logon ticket or security session cookie(s).
• Network and Communication Security
This section provides an overview of the communication paths used by the SAP Apparel and Footwear and the
security mechanisms that apply. It also includes our recommendations for the network topology to restrict
access at the network level.
• Internet Communication Framework Security
This section provides an overview of the Internet Communication Framework (ICF) services that are used by
the SAP Apparel and Footwear.
• Application-Specific Virus Scan Profile (ABAP)
This section provides an overview of the behavior of the AS ABAP when application-specific virus scan profiles
are activated.
• Data Storage Security
This section provides an overview of any critical data that is used by the SAP Apparel and Footwear and the
security mechanisms that apply.
• Data Protection
This section provides information about how the SAP Apparel and Footwear protects personal or sensitive
data.
SAP Apparel and Footwear (AFS)
Introduction
Customer
© 2016 SAP SE. All rights reserved. 7
• Security for Third-Party or Additional Applications
This section provides security information that applies to third-party or additional applications that are used
with the SAP Apparel and Footwear.
• Dispensable Functions with Impacts on Security
This section provides an overview of functions that have impacts on security and can be disabled or removed
from the system.
• Enterprise Services Security
This section provides an overview of the security aspects that apply to the enterprise services delivered with
the SAP Apparel and Footwear.
• Security-Relevant Logging and Tracing
This section provides an overview of the trace and log files that contain security-relevant information, for
example, so you can reproduce activities if a security breach does occur.
• Services for Security Lifecycle Management
This section provides an overview of services provided by Active Global Support that are available to assist
you in maintaining security in your SAP systems on an ongoing basis.
• Appendix
This section provides references to further information.
8
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Before You Start
2 Before You Start
Fundamental Security Guides
The SAP Apparel and Footwear is built from the component applications. Therefore, the corresponding Security
Guides also apply to SAP Apparel and Footwear. As SAP Apparel and Footwear is provided as an ABAP add-on to
SAP ERP, the security guidelines applicable to SAP ERP also apply to SAP Apparel and Footwear. Pay particular
attention to the most relevant sections or specific restrictions as indicated in the table below.
Fundamental Security Guides
Scenario, Application or Component Security Guide Most Relevant Sections or Specific Restrictions
SAP NetWeaver Security Guide
In the SAP NetWeaver Security Guide, choose
Security Guides for SAP NetWeaver according to
Usage Types Security Guides for Usage Type AS.
SAP ERP Central Component Security Guide All sections
SAP NetWeaver Security Guide
In the SAP NetWeaver Security Guide, choose Security
Guides for the Operating System and Database
Platforms.
For a complete list of the available SAP Security Guides, see SAP Service Marketplace at
http://service.sap.com/securityguide.
Important SAP Notes
The most important SAP Notes that apply to the security of the SAP Apparel and Footwear are shown in the table
below.
Title SAP Note Comment
138498 Single Sign-On Solutions Information on Single Sign-On
Solutions for SAP systems
30724 Data Protection and Security in
SAP Systems
128447 Trusted/Trusting Systems
Needed for Customizing of RFC
connections for trusted/trusting
systems
783758 Security Guide ECC 5.0, 6.0
The SAP Note covers all
problems discovered after the
publication of the Security Guide,
and provides additional
information about security
issues.
SAP Apparel and Footwear (AFS)
Before You Start
Customer
© 2016 SAP SE. All rights reserved. 9
Title SAP Note Comment
619060 QCI: New RFC Server Installation
Guide
619057 QCI: External Function Calls
Using the CALL System
For a list of additional security-relevant SAP Hot News and SAP Notes, see also SAP Service Marketplace at
http://service.sap.com/securitynotes.
10
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Before You Start
Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.
Content Quick Link on SAP Service Marketplace or SCN
Security http://scn.sap.com/community/security
Security Guides http://service.sap.com/securityguide
Related SAP Notes http://service.sap.com/notes
http://service.sap.com/securitynotes
Released platforms http://service.sap.com/pam
Network security http://service.sap.com/securityguide
SAP Solution Manager http://service.sap.com/solutionmanager
SAP NetWeaver http://scn.sap.com/community/netweaver
SAP Apparel and Footwear (AFS)
Technical System Landscape
Customer
© 2016 SAP SE. All rights reserved. 11
3 Technical System Landscape
Use
For more information about the technical system landscape, see the resources listed in the table below.
Topic Guide/Tool Quick Link on SAP Service Marketplace or
SCN
Technical description for SAP
Apparel and Footwear
and the underlying components
such as SAP NetWeaver
Master Guide http://service.sap.com/instguides
High availability See applicable documents http://scn.sap.com/docs/DOC-7848
Technical landscape design See applicable documents http://scn.sap.com/docs/DOC-8140
Security See applicable documents http://scn.sap.com/community/security
12
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Authorizations
4 Authorizations
Use
SAP Apparel and Footwear uses the authorization concept provided by the SAP NetWeaver AS ABAP or AS Java.
Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS
Security Guide ABAP and SAP NetWeaver AS Security Guide Java also apply to SAP Apparel and Footwear.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role
maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’s
user administration console on the AS Java.
Note
For more information about how to create roles, see Role Administration [SAP Library].
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by the SAP Apparel and Footwear.
Standard Authorization Objects
Authorization Object Description Fields
J_3A_ARMTT ARun Optimizer
J_3AMTMOD
J_3AMTFCO
J_3AMTTYP
J_3A_ARUN Allocation run
J_3AARMD
J_3AARFCO
J_3AARTYP
J_3A_BEWER Material valuation WERKS
J_3A_CSAST Customer Sales Area stock
consumption ACTVT
J_3A_CSA_S Customer Sales Area Super User ACTVT
J_3A_LIKAP Vendor capacity AKTTYP
EKORG
J_3A_MAPP Mapping profiles J_3AMAPTYP
ACTVT
J_3A_MATRI Material grid ACTVT
J_3ASGTP
J_3A_PPBD Planned requirements WERKS
SAP Apparel and Footwear (AFS)
Authorizations
Customer
© 2016 SAP SE. All rights reserved. 13
Authorization Object Description Fields
ACTVT
J_3A_PRES Presizing WERKS
J_3A_QUOT Quota maintenance ACTVT
J_3A_SOALL Source allocation
WERKS
EKORG
J_4KCATW Whole category field
WERKS
ACTVT
14
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Session Security Protection
5 Session Security Protection
To increase security and prevent access to the SAP logon ticket and security session cookie(s), we recommend
activating secure session management.
We also highly recommend using SSL to protect the network communications where these security-relevant
cookies are transferred.
Session Security Protection on the AS ABAP
To activate session security on the AS ABAP, set the corresponding profile parameters and activate the session
security for the client(s) using the transaction SICF_SESSIONS.
For more information, a list of the relevant profile parameters, and detailed instructions, see Activating HTTP
Security Session Management on AS ABAP [SAP Library] in the AS ABAP security documentation.
SAP Apparel and Footwear (AFS)
Network and Communication Security
Customer
© 2016 SAP SE. All rights reserved. 15
6 Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the
communication necessary for your business needs without allowing unauthorized access. A well-defined network
topology can eliminate many security threats based on software flaws (at both the operating system level and
application level) or network attacks such as eavesdropping. If users cannot log on to your application or database
servers at the operating system or database layer, then there is no way for intruders to compromise the machines
and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the
server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on
the server machines.
The network topology for the SAP Apparel and Footwear is based on the topology used by the SAP NetWeaver
platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security
Guide also apply to the SAP Apparel and Footwear. Details that specifically apply to the SAP Apparel and Footwear
are described in the following topics:
• Communication Channel Security
This topic describes the communication paths and protocols used by the SAP Apparel and Footwear.
• Network Security
This topic describes the recommended network topology for the SAP Apparel and Footwear. It shows the
appropriate network segments for the various client and server components and where to use firewalls for
access protection. It also includes a list of the ports needed to operate the SAP Apparel and Footwear.
• Communication Destinations
This topic describes the information needed for the various communication paths, for example, which users
are used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide:
• Network and Communication Security
• Security Guides for Connectivity and Interoperability Technologies
16
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Network and Communication Security
6.1 Communication Channel Security
Use
The table below shows the communication channels used by the SAP Apparel and Footwear, the protocol used for
the connection, and the type of data transferred.
Communication Path Protocol Used Type of Data
Transferred
Data Requiring Special
Protection
Front-end client using
SAP GUI for Windows to
application server
DIAG All application data For example, master
data, business data
Frontend client using a
Web browser to
application server
HTTP (S) All application data
For example,
passwords, business
data, master data
Application server to
application server RFC, HTTP(S), SOAP Integration data
For example, business
data, field data
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections
are protected using the Secure Sockets Layer (SSL) protocol. SOAP connections are protected with Web services
security.
Recommendation
We strongly recommend using secure protocols (SSL, SNC) whenever possible.
For more information, see Transport Layer Security and Web Services Security in the SAP NetWeaver Security
Guide.
SAP Apparel and Footwear (AFS)
Network and Communication Security
Customer
© 2016 SAP SE. All rights reserved. 17
6.2 Network Security
Use
Ports
The SAP Apparel and Footwear runs on SAP NetWeaver and uses the ports from the AS ABAP or AS Java. For
more information, see the topics for AS ABAP Ports and AS Java Ports in the corresponding SAP NetWeaver
Security Guides. For other components, for example, SAPinst, SAProuter, or the SAP Web Dispatcher, see also
the document TCP/IP Ports Used by SAP Applications, which is located on SAP Developer Network at
http://scn.sap.com/community/security under Infrastructure Security → Network and Communications
Security.
18
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Network and Communication Security
6.3 Communication Destinations
Use
The table below shows an overview of the communication destinations used by the SAP Apparel and Footwear.
Users and authorizations can be a security risk if used irresponsibly. For this reason, you must note the following
security measures when communicating between SAP ERP systems:
• Use the System and Communication user categories.
• Do not give a user more authorizations than necessary.
• Choose a secure password and do not inform anyone else of your password.
• Only save user-specific logon data for users from the System and Communication category.
• As far as possible, use trusted system functions, rather than user-specific logon data when saving data.
SAP Apparel and Footwear uses standard interfaces to SAP Customer Relationship Management (SAP CRM),
SAP Supply Chain Management (SAP SCM), SAP Global Trade Services (SAP GTS), SAP Business Intelligence
(SAP BI), Internet Sales and SAP Retail systems.
Quick Links to Additional Information
Destination Delivered
SAP Customer Relationship
Management (SAP CRM)
service.sap.com/securityguide → SAP Security Guides → SAP
Business Suite Applications -> SAP CRM -> SAP Security Guide
for SAP CRM
SAP Supply Chain
Management (SAP SCM)
service.sap.com/securityguide → SAP Security Guides → SAP
Business Suite Applications -> SAP SCM -> SAP Security Guide
for SAP SCM
SAP Global Trade Services
(SAP GTS)
service.sap.com/securityguide → SAP ERP 2005 Security
Guides → Update SAP ERP 2005 Security Guides EHP4 →
SECGUIDE_ECC_604_EN_20102008.pdf (refer to the section on
Global Trade)
SAP Business Intelligence
(SAP BI)
service.sap.com/securityguide → SAP Business Information
Warehouse Security Guides → SAP Business Information
Warehouse Sec.Guide
Internet Sales service.sap.com/securityguide → SAP CRM Security Guides →
Security Guide for SAP CRM 7.0 EHP1 (Refer to section on
Component-Specific Guidelines: Web Channel Enablement)
SAP Apparel and Footwear (AFS)
Network and Communication Security
Customer
© 2016 SAP SE. All rights reserved. 19
Destination Delivered
SAP Retail service.sap.com/securityguide → SAP ERP 2005 Security
Guides → Update SAP ERP 2005 Security Guides EHP4 →
SECGUIDE_ECC_604_EN_20102008.pdf (refer to the section on
Retail)
20
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Internet Communication Framework Security
7 Internet Communication Framework Security
You should only activate those services that are needed for the applications running in your system. Use the
transaction SICF to activate these services.
If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings
accordingly.
For more information, see Activating and Deactivating ICF Services in the SAP NetWeaver Library documentation.
For more information about ICF security, see the RFC/ICF Security Guide.
SAP Apparel and Footwear (AFS)
Data Storage Security
Customer
© 2016 SAP SE. All rights reserved. 21
8 Data Storage Security
Use
The data storage security of SAP NetWeaver and components installed on this base is described in detail in the
SAP NetWeaver Security Guide.
For information about the data storage security of SAP NetWeaver, see SAP Service Marketplace at
service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the Operating System
and Database Platforms.
22
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Data Protection
9 Data Protection
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance
with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different
countries. This section describes the specific features and functions that SAP provides to support compliance
with the relevant legal requirements and data privacy.
This section and any other sections in this Security Guide do not give any advice on whether these features and
functions are the best method to support company, industry, regional or country-specific requirements.
Furthermore, this guide does not give any advice or recommendations with regard to additional features that
would be required in a particular environment; decisions related to data protection must be made on a case-by-
case basis and under consideration of the given system landscape and the applicable legal requirements.
Note
In the majority of cases, compliance with data privacy laws is not a product feature.
SAP software supports data privacy by providing security features and specific data-protection-relevant
functions such as functions for the simplified blocking and deletion of personal data.
SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not
taken from any given legal source.
Glossary
Term Definition
Personal data Information about an identified or identifiable natural person.
Business purpose A legal, contractual, or in other form justified reason for the processing of
personal data. The assumption is that any purpose has an end that is usually
already defined when the purpose starts.
Blocking A method of restricting access to data for which the primary business purpose
has ended.
Deletion Deletion of personal data so that the data is no longer usable.
Retention period The time period during which data must be available.
End of purpose (EoP) A method of identifying the point in time for a data set when the processing of
personal data is no longer required for the primary business purpose. After the
EoP has been reached, the data is blocked and can only be accessed by users
with special authorization.
Some basic requirements that support data protection are often referred to as technical and organizational
measures (TOM). The following topics are related to data protection and require appropriate TOMs:
• Access control: SAP Apparel and Footwear uses the user management and authentication mechanisms
provided with the SAP NetWeaver platform. Therefore, the security recommendations and guidelines for user
administration and authentication as described in the SAP NetWeaver Application Server ABAP Security
Guide [SAP Library] also apply to SAP Apparel and Footwear.
SAP Apparel and Footwear (AFS)
Data Protection
Customer
© 2016 SAP SE. All rights reserved. 23
• Authorizations: Authorization concept as described in section Authorizations.
• Transmission control / Communication security: as described in section Network and Communication
Security.
• Availability control as described in:
o Section Data Storage Security
o SAP NetWeaver Database Administration [SAP Library] documentation
o SAP Business Continuity documentation in the SAP NetWeaver Application Help under Function-Oriented
View → Solution Life Cycle Management → SAP Business Continuity
• Separation by purpose: Is subject to the organizational model implemented and must be applied as part of
the authorization concept.
Caution
The extent to which data protection is ensured depends on secure system operation. Network security,
security note implementation, adequate logging of system changes, and appropriate usage of the system
are the basic technical requirements for compliance with data privacy legislation and other legislation.
Configuration of Data Protection Functions
Certain central functions that support data protection compliance are grouped in Customizing for Cross-
Application Components under Data Protection.
Additional industry-specific, scenario-specific or application-specific configuration might be required.
For information about the application-specific configuration, see the application-specific Customizing in SPRO.
9.1 Deletion of Personal Data
Use
SAP Apparel and Footwear might process data (personal data) that is subject to the data protection laws
applicable in specific countries as described in SAP Note 1825544.
The SAP Information Lifecycle Management (ILM) component supports the entire software lifecycle including the
storage, retention, blocking, and deletion of data. SAP Apparel and Footwear uses SAP ILM to support the deletion
of personal data as described in the following sections.
SAP delivers an end of purpose check for SAP Apparel and Footwear. For more information, see Business Partner
End of Purpose Check in SAP Apparel and Footwear.
For information about the Customizing of blocking and deletion for SAP Apparel and Footwear, see Configuration:
Simplified Blocking and Deletion.
End of Purpose Check (EoP)
An end of purpose check determines whether data is still relevant for business activities based on the retention
period defined for the data. The retention period of data consists of the following phases.
• Phase one: The relevant data is actively used.
• Phase two: The relevant data is actively available in the system.
24
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Data Protection
• Phase three: The relevant data needs to be retained for other reasons.
For example, processing of data is no longer required for the primary business purpose, but to comply with
legal rules for retention, the data must still be available. In phase three, the relevant data is blocked.
Blocking of data prevents the business users of SAP applications from displaying and using data that may
include personal data and is no longer relevant for business activities.
Blocking of data can impact system behavior in the following ways:
• Display: The system does not display blocked data.
• Change: It is not possible to change a business object that contains blocked data.
• Create: It is not possible to create a business object that contains blocked data.
• Copy/Follow-Up: It is not possible to copy a business object or perform follow-up activities for a business
object that contains blocked data.
• Search: It is not possible to search for blocked data or to search for a business object using blocked data in
the search criteria.
It is possible to display blocked data if a user has special authorization; however, it is still not possible to create,
change, copy, or perform follow-up activities on blocked data.
For information about the configuration settings required to enable this three-phase based end of purpose check,
see Process Flow and Configuration: Simplified Blocking and Deletion.
Integration with Other Solutions
In the majority of cases, different installed applications run interdependently as shown in following graphic.
© 2014 SAP AG or an SAP affiliate company. All rights reserved. 1Confidential
Integrated Systems using Central Master Data
cBP
BP
CRM
BP
IS
BP
ERPKUNNR
LIFNR
c Address
Management
SD transactional data
CRM transactional data
FI transactional data
HCM transactional data
BP
… …
Master Data
Mandatory
Foundation
Transactional Data:
Orders, Documents
SAP Apparel and Footwear (AFS)
Data Protection
Customer
© 2016 SAP SE. All rights reserved. 25
An example of an application that uses central master data is an SAP for Healthcare (IS-H) application that uses
the purchase order data stored in Financial Accounting (FI) or Controlling (CO).
Relevant Application Objects and Available Deletion Functionality
Application Area Application Objects Provided Deletion Functionality
Vendor Capacity Planning J_3ASUCAH
J_3ASUCAL
Destruction object: J_3ASUCAH
ILM object: J_3ASUCAH
Allocation run (ARUN) logs
/AFS/ARUN/PRO Schedule a regular job for deletion report
/AFS/MRP_DES.
Material requirements planning
(MRP) logs
J_3ADBBA Schedule a regular job for deletion report
/AFS/ARUN_DES.
Relevant Application Objects and Available EoP functionality
Application Implemented Solution (EoP or
WUC)
Further Information
SAP Apparel and Footwear
EoP check See section Business Partner
End of Purpose Check in SAP
Apparel and Footwear.
Process Flow
1. Before archiving data, you must define residence time and retention periods in SAP Information Lifecycle
Management (ILM) by doing the following:
o Run transaction IRMPOL and maintain the required residence and retention policies for the customer
master and vendor master in SAP ERP (ILM objects: FI_ACCPAYB, FI_ACCRECV, FI_ACCKNVK).
o Run transaction IRMPOL and maintain the required ILM policies for the application objects provided by
the relevant SAP Apparel and Footwear applications.
o You choose whether data deletion is required for data stored in archive files or data stored in the
database, also depending on the type of deletion functionality available.
2. To determine which master data has reached its end of purpose and can be blocked, you do the following:
o Run transaction CVP_PRE_EOP to enable the end of purpose check function for the customer master and
vendor master in SAP ERP.
3. To unblock blocked customer and vendor master data, you do the following:
o Request unblocking of blocked data by using the transaction BUP_REQ_UNBLK.
o If you have authorization to unblock data, you can unblock the requested data by running the
transaction CVP_UNBLOCK_MD for customer master data and vendor master data in SAP ERP.
26
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Data Protection
4. You delete data by using the transaction ILM_DESTRUCTION for the ILM objects of SAP Apparel and
Footwear.
For information about how to configure blocking and deletion for SAP Apparel and Footwear, see Configuration:
Simplified Blocking and Deletion.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of customer and vendor master data in
Customizing for Cross-Application Components under Data Protection.
• Define the settings for authorization management in under Data Protection → Authorization Management. For
more information, see the Customizing documentation.
You configure the settings related to the blocking and deletion of customer and vendor master data in
Customizing for Logistics - General → Business Partner → Deletion of Customer and Vendor Master Data.
9.1.1.1 Destroying Vendor Capacity Planning Data Using J_3ASUCAH
You can use the data destruction object J_3ASUCAH for destroying vendor capacity planning data. The
destruction object destroys data from tables J_3ASUCAH and J_3ASUCAL.
Checks
The following application-specific checks are carried out on vendor capacity planning data before it can be
destroyed:
• The vendor capacity has been completely consumed and the document has reached the end of its validity.
Prerequisites
The following prerequisites need to be fulfilled before vendor capacity planning data can be destroyed:
• The ILM object has been assigned to an existing or new ILM audit area.
• An ILM policy and the required retention rules for the ILM object have been defined.
• One or more policies with policy status Live are available for the ILM object.
SAP Apparel and Footwear (AFS)
Data Protection
Customer
© 2016 SAP SE. All rights reserved. 27
ILM-Based Information for the Data Destruction Object
You create policies and rules for the related ILM object of this data destruction object.
The following fields for the ILM object are defined in the ILM policy and are visible when creating or processing the
ILM Policies:
• Available Time References
o END_OF_YEAR End of year
• Available Condition Fields
o EKORG (Purchasing Organization)
9.1.1.2 Business Partner End of Purpose (EoP) Check in SAP Apparel and Footwear
Use
SAP Apparel and Footwear provides an (EoP) check to determine whether customer and vendor master data is
still relevant for business activities in the application or can be blocked.
Application Name Application Description Business Partner Type
IS-AFS SAP Apparel and Footwear Customer, vendor
Prerequisites
You have activated the business function ERP_CVP_ILM_1 - ILM-Based Deletion of Customer and Vendor
Master Data.
Technical Details
The EoP check evaluates retention policies and data for the following ILM objects:
• J_3ASUCAH
28
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Data Protection
EoP Check Implementation
SAP Apparel and Footwear provides the following functionality for the EoP check of the customer and vendor:
• The application searches for the following data with relation to business partners:
o Vendor capacity planning data (J_3ASUCAH, J_3ASUCAL)
• The following table explains when end of business is reached:
Area End of Business Determination
Vendor capacity planning The vendor capacity has been completely consumed and the document
has reached the end of its validity.
• The application returns the following time reference that represents the end of business date to the EoP
check as Start of Retention Time (SoRT).
Area Start of Retention
Vendor capacity planning The start and end date of the evaluation period.
• The EoP check for AFS calculates the end of residence time (representing the EoP) based on residence
periods maintained for ILM object J_3ASUCAH that is active for audit area BUPA_DP for the application name
AFS and the existing rule variants.
• Note:
o After blocking a business partner, the application sets blocking indicators / deletes vendor capacity
planning data in the application.
o To take into account the purposes of business partners in customer enhancements, the following BAdIs
are available: /AFS/DTINF_J_3ASUCAH.
More Information
For more information, see help.sap.com/viewer/product/SAP_ERP/latest under SAP Library → SAP ERP Cross-
Application Functions → Cross-Application Components → ...
o SAP Information Lifecycle Management
o Data Protection
SAP Apparel and Footwear (AFS)
Data Protection
Customer
© 2016 SAP SE. All rights reserved. 29
9.2 Retrieving Personal Data Processed in SAP Apparel and Footwear
Data subjects have the right to get information regarding their personal data undergoing processing, including the
reason (purpose) for processing.
You can retrieve personal data processed in SAP Apparel and Footwear by using the SAP NetWeaver component
Information Retrieval Framework. For this, you must set up a data model that includes the relevant database
tables of SAP AFS.
To help you get started with your modeling process, SAP AFS delivers default implementation
/AFS/DTINF_J_3ASUCAH of BAdI: Tables Used by an ILM Object (BADI_DTINF_ILM_OBJ_TABLES).
More Information
For more information about the Information Retrieval Framework, go to
https://help.sap.com/viewer/product/SAP_NETWEAVER/ALL/en-US, choose your SAP NetWeaver release (IRF
is available as of NW 7.40) and select SAP NetWeaver Library: Function-Oriented View → Solution Lifecycle
Management → Information Retrieval Framework (IRF).
30
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Enterprise Services Security
10 Enterprise Services Security
The following sections in the SAP NetWeaver Security Guide and documentation are relevant for all enterprise
services delivered with SAP Apparel and Footwear :
• Web Services Security [SAP Library]
• Recommended WS Security Scenarios [SAP Library]
• SAP NetWeaver Process Integration Security Guide [SAP Library]
SAP Apparel and Footwear (AFS)
Security-Relevant Logging and Tracing
Customer
© 2016 SAP SE. All rights reserved. 31
11 Security-Relevant Logging and Tracing
Use
All trace and log files for SAP Apparel and Footwear use SAP NetWeaver standard mechanisms. For more
information, see the SAP NetWeaver Security Guide at service.sap.com/securityguide.
32
Customer
© 2016 SAP SE. All rights reserved.
SAP Apparel and Footwear (AFS)
Services for Security Lifecycle Management
12 Services for Security Lifecycle Management
The following services are available from Active Global Support to assist you in maintaining security in your SAP
systems on an ongoing basis.
Security Chapter in the EarlyWatch Alert (EWA) Report
This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you:
• Whether SAP Security Notes have been identified as missing on your system.
In this case, analyze and implement the identified SAP Notes if possible. If you cannot implement the SAP
Notes, the report should be able to help you decide on how to handle the individual cases.
• Whether an accumulation of critical basis authorizations has been identified.
In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not,
correct the situation. If you consider the situation okay, you should still check for any significant changes
compared to former EWA reports.
• Whether standard users with default passwords have been identified on your system.
In this case, change the corresponding passwords to non-default values.
Security Optimization Service (SOS)
The Security Optimization Service can be used for a more thorough security analysis of your system, including:
• Critical authorizations in detail
• Security-relevant configuration parameters
• Critical users
• Missing security patches
This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-site
service. We recommend you use it regularly (for example, once a year) and in particular after significant system
changes or in preparation for a system audit.
Security Configuration Validation
The Security Configuration Validation can be used to continuously monitor a system landscape for compliance
with predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers
configuration parameters, but it also covers critical security properties like the existence of a non-trivial Gateway
configuration or making sure standard users do not have default passwords.
SAP Apparel and Footwear (AFS)
Services for Security Lifecycle Management
Customer
© 2016 SAP SE. All rights reserved. 33
Security in the RunSAP Methodology / Secure Operations Standard
With the E2E Solution Operations Standard Security service, a best practice recommendation is available on how
to operate SAP systems and landscapes in a secure manner. It guides you through the most important security
operation areas and links to detailed security information from SAP’s knowledge base wherever appropriate.
More Information
For more information about these services, see:
• EarlyWatch Alert: http://service.sap.com/ewa
• Security Optimization Service / Security Notes Report: http://service.sap.com/sos
• Comprehensive list of Security Notes: http://service.sap.com/securitynotes
• Configuration Validation: http://service.sap.com/changecontrol
• RunSAP Roadmap, including the Security and the Secure Operations Standard:
http://service.sap.com/runsap (See the RunSAP chapters 2.6.3, 3.6.3 and 5.6.3)
www.sap.com/contactsap
© 2016 SAP SE. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software
vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered
trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System ads, System i5, System
p, System p5, System x, System z, System z10, System z9, z10, z9,
iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS,
S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise
Server, PowerVM, Power Architecture, POWER6+, POWER6,
POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2
Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,
Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are
trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and
other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either
trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
VideoFrame, and MultiWin are trademarks or registered trademarks
of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered
trademarks of W3C®, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc.,
used under license for technology invented and implemented by
Netscape.
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge,
ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world. All other product and
service names mentioned are the trademarks of their respective
companies. Data contained in this document serves informational
purposes only. National product specifications may vary.
These materials are subject to change without notice. These
materials are provided by SAP AG and its affiliated companies ("SAP
Group") for informational purposes only, without representation or
warranty of any kind, and SAP Group shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP
Group products and services are those that are set forth in the
express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting
an additional warranty.