SAP ERP Central Component Security Guide Release 6.0

Release 6.0

January 2006

Copyright

Copyright 2004 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Icons in Body Text

Icons with the following meanings appear in the body text:

  • Caution
  • Example
  • Note
  • Recommendation
  • Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Typographic Conventions

Type style and description:

  • Example text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.

  • Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

  • EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

  • Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

  • Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

  • <Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

  • EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Contents (page numbers refer to the original guide)

SAP ERP Central Component Security Guide ... 10
  Introduction ... 10
  Before You Start ... 11
  Technical System Landscape ... 12
  User Management and Authentication ... 13
    User Management ... 13
    User Data Synchronization ... 15
    Integration with Single Sign-On Environments ... 16
  Authorizations ... 16
  Network and Communication Security ... 17
    Communication Channel Security ... 18
    Network Security ... 19
    Communication Destinations ... 19
  Data Storage Security ... 19
  Security for Other Applications ... 20
  Trace and Log Files ... 20
  Cross-Application Components ... 21
    Cross-Application Time Sheet (CA-TS) ... 21
      Authorizations ... 21
      Communication Destinations ... 22
    Self-Services ... 23
      Before You Start ... 23
      User Management ... 24
      Authorizations ... 25
        Editing Roles and Authorizations for Web Dynpro Services ... 27
        Authorizations for Controlling Services (MSS, BUA) ... 28
        Authorizations for BW iViews (MSS) ... 28
      Communication Destinations ... 29
  Accounting ... 30
    Financial Accounting ... 30
      Authorizations in Financial Accounting ... 31
      General Ledger Accounting (FI-GL) ... 33
        Consolidation ... 34
      Accounts Payable Accounting (FI-AP) ... 35
      Accounts Receivable Accounting (FI-AR) ... 36
      Bank Accounting (FI-BL) ... 37
      Asset Accounting (FI-AA) ... 38
      Travel Management (FI-TV) ... 39
      Authorizations in the Special Purpose Ledger (FI-SL) ... 40
      Treasury ... 41
        Authorizations ... 42
    Accounting Engine ... 44
      Introduction ... 44
      Before You Start ... 45
      Technical System Landscape ... 46
      User Administration and Authentication ... 47
        User Management ... 47
        Integration into Single Sign-On Environments ... 47
      Authorizations ... 48
      Network and Communication Security ... 48
        Communication Channel Security ... 49
        Communication Destinations ... 49
      Data Storage Security ... 49
    Financial Supply Chain Management ... 50
    Management of Internal Controls: Security Guide ... 50
      Technical System Landscape ... 51
      User Management and Authorizations ... 51
        User Management ... 52
        Roles and Authorizations Concept ... 53
          Standard Roles and Authorization Objects ... 54
          Editing MIC-Specific Roles ... 55
            Tasks: Central Structure Setup ... 57
            Tasks: Structure Setup Specific to Organizational Units ... 59
            Tasks: Control Assessments and Tests ... 65
            Tasks: Management Control Assessment and Test ... 67
            Tasks: Reporting and Sign-Off ... 70
          Assigning Roles to Persons ... 71
        Integration with Single Sign-On Environments ... 72
      Communication Channel Security ... 73
      Data Storage Security ... 73
    Master Data Framework ... 74
      Introduction ... 74
      Before You Start ... 75
      Technical System Landscape ... 76
      User Administration and Authentication ... 77
        User Management ... 77
        Integration into Single Sign-On Environments ... 77
      Authorizations ... 78
      Network and Communication Security ... 78
        Communication Channel Security ... 79
    Controlling ... 79
      Authorizations in Controlling ... 81
      Authorizations in Profit Center Accounting ... 85
      Network and Communication Security ... 86
        Communication Destinations ... 86
    SAP Banking ... 87
      SAP Financial Customer Information Management (FS-BP) ... 87
        Authorizations ... 87
        Network and Communication Security ... 88
          Communication Destinations ... 88
        Data Storage Security ... 88
      Bank Customer Accounts (BCA) ... 89
        Authorizations ... 89
        Network and Communication Security ... 89
        Data Storage Security ... 90
        Important SAP Notes ... 90
      Loans Management (FS-CML) ... 91
        Authorizations ... 91
        Network and Communication Security ... 93
        Data Storage Security ... 93
      Collateral Management (CM) ... 94
        Authorizations ... 94
        Network and Communication Security ... 95
      Strategic Enterprise Management (SEM) for Banks ... 97
        Authorizations ... 97
        Network and Communication Security ... 98
          Communication Destinations ... 98
        Data Storage Security ... 99
      Reserve for Bad Debt (FS-RBD) ... 100
        Authorizations ... 100
        Network and Communication Security ... 105
          Communication Destinations ... 105
        Trace and Log Files ... 106
    Incentive and Commission Management (ICM) ... 106
    Statutory Reporting for Insurance (FS-SR) ... 107
      Authorizations ... 107
      Data Storage Security ... 107
    Real Estate Management ... 108
    Public Sector Management ... 109
      Authorizations ... 109
      Network and Communication Security ... 112
      Data Storage Security ... 112
      More Security Information ... 112
  Logistics ... 114
    Materials Management (MM) ... 114
      Purchasing and Service Industries (MM-PUR, MM-SRV) ... 114
        Authorizations ... 114
        Network and Communication Security ... 116
        Data Storage Security ... 118
      Inventory Management (MM-IM): Authorizations ... 119
      Logistics Invoice Verification (MM-IV): Authorizations ... 120
    Product Lifecycle Management (PLM) ... 121
      Authorizations ... 121
      Communication Destinations ... 131
      Important SAP Notes ... 131
    Manufacturing ... 133
      Authorizations ... 133
      Communication Destinations ... 137
    Logistics Execution (LE) ... 138
      Decentralized Warehouse Management (LE-IDW), Shipping (LE-SHP), Transportation (LE-TRA) ... 138
        Authorizations ... 138
        Network and Communication Security ... 141
      Warehouse Management System (LE-WMS) ... 142
        Authorizations ... 142
        Network and Communication Security ... 143
      Task and Resource Management (LE-TRM), Yard Management (LE-YM), Cross Docking (LE-WM-CDK), Additional Logistical Services ... 144
        Authorizations ... 144
        Network and Communication Security ... 145
    Retail ... 146
      Network and Communication Security ... 146
      Authorizations ... 148
    Global Trade ... 150
      Network and Communication Security ... 150
    Sales and Distribution (SD) ... 152
  Human Capital Management ... 154
    Personnel Management (PA) ... 154
      Before You Start ... 154
      User Management ... 155
      Authorizations ... 157
      Communication Channel Security ... 160
      Communication Destinations ... 160
      Data Storage Security ... 162
      Security for Additional Applications ... 164
      Other Security-Relevant Information ... 164
    Personnel Time Management (PT) ... 165
      User Management ... 165
      Authorizations ... 166
      Communication Destinations ... 167
    Payroll (PY) ... 168
      Before You Start ... 168
      User Management ... 168
      Authorizations ... 169
      Communication Channel Security ... 171
      Communication Destinations ... 171
      Data Storage Security ... 171
      Security for Additional Applications ... 172
      Other Security-Relevant Information ... 172
    SAP Learning Solution ... 173
      Technical System Landscape ... 173
        Persistence ... 174
        Learning Portal (LSOFE) ... 175
        Content Player (LSOCP) ... 176
        Offline Player (LSOOP) ... 177
        Authoring Environment (LSOAE) ... 178
        Environment for the Training Administrator ... 179
      User Management ... 180
      Authorizations ... 183
      Communication Channel Security ... 184
      Other Security-Relevant Information ... 188
    SAP E-Recruiting ... 190
      Before You Start ... 190
      Technical System Landscape ... 190
      User Management ... 192
      Authorizations ... 194
      Communication Channel Security ... 197
      Communication Destinations ... 197
      Data Storage Security ... 198
  Defense Forces & Public Security ... 199
    Before You Start ... 199
    Technical System Landscape ... 199
    User Administration and Authentication ... 199
      User Management ... 200
    Authorizations ... 201
    Network and Communication Security ... 202
    Data Storage Security ... 202
  Appendix ... 202

SAP ERP Central Component Security Guide

The following guide covers the information that you require to operate SAP ERP Central Component securely. To make the information more accessible, it has been divided into a general part, containing information relevant for all components, and a separate part for specific application areas and their components.

Introduction

This guide should not be regarded as a substitute for a daily operational manual as recommended by SAP.

Target Group

  • Technology consultants
  • System administrators

    The information contained in this document is not contained in the installation and configuration guides or the technical manuals and upgrade guides of the components cited below. Such guides are only relevant for a certain phase of the software life cycle, whereas security guides provide information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, greater emphasis is being placed on the need for security. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to SAP ERP Central Component. This document is designed to help you make SAP ERP Central Component secure.

    About this Document The security guides give you an overview of the information for secure operation of SAP ERP Central Component. SAP ERP Central Component covers the core components Accounting, Logistics, and Human Resources and other components used across these core components. This guide cross-references information in existing security guides where available, or other relevant documentation where security aspects are discussed.

    As SAP ERP Central Component is based on and uses SAP NetWeaver technology, it is essential you consult the SAP NetWeaver security guide: see SAP Help Portal at help.sap.com Documentation SAP NetWeaver Release/Language SAP NetWeaver Security SAP NetWeaver Security Guide. To view all of the security guides published by SAP, see SAP Service Marketplace at service.sap.com/securityguide. Overview of the Main Sections

    The security guide comprises the following main sections:

    Before You Start This section contains information about why security is necessary, how to use this document, and references to other security guides that are a basis for this security guide.


Technical System Landscape
This section is an overview of the technical components and communication paths used by SAP ERP Central Component.

User Management and Authentication
This section provides an overview of the following user management and authentication aspects:
- Recommended tools for user management
- Required user types for SAP ERP Central Component
- Standard users delivered with SAP ERP Central Component
- Overview of the user synchronization strategy, if several components or products are integrated
- Overview of integration options in single sign-on environments

Authorizations
This section provides an overview of the authorization concept that is applicable to SAP ERP Central Component.

Network and Communication Security
This section provides an overview of the communication paths used by SAP ERP Central Component and the security mechanisms to be used. It also includes our recommendations for the network topology to restrict access at the network level.

Data Storage Security
This section provides an overview of the critical data used by SAP ERP Central Component, and also the security mechanisms to be used.

Security for Third-Party or Additional Applications
This section provides security information that applies to third-party or additional applications that are used together with SAP ERP Central Component.

Trace and Log Files
This section provides an overview of the trace and log files that contain security-relevant information and that enable you to reproduce activities where, for example, there has been a breach of security.

Appendix
This section provides references to secondary sources of information.

Before You Start

Fundamental Security Guides
SAP ERP Central Component is based on SAP NetWeaver. This means that the security guide for SAP NetWeaver is also applicable to SAP ERP Central Component. Whenever other guides are relevant, an appropriate reference is included in the documentation for the individual components in this guide.

For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.

Important SAP Notes
SAP Note 783758 provides any updates for this guide and adds important information.


SAP Note 853497 contains information about saving temporary files when using Adobe Acrobat Reader in SAP applications.

SAP Note 138498 contains information on single sign-on solutions.

SAP Notes relating to security for the subcomponents of SAP ERP Central Component are referenced in the documentation for the individual components in this guide.

For further SAP Notes on security, see SAP Service Marketplace at service.sap.com/security → SAP Security Notes.

Additional Information
For more information about specific topics, see the sources in the table below.

Contents                                        SAP Service Marketplace
Security                                        service.sap.com/security
Security Guides, SAP NetWeaver Security Guide   service.sap.com/securityguide
SAP NetWeaver documentation                     help.sap.com → Documentation → SAP NetWeaver
SAP NetWeaver installation guide                service.sap.com → SAP Support Portal → Tools & Methods → Installation Guides → SAP NetWeaver
Related SAP Notes                               service.sap.com/notes
Platforms permitted                             service.sap.com/platforms
Network security                                service.sap.com/network
Technical infrastructure                        service.sap.com/ti
SAP Solution Manager                            service.sap.com/solutionmanager

Technical System Landscape

For information about the technical system landscape, see the sources listed in the table below.

More Information About the Technical System Landscape

Subject: Technical description of SAP ERP Central Component and the underlying technical components, such as SAP NetWeaver
Guide/Tool: Master guide
SAP Service Marketplace: service.sap.com/instguides → mySAP Business Suite Solutions → mySAP ERP

Subject: Technical configuration, high availability
Guide/Tool: Technical infrastructure guide
SAP Service Marketplace: service.sap.com/ti

Subject: Security
SAP Service Marketplace: service.sap.com/security


User Management and Authentication

SAP ERP Central Component uses the user management and authentication mechanisms of the SAP NetWeaver platform, and in particular, SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for user management and authentication that are described in the security guide for SAP NetWeaver Application Server for ABAP also apply to SAP ERP Central Component.

In addition to these guidelines, SAP also supplies information on user management and authentication that is especially applicable to the subcomponents of SAP ERP Central Component in the following sections:

User Management [page 13]
This section details the user management tools, the required user types, and the standard users supplied by SAP.

Synchronization of User Data [page 15]
The components of SAP ERP Central Component can use user data together with other components. This section describes how the user data is synchronized with these other sources.

Integration in Single Sign-On Environments [page 15]
This section describes how SAP ERP Central Component supports single sign-on mechanisms.

User Management

Use
SAP ERP Central Component user management uses the mechanisms provided by SAP NetWeaver Application Server for ABAP, such as tools, user types, and the password concept. For an overview of how these mechanisms apply to SAP ERP Central Component, see the sections below. In addition, we provide a list of the standard users required for operating the subcomponents of SAP ERP Central Component.

User Management Tools

The following table shows the user management tools for SAP ERP Central Component.

Tool: User maintenance for ABAP-based systems (transaction SU01)
Description: For more information about the authorization objects provided by the subcomponents of SAP ERP Central Component, see the relevant component in the section Authorizations.

Tool: Role maintenance with the profile generator for ABAP-based systems (transaction PFCG)
Description: For more information about the roles provided by the subcomponents of SAP ERP Central Component, see the relevant component in the section Authorizations.

Tool: Central User Administration (CUA) for the maintenance of multiple ABAP-based systems


Tool: User Management Engine (UME)
Description: Administration console for maintenance of users, roles, and authorizations in Java-based systems and in the Enterprise Portal. The UME also provides persistence options, such as the ABAP Engine.

For more information on the tools that SAP provides for user management with SAP NetWeaver, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → User Administration and Authentication.

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

User types required for SAP ERP Central Component include, for example:

Individual users:
- Dialog users: used for SAP GUI for Windows.
- Internet users for Web applications: the same policies apply as for dialog users, but they are used for Internet connections.

Technical users:
- Service users: dialog users who are available for a large set of anonymous users (for example, for anonymous system access via an ITS service).
- Communication users: used for dialog-free communication between systems.
- Background users: can be used for processing in the background.

For additional information on user types, see User Types in the SAP NetWeaver security guide.

Standard Users

The following table shows the standard users that are required to operate SAP ERP Central Component.

System: SAP Web AS
User ID: <sid>adm
Type: SAP system administrator (operating system user)
Password: Mandatory
Description: See the SAP NetWeaver installation guide.

System: SAP Web AS
User ID: SAPService<SID>
Type: SAP system service administrator (Windows operating system user)
Password: Mandatory
Description: See the SAP NetWeaver installation guide.

System: SAP Web AS
User ID: SAP standard ABAP users (SAP*, DDIC, EARLYWATCH, SAPCPIC)
Type: See SAP NetWeaver security guide
Password: See SAP NetWeaver security guide. These users are delivered with well-known default passwords, which must be changed in every client, including newly created clients.
Description: service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for ABAP Technology → User Authentication → Protecting Standard Users

System: SAP Web AS
User ID: SAP standard SAP Web AS Java users
Type: See SAP NetWeaver security guide
Password: See SAP NetWeaver security guide
Description: service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for Java Technology → Users and User Management → Standard Users and Groups. These users are used in applications that use Web Dynpro.

System: SAP ECC
User ID: SAP users
Type: Dialog users
Password: Mandatory
Description: The number of users depends on the area of operation and the business data to be processed.

For more information on standard users in SAP NetWeaver, see SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release xx/Language → Security → Identity Management → Users and Roles (BC-SEC-USR) → User Maintenance → Logon and Password Security in the SAP System → Password Rules. For information on user types, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → User Administration and Authentication → User Management and the section headed User Types.

The users specified are delivered with SAP ERP Central Component.

User Data Synchronization

Use
By synchronizing user data, you can reduce effort and expense in the user management of your system landscape. Since SAP ERP Central Component is based on SAP NetWeaver, you can use all of the mechanisms for user synchronization in SAP NetWeaver here. For more information, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → User Administration and Authentication → Integration of User Management in Your System Landscape.

You can use user data distributed across systems by replicating the data in a central directory, for example.


Integration with Single Sign-On Environments

Use
SAP ERP Central Component supports the single sign-on (SSO) mechanisms provided by SAP NetWeaver Application Server for ABAP. Therefore, the security recommendations and guidelines for user management and authentication that are described in the security guide for SAP NetWeaver Application Server also apply to SAP ERP Central Component.

The supported mechanisms are listed below.

Secure Network Communications (SNC)
SNC is available for user authentication and provides an SSO environment when using SAP GUI for Windows or Remote Function Calls. For more information, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for ABAP Technology → User Authentication → Authentication and Single Sign-On → Secure Network Communications (SNC).

SAP Logon Tickets
SAP ERP Central Component supports the use of logon tickets for SSO when using a Web browser as the front-end client. In this case, users are issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password again; the receiving system grants access once it has verified the logon ticket. For more information, see SAP Logon Tickets in the SAP NetWeaver Application Server security guide.

Client Certificates
As an alternative to user authentication using a user ID and password, users using a Web browser as a front-end client can also provide X.509 client certificates for authentication. In this case, the user is authenticated on the Web server using the Secure Sockets Layer (SSL) protocol. User authorizations are valid in accordance with the authorization concept in the SAP system. For more information, see Client Certificates in the SAP NetWeaver Application Server security guide.

Authorizations

Use
SAP ERP Central Component uses the authorization concept of SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for authorizations that are described in the Security Guide for SAP NetWeaver Application Server for ABAP also apply to SAP ERP Central Component. You can use authorizations to restrict the access of users to the system, and thereby protect transactions and programs from unauthorized access.

The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance in SAP NetWeaver Application Server for ABAP, use the profile generator (transaction PFCG), and in SAP NetWeaver Application Server for Java, the user management console of the User Management Engine (UME). You can define user-specific menus using roles.

Standard Roles and Standard Authorization Objects

SAP delivers standard roles covering the most frequent business transactions. You can use these roles as a template for your own roles.

For a list of the standard roles and authorization objects used by the subcomponents of SAP ERP Central Component, see the section of this document relevant to each component.

For information on roles and authorizations in Travel Management (FI-TV), see the section Accounting under Financial Accounting.

Before using the roles listed, check whether the standard roles delivered by SAP meet your requirements; copy them into your own namespace and adjust the copies rather than assigning the SAP-delivered roles unchanged. For more information about the authorization concept at SAP, see:
- SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for ABAP Technology → SAP Authorization Concept
- SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release/Language → Security → Identity Management → Users and Roles (BC-SEC-USR) → SAP Authorization Concept → Organizing Authorization Administration → Organization if You Are Using the Profile Generator → Role Maintenance

Authorizations for Customizing Settings
You can use customizing roles to control access to the configuration of ERP Central Component in the SAP Customizing Implementation Guide (IMG). For information on creating roles, see SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release/Language → Security → Identity Management → Users and Roles (BC-SEC-USR) → SAP Authorization Concept → Organizing Authorization Administration → Organization if You Are Using the Profile Generator or Organization without the Profile Generator.

Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, intruders lose a direct route to compromising those machines and reaching the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for SAP ERP Central Component is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver security guide also apply to SAP ERP Central Component. Details that relate directly to SAP ERP Central Component are described in the following sections:


Communication Channel Security [page 18]
This section contains a description of the communication paths and protocols that are used by subcomponents of SAP ERP Central Component.

Network Security [page 19]
This section contains information on the network topology recommended for the subcomponents of SAP ERP Central Component. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also contains a list of the ports required for operating the subcomponents of SAP ERP Central Component.

Communication Destinations [page 19]
This section describes the data needed for the various communication paths, for example, which users are used for which communications.

For more information, see the following sections in the SAP NetWeaver security guide:
- Network and Communication Security
- Security Aspects for Connectivity and Interoperability

Communication Channel Security

Use
Communication channels transfer a wide variety of different business data that needs to be protected from unauthorized access. SAP makes general recommendations and provides technology for the protection of your system landscape based on SAP NetWeaver.

The table below shows the communication paths used by SAP ERP Central Component, the protocol used for the connection, and the type of data transferred.

Communication Paths

Communication Path                              Protocol Used   Type of Data Transferred   Data Requiring Special Protection
Application server to application server        RFC, HTTP(S)    Integration data           Business data
Application server to third-party application  HTTP(S)         Application data           Passwords and business data, for example

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol, that is, HTTPS. Without SNC or SSL, the data on these paths, including logon passwords, crosses the network unencrypted.

For more information, see the SAP NetWeaver security guide: SAP Service Marketplace at service.sap.com/securityguide, in the section Transport Layer Security. For information on security aspects if you integrate SAP ERP Central Component with SAP Business Intelligence and SAP Supply Chain Management, see SAP Service Marketplace at service.sap.com/securityguide:
- SAP Supply Chain Management → Authorizations / Communication Channel Security / Communication Destinations
- SAP Business Information Warehouse Security Guides → Communication Security → Communication Destinations


Network Security

Since SAP ERP Central Component is based on SAP NetWeaver technology, for information about network security, see the following sections of the SAP NetWeaver security guide on the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Network and Communication Security:

Network Services
This section contains information about the services and ports used by SAP NetWeaver.

Using Firewall Systems for Access Control
This section contains information about firewall settings.

Using Multiple Network Zones
This section describes which parts of your application should be set up in which network segments.

If you provide services on the Internet, you should protect your network infrastructure with at least a firewall. You can further increase the security of your system or group of systems by placing the groups in different network segments, each of which you then protect from unauthorized access by a firewall. Bear in mind that unauthorized access is also possible from inside the network if a malicious user has managed to gain control of one of your systems, so do not rely on the perimeter firewall alone.

Communication Destinations

Use
Careless use of users and authorizations in communication destinations can pose security risks. You should therefore follow the security rules below when communicating between ERP systems:

- Employ the user types system and communication.
- Grant a user only the minimum authorizations.
- Choose a secure password and do not divulge it to anyone else.
- Only store user-specific logon data for users of type system and communication.
- Wherever possible, use trusted system functions instead of user-specific logon data.
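The rules above, together with the user-type rule from the User Types section (interactive dialog users are subject to password policies that unattended communication users are not), can be checked mechanically against an export of your RFC destinations and the users they log on with. The following Python script is an added example written for this guide, not SAP code. It takes constructed destination records (the field names are assumptions, not the columns of any SAP table; in practice you would export them from transaction SM59 for the destinations and SU01 for the stored user's type and profiles) and reports each destination that breaks a rule.

```python
"""Audit RFC destinations against the communication-destination rules.

Added example, not SAP code. The records below are constructed; in practice
you would export them from SM59 (destinations) and SU01 (user type and
profiles of the stored user). Field names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# User type codes as stored in USR02-USTYP on SAP NetWeaver AS ABAP.
USER_TYPES = {"A": "dialog", "B": "system", "C": "communication",
              "S": "service", "L": "reference"}
# Only these types may have logon data stored in a destination.
ALLOWED_STORED_TYPES = {"B", "C"}
# Profiles that grant far more than any interface user needs.
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}


@dataclass
class Destination:
    name: str
    target_user: str            # user ID stored in the destination, "" if none
    user_type: str              # USTYP of that user, "" if no user is stored
    password_stored: bool       # True if the destination saves a password
    trusted: bool               # True if a trusted/trusting RFC relationship is used
    profiles: List[str] = field(default_factory=list)


def audit(dest: Destination) -> List[str]:
    """Return one finding per violated rule for a single destination."""
    findings: List[str] = []

    # Rule: only store logon data for system (B) or communication (C) users.
    if dest.password_stored and dest.user_type not in ALLOWED_STORED_TYPES:
        kind = USER_TYPES.get(dest.user_type, "unknown")
        findings.append(
            f"{dest.name}: stored logon data for {kind} user "
            f"'{dest.target_user}'; only system or communication users may be stored")

    # Rule: employ the user types system and communication. A dialog user's
    # password is subject to interactive password policies (expiry, change on
    # logon), which breaks unattended communication and invites shared passwords.
    if dest.target_user and dest.user_type == "A":
        findings.append(
            f"{dest.name}: dialog user '{dest.target_user}' used for "
            f"system-to-system communication")

    # Rule: grant only the minimum authorizations.
    broad = BROAD_PROFILES & set(dest.profiles)
    if broad:
        findings.append(
            f"{dest.name}: user '{dest.target_user}' holds {', '.join(sorted(broad))}; "
            f"restrict to the authorizations the interface needs")

    # Rule: prefer trusted system functions over stored logon data.
    if dest.password_stored and not dest.trusted:
        findings.append(
            f"{dest.name}: stored password; consider a trusted system relationship instead")

    return findings


def audit_all(dests: List[Destination]) -> Dict[str, List[str]]:
    """Map each destination name to its findings (empty list = clean)."""
    return {d.name: audit(d) for d in dests}


# Constructed sample records (not from a real system).
SAMPLE_DESTINATIONS = [
    Destination("ECC_TO_BW", "ALEREMOTE", "B", True, False, ["Z_ALE_RECEIVE"]),
    Destination("ECC_TO_SCM", "JSMITH", "A", True, False, ["SAP_ALL"]),
    Destination("ECC_TO_HR", "", "", False, True, []),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_DESTINATIONS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for line in findings:
            print("  -", line)
```

Run as a script it prints one status line per destination: the trusted-RFC destination is clean, the system-user destination with a stored password gets only the advisory to move to a trusted relationship, and the destination that logs on as a dialog user holding SAP_ALL trips every rule. The "choose a secure password" rule cannot be checked from an export and is deliberately not modelled.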

    For more information, see the application-specific part of this guide.

Data Storage Security

Use
For information on data storage security, see the SAP NetWeaver security guide at service.sap.com/securityguide in the section Operating System and Database Platform Security Guides.


Security for Other Applications
See the corresponding sections in the application-specific part of this guide.

Trace and Log Files

Use
The trace and log files of SAP ERP Central Component use the standard mechanisms of SAP NetWeaver. For more information, see the SAP NetWeaver Security Guide at service.sap.com/securityguide. If there is no information about trace and log files in the sections for the individual components of SAP ERP Central Component, you can assume that no sensitive data is written to these files.


Cross-Application Components

Cross-Application Time Sheet (CA-TS)

Authorizations
The Cross-Application Time Sheet uses the authorization concept provided by the SAP Web Application Server. The security recommendations and guidelines for authorizations as set out in the SAP Web AS ABAP security guide therefore also apply to the Cross-Application Time Sheet.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles on the SAP Web AS ABAP, use the profile generator (transaction PFCG).

Standard Roles
The following table shows examples of standard roles that are used by the Cross-Application Time Sheet.

Role                              Description
SAP_EMPLOYEE                      Employee Self-Service
SAP_HR_PT_TIME-ADMINISTRATOR      Time Administrator
SAP_ISR_RETAIL_STORE              SAP Retail Store User
SAP_PS_CONFIRM                    Confirmations
SAP_HR_PT_TIME-SUPERVISOR         Time Supervisor
SAP_ISR_STORE_PERSONNEL           Store Personnel Manager
SAP_HR_PT_TIME-MGMT-SPECIALIST    Time Management Specialist

Standard Authorization Objects
In the Cross-Application Time Sheet environment, you require only the general authorizations for the relevant target applications. When assigning authorizations, base them on the authorizations for the CAT* transactions.

See also:
Note the special points listed in the following section of the SAP Library: Cross-Application Components → Cross-Application Time Sheet → Assigning Authorizations.


Communication Destinations

Use
Communication destinations are available for the Cross-Application Time Sheet component to post recorded data to the target applications.

Communication with Personnel Time Management
To post recorded time data to Personnel Time Management, you use BAPIs that enter the data in the interface tables PTEXDIR, PTEX2000, and PTEX2010. Data is communicated using BAPIs via IDocs:
- If you run your Human Resources system in the same system as the Cross-Application Time Sheet, the data is posted synchronously.
- If you run your Human Resources system in a different system from the Cross-Application Time Sheet, the data is posted asynchronously.

The BAPIs enable you to create, change, or delete Personnel Time Management data. These BAPIs do not enable you to read or change any Cross-Application Time Sheet data within Personnel Time Management.

Technical Users
You require the following technical users for the communication:
- To fill the interface tables, you require a user with authorizations for ALE communication with an SAP system and the relevant table authorizations. These technical users do not require authorizations specific to the SAP HR solution.
- For the subsequent background processing job that transfers data from the interface tables to the infotype databases, you require a technical user with the same authorizations that are required for transaction CAT6 (Transfer Time Data to Time Management).

To enter time sheet data, you can read information about the time data from Personnel Time Management. You do not require any special users for this. You should base your employees' authorizations on the authorizations for transaction CAT2.

Posting Data to Other Target Applications
There are no special communication destinations for posting data to the other target applications.

See also:
For more information, see the SAP Library:
- For information about transferring time sheet data to the target applications, see Cross-Application Components → Cross-Application Time Sheet → Transfer of Time Sheet Data to the Target Components.
- For information about the Time Management ALE scenarios and working with distributed systems, see Scenarios in Applications → ALE / EDI Business Processes.


Self-Services

Before You Start
This section of the Security Guide provides you with information about the following self-service components:
- Employee Self-Service (ESS)
- Manager Self-Service (MSS)
- Business Unit Analyst (BUA)
- Project Self-Services (PSS)
- E-Recruiting (ECR)
- HR Administrative Services (ASR)
- Higher Education and Research (IS-HER-CSS)
- General Parts (PCUI_GP)

If not stated otherwise, the security settings for user management and authorizations apply to all components.

If there is no special information for particular topics in that section, the settings outlined in the general SAP ERP Central Component Security Guide [page 1] also apply to the self-service components.

For information about the system landscape and secure running of the SAP ERP Central Component, see the mySAP ERP Master Guide at service.sap.com/instguides → mySAP Business Suite Solutions → mySAP ERP.

Fundamental Security Guides

Scenario, Application or Component       Security Guide / Important Sections
SAP NetWeaver Application Server ABAP    SAP Authorization Concept
SAP NetWeaver Application Server Java    User Administration and Authentication; Authorizations
SAP ECC Industry Extension HE&R          SAP ECC Industry Extension HE&R: Security Guide

For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.


Important SAP Notes
The following table presents the most important SAP Notes regarding security for the Self-Service applications:

SAP Note 857431: ESS: Authorizations and Roles for WD Services in ERP 2005
This note contains the authorization objects, the default values defined for these objects, and the roles for Employee Self-Service (component EP-PCT-ESS).

SAP Note 844639: MSS: Authorizations and Roles for ERP 2005
This note contains the authorization objects and the default values defined for the Human Resources applications in Manager Self-Service (component EP-PCT-MGR-HR).

SAP Note 846439: PSS: Authorizations and Roles for Web Dynpro
This note contains the authorization objects and the default values defined for the Web Dynpro applications for Project Self-Services (component EP-PCT-PLM-PSS).

User Management

Use
User management for Self-Service applications uses the mechanisms (for example, tools, user types, and password concept) provided by SAP Web Application Server. For an overview of how these mechanisms apply to Self-Service applications, see the sections below. In addition, there is a list of the standard users that are necessary for operating the self-services.

User Management Tools
The following table presents the tools used for managing users in Self-Service applications:

Tool: User and Role Maintenance (transaction PFCG)
Detailed Description: You can use the Role Maintenance (PFCG) transaction to generate profiles for your self-service users. For more information, see the Users and Roles section in the SAP Library for SAP NetWeaver (see also help.sap.com → Documentation → SAP NetWeaver).


    User Types For more information about user types [Extern] , see the SAP NetWeaver Application Server Security Guide ABAP.

    SAP recommends you set up the connection between the portal and the connected systems (ECC system, J2EE Engine, BI system) so that each individual user has access.

    Standard Users Different standard users exist for the individual Self-Service components.

    Components Standard Users Employee Self-Service Manager Self-Service Project Self-Service Business Unit Analyst

    No standard users exist in the standard SAP system for these components.

    E-Recruiting HR Administrative Services

    For information about the standard users for these components, see the Human Capital Management section of the ERP Central Component security guide.

    Higher Education and Research For information about the standard users for this component, see the security guide for this component.

    Authorizations

    Use

    The Self-Service applications use the authorization concept of SAP NetWeaver Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Security Guide for ABAP and SAP NetWeaver Security Guide for Java also apply to the Self-Service applications.

    The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles, use the Profile Generator (transaction PFCG). For more information, see Editing Roles and Authorizations for Web Dynpro Services [Seite 27].

    The Self-Service applications for Human Resources also use the authorizations of the individual components. For more information, see the Human Capital Management section of the ERP Central Component Security Guide.


    Standard Roles

    Employee Self-Service

    The following table presents the standard roles used in Employee Self-Service applications:

    Standard Roles for Employee Self-Service (ESS):

    Role Description

    SAP_ESSUSER_ERP05 Single role that comprises all non country-specific functions.

    SAP_EMPLOYEE_ERP05_xx Single role comprising country-specific functions. A separate role exists for each country version (xx = country ID). The corresponding composite role is SAP_EMPLOYEE_ERP05.

    In each case, the profile has been copied from the predefined composite role. The data required for ERP and the relevant NetWeaver authorizations have been added to this role.

    The composite role is assigned to the individual employee.

    Manager Self-Service, Business Unit Analyst, and Project Self-Services

    There are no standard roles for these components.

    E-Recruiting and HR Administrative Services

    For information about the standard roles for these components, see the Human Capital Management section of the ERP Central Component Security Guide.

    Higher Education and Research

    For information about the standard roles for this component, see the Security Guide for this component.

    Standard Authorization Objects

    The following table presents the general authorization objects relevant for security that are used by the Self-Service applications.

    Standard Authorization Objects for Self-Service Applications:

    Authorization Object  Field  Value  Description

    S_RFC  RFC_NAME  Depends on service  Saves data from RFC access to Web Dynpro frontend to the backend system.

    S_SERVICE  SRV_NAME  *  Additional object for Web Dynpro applications. Check that is run when external services are started. This authorization object is needed when an employee, project lead or manager wants to start self-service applications.


    When you enter the value * for the authorization object S_SERVICE, you provide users with the authorization to start all applications. However, you can also assign authorizations for individual applications. In this case, use the syntax S_SERVICE-SRV_NAME = //, for example, sap.com/pcui_gp~xssexamples/AttendanceExample.
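The following Python script is an added example, not code from this guide or from SAP. It models how the check on authorization object S_SERVICE, field SRV_NAME, is evaluated against the values granted by a user's roles, and it audits a set of roles for the full wildcard * discussed above, which lets a user start every external service. The value-matching rules are the usual SAP ones and are an assumption here (a value of * alone matches everything, a trailing * is a prefix wildcard, + stands for exactly one character). The role names, the sap.com/ess~* pattern and the F_BKPF_BUK values are constructed for the example; sap.com/pcui_gp~xssexamples/AttendanceExample is the service name quoted in the text.

```python
"""Model of the S_SERVICE / SRV_NAME authorization check and a role audit.

Added example, not SAP code. Value matching follows the usual SAP rules,
which are an assumption here: '*' alone grants every value, a trailing '*'
is a prefix wildcard, and '+' matches exactly one character.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Role:
    """A PFCG role reduced to its authorization values.

    authorizations maps object name -> field name -> granted value patterns,
    e.g. {"S_SERVICE": {"SRV_NAME": ["sap.com/ess~*"]}}.
    """
    name: str
    authorizations: Dict[str, Dict[str, List[str]]] = field(default_factory=dict)


def value_matches(pattern: str, value: str) -> bool:
    """Match one authorization value against a granted pattern (assumed SAP rules)."""
    if pattern == "*":
        return True
    for i, p in enumerate(pattern):
        if p == "*":
            # generic wildcard: everything after this position is covered
            return True
        if i >= len(value):
            return False
        if p != "+" and p != value[i]:
            return False
    # no wildcard: pattern and value must have the same length
    return len(pattern) == len(value)


def user_may_start(roles: List[Role], service: str) -> bool:
    """Simulate the check that runs when an external service is started.

    The user passes if any assigned role holds a matching S_SERVICE/SRV_NAME value.
    """
    for role in roles:
        patterns = role.authorizations.get("S_SERVICE", {}).get("SRV_NAME", [])
        if any(value_matches(p, service) for p in patterns):
            return True
    return False


def audit_full_wildcard(roles: List[Role], obj: str = "S_SERVICE",
                        fld: str = "SRV_NAME") -> List[str]:
    """Return names of roles that grant the full wildcard '*' for obj/fld.

    Such roles let their holders start every external service; the guide
    recommends assigning individual application names instead.
    """
    return [r.name for r in roles
            if "*" in r.authorizations.get(obj, {}).get(fld, [])]


# Constructed sample roles (names and values invented for this example; the
# AttendanceExample service name is the one quoted in the guide).
SAMPLE_ROLES = [
    Role("Z_ESS_ALL", {"S_SERVICE": {"SRV_NAME": ["*"]}}),
    Role("Z_ESS_ATTENDANCE",
         {"S_SERVICE": {"SRV_NAME": ["sap.com/pcui_gp~xssexamples/AttendanceExample"]}}),
    Role("Z_ESS_PREFIX", {"S_SERVICE": {"SRV_NAME": ["sap.com/ess~*"]}}),
    Role("Z_FI_DISPLAY", {"F_BKPF_BUK": {"ACTVT": ["03"], "BUKRS": ["1000"]}}),
]


if __name__ == "__main__":
    target = "sap.com/pcui_gp~xssexamples/AttendanceExample"
    for role in SAMPLE_ROLES:
        print(f"{role.name}: may start {target}? {user_may_start([role], target)}")
    print("roles granting S_SERVICE SRV_NAME = *:", audit_full_wildcard(SAMPLE_ROLES))
```

Run against a real role export, the audit function is the check a basis administrator would want after following the procedure below: any role returned by it grants more than the individual application names the guide recommends.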

    E-Recruiting and HR Administrative Services

    For information about the standard authorization objects for these components, see the Human Capital Management section of the ERP Central Component Security Guide.

    Higher Education and Research

    For information about the standard authorization objects for this component, see the Security Guide for this component.

    Internal Service Request and Personnel Change Requests

    For information about standard authorization objects for the Internal Service Request (ISR) and Personnel Change Requests, see SAP Note 623650.

    Editing Roles and Authorizations for Web Dynpro Services

    Use

    Use this procedure to edit roles and the related Web Dynpro services and authorizations.

    Procedure

    1. Create a role in transaction PFCG or select the standard role that exists for the component. Choose Create Role or copy the existing standard role.

    2. Assign the required services to the role.

    a. Choose the Menu tab page and then Default Authorization.

    The Service dialog box appears.

    b. Set the External Service indicator.

    c. Select WEBDYNPRO as the type of external service.

    d. In the Service field, select the Web Dynpro service you require.

    e. Choose Save.

    The authorization objects and default values maintained for the service are displayed in the menu tree.

    In the same way, select all Web Dynpro services you want to use.

    3. Assign the required authorizations.

    Choose the Authorizations tab page to maintain the authorization objects and values according to your requirements.

    For more information about how to maintain roles, see Role Maintenance [Extern] in the Users and Roles section in SAP Library for SAP NetWeaver (see help.sap.com → Documentation → SAP NetWeaver).


    Authorizations for Controlling Services (MSS, BUA)

    The following table presents the standard authorization objects that are used by the controlling services in Manager Self-Service (MSS) and Business Unit Analyst (BUA).

    Standard Authorization Objects for Controlling Services:

    Authorization Object  Description

    K_CCA  General authorization object for Cost Center Accounting. Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.

    K_ORDER  General authorization object for internal orders. Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.

    K_PCA  Area responsible, Profit Center. Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.

    K_CSKS_PLA  Cost element planning. Is checked in the relevant Express Planning services.

    K_FPB_EXP  Authorization object for Express Planning. This authorization object checks the Express Planning Framework call and the planning round call. The actual plan data is protected by the authorization objects for the individual Express Planning services.

    For more information about the fields for the authorization objects K_CCA, K_ORDER, and K_PCA, see SAP Note 15211.

    Authorizations for BW iViews (MSS)

    In the case of BW iViews for Manager Self-Service, users need the standard BW authorizations for executing queries. For more information, see SAP Library for SAP NetWeaver, under Authorization Check When Executing a Query [Extern] (in the Data Warehouse Management section of the documentation for SAP NetWeaver Business Intelligence).

    In Human Capital Management, BW queries use a BW variable for personalization. Data is read from the ODS object for personalization 0Pers_VAR. If required, you can fill this ODS object from structural authorizations (see Structural Authorizations - Values [Extern] (0PA_DS02) and Structural Authorizations - Hierarchy [Extern] (0PA_DS03)). For more information, see SAP Library for BI Content for Human Resources under Organizational Management → ODS Objects. You can also access SAP Library from the SAP Help Portal (see help.sap.com → Documentation → SAP NetWeaver).


    Communication Destinations

    To be able to run the individual self-service components, you have to set up the SAP Java Connector (JCo) connections on the Web Dynpro J2EE server. For more information about these connections, see the Business Package documentation for the relevant component (such as Employee Self-Service, Manager Self-Service, Business Unit Analyst) and choose Setting Up SAP Java Connector (JCo) Connections [Extern].


    Accounting

    Financial Accounting

    Network and Communication Security

    Communication with external systems takes place using the standard channels provided by SAP basis technology:

    • Application Link Enabling (ALE)
    • Standard interfaces to BW, CRM, and SRM systems
    • Batch Input [Extern]
    • Remote Function Call [Extern] (RFC)
    • Business Application Programming Interface (BAPI)
    • IDOC [Extern]
    • SAP Exchange Infrastructure (XI)
    • E-mail, fax

    Financial Accounting has interfaces to Taxware and Vertex software used for performing tax calculations. In addition, there is an interface for the electronic advance return for tax on sales and purchases using Elster. Communication takes place by means of XI.

    Payments and payment advice notes are dispatched per IDoc, and dunning notices sent by e-mail or fax.

    Communication Destinations

    All the technical users generally available can be used.

    For payment requests from other components, see SAP Note 303205.

    Data Storage Security

    Many of the Financial Accounting transactions access sensitive data. Access to this kind of data, such as financial statements, is protected by standard authorization objects.

    Important SAP Notes

    See SAP Notes 303205 and 497712.


    Authorizations in Financial Accounting

    Authorization Objects in Financial Accounting

    Object  Name

    FAGL_INST  Customer Enhancements for General Ledger
    F_ACE_DST  Accrual Engine: Accrual Objects
    F_ACE_PST  Accrual Engine: Accrual/Deferral Postings
    F_BKPF_BES  Accounting Document: Account Authorization for G/L Accounts
    F_BKPF_BLA  Accounting Document: Authorization for Document Types
    F_BKPF_BUK  Accounting Document: Authorization for Company Codes
    F_BKPF_BUP  Accounting Document: Authorization for Posting Periods
    F_BKPF_GSB  Accounting Document: Authorization for Business Areas
    F_BKPF_KOA  Accounting Document: Authorization for Account Types
    F_BKPF_VW  Accounting Document: Display/Change Default Values Document Type/Posting Key
    F_FAGL_LDR  General Ledger: Authorization for Ledger
    F_FAGL_SEG  General Ledger: Authorization for Segment
    K_TP_VALU  General Ledger: Authorization for Transfer Price Valuation
    F_FAGL_SKF  General Ledger: Authorization for Transaction with Statistical Key Figures
    F_IT_ALV  Line Item Display: Change and Save Layouts
    F_KMT_MGMT  Account Assignment Model: Authorization for Maintenance and Use
    F_SKA1_AEN  G/L Account: Change Authorization for Certain Fields
    F_SKA1_BES  G/L Account: Account Authorization
    F_SKA1_BUK  G/L Account: Authorization for Company Codes
    F_SKA1_KTP  G/L Account: Authorization for Charts of Accounts
    F_T011  Balance Sheet: General Maintenance Authorization
    F_T011E  Authorization for Financial Calendar
    F_T011_BUK  Planning: Authorization for Company Codes
    F_T060_ACT  Information System: Account Type/Activity for Evaluation View
    F_AVIK_AVA  Payment Advice Note: Authorization for Payment Advice Note Types
    F_AVIK_BUK  Payment Advice Note: Authorization for Company Codes
    F_BKPF_BED  Accounting Document: Account Authorization for Customers
    F_BKPF_BEK  Accounting Document: Account Authorization for Vendors
    F_BL_BANK  Authorization for House Banks and Payment Methods
    F_BNKA_BUK  Banks: Authorization for Company Codes
    F_FBCJ  Cash Journal: General Authorization
    F_FEBB_BUK  Bank Account Statement Company Code
    F_FEBC_BUK  Check Deposit/Lockbox Company Code
    F_KNA1_AEN  Customer: Change Authorization for Certain Fields
    F_KNA1_APP  Customer: Application Authorization
    F_KNA1_BED  Customer: Accounts Authorization
    F_KNA1_BUK  Customer: Authorization for Company Codes
    F_KNA1_GEN  Customer: Central Data
    F_KNA1_GRP  Customer: Accounts Group Authorization
    F_KNA1_KGD  Customer: Change Authorization for Accounts Groups
    F_KNB1_ANA  Customer: Authorization for Account Analysis
    F_KNKA_AEN  Credit Management: Change Authorization for Certain Fields
    F_KNKA_KKB  Credit Management: Authorization for Credit Control Area
    F_BNKA_MAN  Banks: General Maintenance Authorization
    F_KNKK_BED  Credit Management: Accounts Authorization
    F_LFA1_AEN  Vendor: Change Authorization for Certain Fields
    F_LFA1_APP  Vendor: Application Authorization
    F_LFA1_BEK  Vendor: Accounts Authorization
    F_LFA1_BUK  Vendor: Authorization for Company Codes
    F_LFA1_GEN  Vendor: Central Data
    F_LFA1_GRP  Vendor: Accounts Group Authorization
    F_MAHN_BUK  Automatic Dunning: Authorization for Company Codes. The documentation for this refers to transaction F150.
    F_MAHN_KOA  Automatic Dunning: Authorization for Account Types
    F_PAYRQ  Authorization Object for Payment Requests
    F_PAYR_BUK  Check Management: Action Authorization for Company Codes
    F_REGU_BUK  Automatic Payment: Action Authorization for Company Codes. Refers to transaction F110.
    F_REGU_KOA  Automatic Payment: Action Authorization for Account Types
    F_RPCODE  Repetitive Code
    F_RQRSVIEW  Bank Ledger: Viewer for Request Response Messages
    F_T042_BUK  Customizing Payment Program: Authorization for Company Codes
    S_BTCH_JOB  Background Processing: Operations on Background Jobs. Users you would like to authorize to start background processing must have authorization for activity RELE.
    P_ABAP  HR Reporting. Protects payments from the payroll. See also SAP Note 303205, which describes an enhancement of the checks made using a function module.
    F_WEB_EBPP  Participation in EBPP Process via a Web Interface


    General Ledger Accounting (FI-GL)

    Standard Roles in General Ledger Accounting

    Role  Name

    SAP_AUDITOR_BA_FI_GL  AIS - General Ledger (GLT0)
    SAP_FI_GL_ACCOUNT_CHANGE_REQUE  General Ledger Account/Change Request
    SAP_FI_GL_ACCT_MASTER_DATA  General Ledger Master Data Maintenance
    SAP_FI_GL_BALANCE_CARRYFORWARD  Balance Carryforward
    SAP_FI_GL_CHANGE_PARKED_DOCUM  Change Parked General Ledger Documents
    SAP_FI_GL_CLEAR_OPEN_ITEMS  Clear Open General Ledger Items
    SAP_FI_GL_CONS_PREPARATIONS  Preparation for Consolidation
    SAP_FI_GL_CURRENCY_VALUATION  General Ledger Account Foreign Currency Valuation
    SAP_FI_GL_DISPLAY_ACCT_BALANCE  Display General Ledger Account Balances and Items
    SAP_FI_GL_DISPLAY_DOCUMENTS  Display General Ledger Documents
    SAP_FI_GL_DISPLAY_MASTER_DATA  Display General Ledger Master Data
    SAP_FI_GL_DISPLAY_PARKED_DOCUM  Display Parked Documents
    SAP_FI_GL_EXCHANGE_RATE_TABLE  Maintain Currency Exchange Rates
    SAP_FI_GL_FIN_STATEMENT_REPORT  Financial Statement Reports
    SAP_FI_GL_INTEREST_CALCULATION  Interest Calculation for G/L Accounts
    SAP_FI_GL_INTEREST_RATE_TABLES  Maintain Interest Rates
    SAP_FI_GL_KEY_REPORTS  Key Reports: General Ledger Accounting
    SAP_FI_GL_PARK_DOCUMENT  Park General Ledger Documents
    SAP_FI_GL_PERIOD_END_CLOSING  Closing Procedures in General Ledger Accounting
    SAP_FI_GL_PERIODIC_ENTRIES  Enter Recurring General Ledger Postings
    SAP_FI_GL_POST_ENTRY  Make General Ledger Postings
    SAP_FI_GL_POST_PARKED_DOCUMENT  Post Parked Document
    SAP_FI_GL_RECURRING_DOCUMENTS  Process Recurring Documents
    SAP_FI_GL_REVERSE-CHANGE  Reverse/Change General Ledger Documents
    SAP_FI_GL_SAMPLE_ACCT_MASTER_D  Sample Accounts
    SAP_FI_GL_SAMPLE_DOCUMENTS  Edit Sample Documents


    Consolidation Authorizations

    Authorization Objects in Consolidation

    Authorization Object Description

    E_CS_BUNIT Consolidation unit

    E_CS_CACTT Consolidation tasks

    E_CS_CONGR Consolidation group

    E_CS_DEFRM SAP Consolidation: Data entry layout

    E_CS_DIMEN Dimension

    E_CS_ITCLG Consolidation chart of accounts

    E_CS_JEFRM SAP Consolidation: Journal entry layout

    E_CS_PERMO Monitor, opening/closing of periods

    E_CS_RPTNG Reporting with Report Writer/Report Painter and Drilldown Reports

    E_CS_RVERS Version

    For more information, see the Implementation Guide for Enterprise Controlling at Consolidation → Preparing for Production → Authorization Management.

    Authorization Profiles in Consolidation

    Authorization Profile Description

    E_CS_ALL Full Authorization for EC-CS

    E_CS_DISPLAY Display Authorization for EC-CS

    Standard Roles in Consolidation

    Role Name

    SAP_AUDITOR_BA_EC_CS AIS Consolidation

    SAP_AUDITOR_BA_EC_CS_A AIS Consolidation (Authorizations)

    SAP_EC_CS_FUNCTIONS_DETAIL Consolidation Detail Functions

    SAP_EC_CS_FUNCTIONS_GENERAL Consolidation General Functions

    SAP_EC_CS_OFFLINE_DATA_ENTRY Consolidation Offline Data Entry with Microsoft Access

    SAP_EC_CS_RECONCILIATION Consolidation Reconciliation of Integrated Data

    SAP_EC_CS_REPORT_ALL Consolidation All Reports

    SAP_EC_CS_REPORT_CONSDATA Consolidation Reports with Consolidated Data


    Network and Communication Security

    Consolidation allows for offline entry of data using Microsoft Access. Communication takes place via Remote Function Call (RFC).

    Data Storage Security

    The authorization objects listed earlier protect the data that is processed in Consolidation when consolidated statements are created.

    Accounts Payable Accounting (FI-AP)

    Standard Roles in Accounts Payable Accounting

    Role  Name

    SAP_FI_AP_BALANCE_CARRYFORWARD  Vendor Balance Carryforward
    SAP_FI_AP_CHANGE-REVERSE_INV  Change/Reverse Vendor Invoices
    SAP_FI_AP_CHANGE_LINE_ITEMS  Change Vendor Line Items
    SAP_FI_AP_CHANGE_PARKED_DOCUM  Change Parked Vendor Documents
    SAP_FI_AP_CHECK_MAINTENANCE  Check Processing
    SAP_FI_AP_CLEAR_OPEN_ITEMS  Clear Vendor Line Items
    SAP_FI_AP_CORRESPONDENCE  Correspondence Vendors
    SAP_FI_AP_DISPLAY_BALANCES  Display Vendor Balances and Items
    SAP_FI_AP_DISPLAY_CHECKS  Display Checks
    SAP_FI_AP_DISPLAY_DOCUMENTS  Display Vendor Documents
    SAP_FI_AP_DISPLAY_MASTER_DATA  Display Vendor Master Data
    SAP_FI_AP_DISPLAY_PARKED_DOCUM  Display Parked Vendor Documents
    SAP_FI_AP_INTEREST_CALCULATION  Vendor Interest Calculation
    SAP_FI_AP_INTERNET_FUNCTIONS  Internet Functions in Accounts Payable Accounting
    SAP_FI_AP_INVOICE_PROCESSING  Entry of Vendor Invoices
    SAP_FI_AP_KEY_REPORTS  Important Reports from Accounts Payable Accounting
    SAP_FI_AP_MANUAL_PAYMENT  Manual Payment
    SAP_FI_AP_PARK_DOCUMENT  Park Vendor Documents
    SAP_FI_AP_PAYMENT_BILL_OF_EXCH  Payment Transaction with Bill of Exchange
    SAP_FI_AP_PAYMENT_CHECKS  Payment Program with Check Processing
    SAP_FI_AP_PAYMENT_PARAMETERS  Display of Payment Run Parameters
    SAP_FI_AP_PAYMENT_PROPOSAL  Create and Process Proposal for a Payment Run
    SAP_FI_AP_PAYMENT_RUN  Payment Run Update Run without Printing Payment Medium
    SAP_FI_AP_PCARD  Payment Card (Procurement Card)
    SAP_FI_AP_PERIOD_END_ACTIVITY  Accounts Payable Accounting Period Closing
    SAP_FI_AP_POST_PARKED_DOCUM  Post Parked Vendor Document
    SAP_FI_AP_RECURRING_DOCUMENTS  Vendor Recurring Entry Documents
    SAP_FI_AP_SAMPLE_DOCUMENTS  Edit Sample Documents: Accounts Payable Accounting
    SAP_FI_AP_VENDOR_MASTER_DATA  Vendor Master Data Maintenance
    SAP_FI_AP_WITHHOLDING_TAX  Withholding Tax Processing

    Accounts Receivable Accounting (FI-AR)

    Authorizations

    Standard Roles in Accounts Receivable Accounting

    Role  Name

    SAP_FI_AR_BALANCE_CARRYFORWARD  Customer Balance Carryforward
    SAP_FI_AR_BILL_OF_EXCHANGE  Process Bill of Exchange
    SAP_FI_AR_CHANGE-REVERSE  Change/Reverse Customer Postings
    SAP_FI_AR_CHANGE_LINE_ITEMS  Change Customer Items
    SAP_FI_AR_CHANGE_PARKED_DOCUM  Change Parked Document
    SAP_FI_AR_CLEAR_OPEN_ITEMS  Clear Customer Items
    SAP_FI_AR_CREDIT_MASTER_DATA  Credit Management Master Data
    SAP_FI_AR_CUST_DOWN_PAYMENTS  Processing of Customer Payments
    SAP_FI_AR_DISPLAY_CREDIT_INFO  Display Credit Data
    SAP_FI_AR_DISPLAY_CUST_INFO  Display Customer Information
    SAP_FI_AR_DISPLAY_DOCUMENTS  Display Customer Documents
    SAP_FI_AR_DISPLAY_MASTER_DATA  Display Customer Master Data
    SAP_FI_AR_DISPLAY_PARKED_DOCUM  Display Parked Customer Document
    SAP_FI_AR_DUNNING_PROGRAM  Dunning Program
    SAP_FI_AR_INTEREST_CALCULATION  Customer Interest Calculation
    SAP_FI_AR_INTERNET_FUNCTIONS  Internet Functions for Accounts Receivable Accounting
    SAP_FI_AR_KEY_REPORTS  Important Reports for Accounts Receivable Accounting
    SAP_FI_AR_MASTER_DATA  Customer Master Data Maintenance
    SAP_FI_AR_PARK_DOCUMENT  Park Customer Documents
    SAP_FI_AR_PAYMENT_CARD_PROCESS  Payment Card Processing
    SAP_FI_AR_PERIOD_END_PROCESS  Closing Operations: Accounts Receivable Accounting
    SAP_FI_AR_POST_ENTRIES  Post Customer Invoices and Credit Memos
    SAP_FI_AR_POST_MANUAL_PAYMENTS  Post Incoming Payments Manually
    SAP_FI_AR_POST_PARKED_DOCUMENT  Post Parked Customer Document
    SAP_FI_AR_PRINT_CORRESPONDENCE  Correspondence with Customers
    SAP_FI_AR_RECURRING_DOCUMENTS  Customer Recurring Entry Documents
    SAP_FI_AR_SAMPLE_DOCUMENTS  Customer Sample Documents
    SAP_FI_AR_VALUATION  Valuation of Customer Items

    Data Storage Security

    You can store payment card numbers encoded in the database. For information about encoding credit card data, see SAP Note 633462.

    Bank Accounting (FI-BL)

    Authorizations

    Standard Roles in Bank Accounting

    Role  Name

    SAP_FI_BL_ACCOUNT_REPORTS  Financial Status Information
    SAP_FI_BL_BANK_MASTERDAT_DISPL  Display of Bank Master Data
    SAP_FI_BL_BANK_MASTER_DATA  Maintenance of Bank Master Data
    SAP_FI_BL_BANK_STATEMENT  Process Account Statement
    SAP_FI_BL_BILL_OF_EX_PRESENT  Bill of Exchange Presentation
    SAP_FI_BL_BILL_OF_EX_REPORTS  Reports on Bill of Exchange Holdings
    SAP_FI_BL_CASHED_CHECKS  Cashed Checks
    SAP_FI_BL_CASH_JOURNAL  Cash Journal
    SAP_FI_BL_CHECK_DELETE  Deletion of Checks
    SAP_FI_BL_CHECK_DEPOSIT  Check Deposit
    SAP_FI_BL_CHECK_MANAGEMENT  Check Management
    SAP_FI_BL_CHECK_MGMENT_DISPLAY  Display of Managed Checks
    SAP_FI_BL_INTRADAY_STATEMENT  Import Intraday Account Statement Information (USA)
    SAP_FI_BL_LOCKBOX  Processing the Lockbox - Data
    SAP_FI_BL_ONLINE_PAYMENT  Make Online Payments
    SAP_FI_BL_PAYMENT_TRANSACTIONS  Payment Processing
    SAP_FI_BL_PAYME_ADVICE_REPORTS  Payment Advice Note Reports
    SAP_FI_BL_POR_PROCEDURE  Incoming Payments via ISR Procedure (Switzerland)
    SAP_FI_BL_RETURNED_BILL_OF_EX  Returned Bills of Exchange


    Data Storage Security

    You can store payment card numbers encoded in the database. For information about encoding credit card data, see SAP Note 633462.

    Asset Accounting (FI-AA) Authorizations

    Standard Roles in Asset Accounting

    Role Name

    SAP_AUDITOR_BA_FI_AA AIS Fixed Assets

    SAP_AUDITOR_BA_FI_AA_A AIS Fixed Assets (Authorizations)

    SAP_FI_AA_ASSET_ARCHIVING Archiving Activities

    SAP_FI_AA_ASSET_CAPITALIZATION Capitalization of Asset under Construction

    SAP_FI_AA_ASSET_ENVIRONMENT Worklist and Tools in Asset Accounting

    SAP_FI_AA_ASSET_EXPLORER Asset Explorer

    SAP_FI_AA_ASSET_INFOSYSTEM Asset Accounting Information System

    SAP_FI_AA_ASSET_MASTER_DATA Asset Master Data Maintenance

    SAP_FI_AA_ASSET_REVALUATION Revaluation Activiti