Security Guide
Document version: 1.1 – 2016-08-10

SAP® Extended Warehouse Management 9.4 Security Guide
Using SAP SCM 7.0 including SAP enhancement package 4, SAP ERP 6.0 including SAP enhancement package 8, or SAP NetWeaver® 7.5

CUSTOMER

© Copyright 2016 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


CUSTOMER© Copyright 2016 SAP SE or an SAP affiliate company.All rights reserved. SAP® Extended Warehouse Management 9.4 Security Guide


Typographic Conventions

Table 1: Typographic Conventions

<Example>
  Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”.

Example → Example
  Arrows separating the parts of a navigation path, for example, menu options

Example
  Emphasized words or expressions

Example
  Words or characters that you enter in the system exactly as they appear in the documentation

www.sap.com
  Textual cross-references to an internet address

/example
  Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web

123456
  Hyperlink to an SAP Note, for example, SAP Note 123456

Example
  ● Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
  ● Cross-references to other documentation or published works

Example
  ● Output on the screen following a user action, for example, messages
  ● Source code or syntax quoted directly from a program
  ● File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools

EXAMPLE
  Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE

EXAMPLE
  Keys on the keyboard


Document History

Caution
Before you start the implementation, make sure you have the latest version of this document. You can find the latest version at the following location: service.sap.com under SAP Business Suite Applications → SAP SCM → SAP Extended Warehouse Management → SAP Extended Warehouse Management 9.4 → Security Guide.

The following table provides an overview of the most important document changes.

Table 2

Version Date Description

1.1 2016-08-10 Deletion of Personal Data chapter updated for SAP EWM 9.4 SP01

1.0 2016-05-12 Initial version of the Security Guide for SAP EWM 9.4


Content

1 Introduction  7

2 Before You Start  10

3 Technical System Landscape  16

4 Security Aspects of Data Flow and Processes  17

5 User Administration and Authentication  23
5.1 User Management  23
5.2 User Data Synchronization  28
5.3 Integration Into Single Sign-On Environments  28

6 Authorizations  30
6.1 Authorization Objects  33
6.2 Maintaining Authorizations  34
6.3 Maintaining Authorizations for Integration with SAP Components  34
6.4 Maintaining Authorizations for Enterprise Services  37

7 Session Security Protection  38

8 Network and Communication Security  39
8.1 Communication Channel Security  40
8.2 Unified Connectivity  43
8.3 Network Security  43
8.4 Communication Destinations  44

9 Internet Communication Framework Security  48

10 Application-Specific Virus Scan Profile (ABAP)  49

11 Data Storage Security  50

12 Data Protection  54
12.1 Deletion of Personal Data  55
12.2 Read Access Logging  60

13 Security for Additional Applications  62

14 Enterprise Services Security  63

15 Other Security-Relevant Information  64
15.1 User Frontend  64
15.2 Data Protection and Privacy  65

16 Security-Relevant Logging and Tracing  66

17 Services for Security Lifecycle Management  69

18 Appendix  71


1 Introduction

Caution
This guide does not replace the administration or operation guides that are available for productive operations.

Target Audience

● Technology consultants

● Security consultants

● System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

Why is Security Necessary

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or reductions in processing time. These demands on security apply likewise to the SAP Extended Warehouse Management (SAP EWM) component. To assist you in securing your SAP EWM component, we provide this SAP EWM Component Security Guide.

Recommendation
We strongly recommend that you also consult the SAP NetWeaver Security Guide.

About This Document

This Security Guide provides an overview of the security-relevant information that applies to the SAP EWM 9.4 component.

Applications in SAP EWM 9.4

SAP EWM 9.4 contains multiple applications that can be used independently of each other. For example, SAP Dock Appointment Scheduling is technically part of the SAP EWM 9.4 installation, but it can be used independently of other SAP EWM applications as a standalone application. If you are using SAP Dock Appointment Scheduling only, without any integration to SAP EWM, some parts of the guide are not relevant.

The following list describes the levels of relevance of this guide:

● Several sections of this guide describe steps that are independent of the applications or business processes used, and you must always implement these steps. For example, securing an SAP NetWeaver system. This is true for most parts of this document. These sections are not marked.

● Other sections of this guide describe topics that are relevant for both SAP EWM in general and Dock Appointment Scheduling. These sections are not marked. Here if the term SAP EWM is used, it means the SAP EWM 9.4 system installation, including Dock Appointment Scheduling.


● Some sections of this guide are only necessary depending on which processes or applications of SAP EWM 9.4 you are using. These sections can be either specific to Dock Appointment Scheduling or for specific SAP EWM processes. These sections are marked as relevant for Dock Appointment Scheduling or SAP EWM applications. In these sections only, you can omit the steps that are specifically for SAP EWM applications or Dock Appointment Scheduling.

This guide uses the following keys to identify the applications:

○ Relevant only if you are using Dock Appointment Scheduling

○ Not relevant for Dock Appointment Scheduling

The guide also differentiates between standalone Dock Appointment Scheduling and Dock Appointment Scheduling integrated with SAP EWM.

○ SAP EWM: SAP EWM-only processes

○ All: Applies to both Dock Appointment Scheduling and SAP EWM

Overview of the Main Sections

The Security Guide comprises the following main sections:

● Before You Start

This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.

● Technical System Landscape

This section provides an overview of the technical components and communication paths that are used by the SAP EWM component.

● Security Aspects of Data Flow and Processes

This section provides an overview of the security aspects involved throughout the most widely-used processes within the SAP EWM component.

● User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

○ Recommended tools to use for user management.

○ User types that are required by the SAP EWM component.

○ Standard users that are delivered with the SAP EWM component.

○ Overview of the user synchronization strategy, if several components or products are involved

○ Overview of how integration with Single Sign-On environments is possible.

● Authorizations

This section provides an overview of the authorization concept that applies to the SAP EWM component.

● Session Security Protection

This section provides information about activating secure session management, which prevents JavaScript or plug-ins from accessing the SAP logon ticket or security session cookies.

● Network and Communication Security

This section provides an overview of the communication paths used by the SAP EWM component, and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

● Internet Communication Framework Security

This section provides an overview of the Internet Communication Framework (ICF) services that are used by the SAP EWM component.


● Application-Specific Virus Scan Profile (ABAP)

This section provides an overview of the behavior of the AS ABAP when application-specific virus scan profiles are activated.

● Data Storage Security

This section provides an overview of any critical data that is used by the SAP EWM component and the security mechanisms that apply.

● Data Protection

This section provides information about how the SAP EWM component protects personal or sensitive data.

● Security for Third-Party or Additional Applications

This section provides security information that applies to third-party or additional applications that are used with the SAP EWM component.

● Dispensable Functions with Impacts on Security

This section provides an overview of functions that have impacts on security and can be disabled or removed from the system.

● Enterprise Services Security

This section provides an overview of the security aspects that apply to the enterprise services delivered with SAP EWM.

● Other Security-Relevant Information

This section contains information about:

○ Web browser as a user frontend

○ RF device as user frontend

○ Data protection and privacy

● Security-Relevant Logging and Tracing

This section provides an overview of the trace and log files that contain security-relevant information. If a security breach occurs, you can reproduce activities, for example.

● Services for Security Lifecycle Management

This section provides an overview of services provided by Active Global Support that are available to assist you in maintaining security in your SAP systems on an ongoing basis.

● Appendix

This section provides references to further information.


2 Before You Start

Fundamental Security Guides and Documentation

SAP EWM 9.4 is based on SAP NetWeaver. With respect to SAP Fiori and SAPUI5 apps, SAP NetWeaver Gateway plays a fundamental role. This means that the corresponding Security Guides are also applicable for SAP EWM. For a complete list of the available SAP Security Guides, see SAP Service Marketplace at service.sap.com/securityguide.

This Component Security Guide often provides references to other documentation. You can find this security-relevant documentation for the SAP Extended Warehouse Management (SAP EWM) component as follows:

Table 3: Fundamental Security Guides and Documentation

Guide/Documentation: SAP NetWeaver Security Guides
Path: help.sap.com/nw → SAP NetWeaver Platform → SAP NetWeaver 7.5 → Security Information → Security Guide

Guide/Documentation: SAP NetWeaver Application Help
Path: help.sap.com/nw → SAP NetWeaver Platform → SAP NetWeaver 7.5 → Application Help → Function-Oriented View

Guide/Documentation: SAP EWM Master Guide
Path: service.sap.com/instguides → SAP Business Suite Applications → SAP EWM → Using SAP EWM 9.4 → Master Guide
The SAP EWM component is built on further components and uses further components. Therefore, the corresponding Security Guides also apply to SAP EWM. The Master Guide contains more information regarding the components necessary for business scenarios and processes.

Guide/Documentation: SAP Library for SAP Extended Warehouse Management (SAP EWM)
Path: help.sap.com/ewm → SAP Extended Warehouse Management 9.4 → Application Help → SAP Library. In SAP Library, choose SAP Extended Warehouse Management (SAP EWM).

Related Security Guides

The following table provides an overview of all related security guides for this component. For the Security Guides mentioned, see SAP Help Portal at help.sap.com/netweaver → SAP NetWeaver Platform → SAP NetWeaver 7.5 → Security Information → Security Guide.

Table 4: Related Security Guides for SAP NetWeaver Products

Product: Operating System and Database Platforms
See: Security Guides for the Operating System and Database Platforms
Application relevance: All

Product: SAP NetWeaver Application Server
See:
● Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server:
  ○ Security Guides for AS ABAP → SAP NetWeaver Application Server for ABAP Security Guide
  ○ Security Guides for AS Java → SAP NetWeaver Application Server for Java Security Guide
  ○ Security Aspects for AS Infrastructure Functional Units → Security Settings for the SAP Message Server
  ○ Security Guides for Business Services → SAP Interactive Forms by Adobe Security Guide
  ○ Security Guides for Business Services → SAP Knowledge Warehouse Security Guide
  ○ Security Aspects for AS Infrastructure Functional Units → AS ABAP with Integrated ITS
● Security Guides for SAP NetWeaver Functional Units → Security Guides for Composition Environment → Composite Application Framework Security Guide
● Security Aspects for Lifecycle Management → Virus Protection and SAP GUI Integrity Checks
Application relevance: All

Product: EP Core (EPC) and Enterprise Portal (EP)
See: Security Guides for SAP NetWeaver Functional Units → Security Guides for Enterprise Portal (EP) and EP Core - Application Portal (EPC)
Application relevance: All

Product: SAP Business Warehouse (SAP BW)
See: Security Guides for SAP NetWeaver Functional Units → Security Guide SAP BW
Application relevance: All

Product: SAP NetWeaver Development Infrastructure (NWDI)
See: Security Aspects for Lifecycle Management → Security of the SAP NetWeaver Development Infrastructure
Application relevance: All

Product: SAP NetWeaver Mobile
See: Security Guides for SAP NetWeaver Functional Units → Security Guide for SAP NetWeaver Mobile
Application relevance: All

Product: SAP NetWeaver Process Integration (SAP NetWeaver PI)
See: Security Guides for SAP NetWeaver Functional Units → SAP Process Integration Security Guide
Application relevance: Relevant only if integration with SAP Transportation Management is carried out based on SAP NetWeaver PI

Product: Security Guides for Standalone Engines, Clients, and Tools
See:
● Security Guides for SAP NetWeaver Functional Units → Search and Classification (TREX) Security Guide
● Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server → Security Guides for Business Services → SAP Content Server Security Guide (Introduction and subsequent chapters)
● Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server → Security Aspects for AS Infrastructure Functional Units → Security Information for SAP Web Dispatcher
Application relevance: All

Product: Connectivity and Interoperability
See: Security Guides for Connectivity and Interoperability Technologies, for example:
● RFC/ICF Security Guide
● Security Guide for Connectivity with the AS Java
● Security Aspects for Web Services
Application relevance: All

Product: Lifecycle Management
See: Security Aspects for Lifecycle Management, for example:
● System Landscape Directory Security Guide
● Auditing and Logging
Application relevance: All

Product: SAP NetWeaver Gateway
See: SAP NetWeaver Gateway on SAP Help Portal at help.sap.com/nw. In SAP Library, choose SAP NetWeaver 7.5 → SAP NetWeaver Library: Function-Oriented View → SAP Gateway Foundation (SAP_GWFND) → SAP Gateway Foundation Security Guide
Application relevance: Relevant if you are using SAP Fiori or SAPUI5 or other components that make use of SAP Gateway. This is, for example, the case for SAP Fiori delivery apps, Labor Demand Planning, or the Carrier user interface using SAPUI5 for Dock Appointment Scheduling.

Product: Web Dynpro ABAP Security Guide
See: Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server → Security Guides for AS ABAP → Security Guide for Web Dynpro ABAP
Application relevance: Relevant only if you are using Web Dynpro user interfaces, for example, Dock Appointment Scheduling or the Shipping Cockpit. This is especially important if you plan to use Dock Appointment Scheduling and the Collaborative Scenarios.

Product: SAP Fiori Security Information
See: help.sap.com/fiori_implementation → Security information → With SAP NetWeaver 7.5
Application relevance: Relevant if you are using SAP Fiori apps in SAP EWM.

Important SAP Notes

The most important SAP Notes that apply to the security of the SAP EWM component are shown in the following table:

Table 5: Important SAP Notes

SAP Note 25591: Password change for DBM and DBA users
  Comment: The SAP R/3 user password is to be changed.

SAP Note 30724: Data Protection and Security in SAP Systems
  Comment: None

SAP Note 110600: SAP Security Library (SAPSECULIB)
  Comment: None

SAP Note 128447: Trusted/Trusting Systems
  Comment: Needed for Customizing of trusted/trusting system RFC connections.

SAP Note 138498: Single Sign-On Solutions
  Comment: Information about Single Sign-On solutions for SAP systems

SAP Note 389220: Problems with Pasting the Certificate Request Reply
  Comment: None

SAP Note 447543: APO: Authorizations too Comprehensive/Not User-Specific
  Comment: None

SAP Note 510007: Setting Up SSL on the Web Application Server ABAP
  Comment: None

SAP Note 616555: LiveCache >= 7.4: Password Change
  Comment: The passwords of the standard liveCache user, the database system administrator, the DBM user, should be changed in the liveCache environment.

SAP Note 637052: Missing Authorization Object for Database Views
  Comment: None

SAP Note 662340: SSF Encryption Using the SAPCrytolib
  Comment: The SAP Cryptographic Library has to be used for encrypting data in the SAP system.

SAP Note 683528: Security Note: SAP MaxDB
  Comment: This note provides information about the secure operation of SAP DB/MaxDB and liveCache.

SAP Note 727839: Authorization Role for the SAP SCM – SAP R/3 Integration
  Comment: None

SAP Note 792366: Subsequent Implementing a Security Level for Documents
  Comment: Knowledge Provider: what needs to be taken into account if an application of the Knowledge Provider (KPro) decides to change the security level for documents for one or more of their PHIO classes.

SAP Note 1517416: Collective security note for SAP EWM
  Comment: This note contains additional security-relevant information and notes for SAP EWM.

SAP Note 1515223: SAP NetWeaver Process Integration: Release Recommendation
  Comment: This note sets out our recommendation on which release of SAP NetWeaver PI you should use.

SAP Note 1536783: SAP Security Recommendations – Protecting Java- and ABAP BAS
  Comment: This note provides information on where to find the SAP Security Recommendations Protecting Java- and ABAP-Based SAP® Applications Against Common Attacks December 2010 white paper.

SAP Note 900000: NetWeaver Business Client – FAQ
  Comment: None

Recommendation
For a list of additional security-relevant SAP Hot News and SAP Notes, see SAP Service Marketplace at:

● service.sap.com/securitynotes

● service.sap.com/security → SAP Security Notes

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.


Table 6: Quick Links to Additional Information

Content Quick Link on SAP Service Marketplace or SDN

Security scn.sap.com/community/security

Security Guides service.sap.com/securityguide

Related SAP Notes service.sap.com/notes

Released Platforms service.sap.com/pam

Network Security service.sap.com/securityguide

SAP Solution Manager service.sap.com/solutionmanager

SAP NetWeaver scn.sap.com/community/netweaver

SAP EWM scn.sap.com/community/extended-warehouse-management


3 Technical System Landscape

For more information about the technical system landscape, see the resources listed in the following table:

Table 7: More Information About the Technical System Landscape

Topic: Technical System Landscape
Guide or Tool: SAP Extended Warehouse Management (SAP EWM) Master Guide
Quick Link: service.sap.com/instguides → SAP Business Suite Applications → SAP EWM → Using SAP EWM 9.4 → Master Guide

Topic: Technical System Landscape & Installation
Guide or Tool: SAP SCM Installation Guides
Quick Link:
● scn.sap.com/docs/DOC-8140
● service.sap.com/instguides → SAP Business Suite Applications → SAP SCM → SAP SCM Server → Using SAP enhancement package 3 for SCM Server 7.0 → Installation Guides → Installation Guides for SAP EHP 3 for SAP SCM 7.0

Topic: Security
Guide or Tool: Security Guide
Quick Link: service.sap.com/securityguides


4 Security Aspects of Data Flow and Processes

SAP Extended Warehouse Management (SAP EWM) can be installed, distributed, and used in multiple different scenarios. For more information, see Technical System Landscape [page 16]. The following table describes some typical processes and communication channels, along with appropriate security measures:

Table 8

Process: SAP EWM receives data from SAP ERP (such as deliveries and master data) and sends data to SAP ERP (such as confirmations and stock updates). This is typically done using standard qRFC/RFC technology.
Security measure: Ensure appropriate user authorizations. For more information, see Communication Channel Security [page 40].
Application relevance: Not relevant for standalone Dock Appointment Scheduling

Process: Mobile devices can be connected using HTTP/ITS mobile (it is also possible to use the SAP console). This is done based on the Internet Communication Framework (ICF) service for RFUI.
Security measure: For more information, see Internet Communication Framework Security [page 48].
Application relevance: Not relevant for standalone Dock Appointment Scheduling

Process: For certain scenarios, such as connecting automated physical processes (for example, conveyor systems) via SAP Plant Connectivity, RFCs are used. Depending on the scenario, IDocs may also be used (for example, when warehouse control units are used).
Security measure: For more information, see the SAP NetWeaver Security Guide for SAP NetWeaver 7.5 under Network and Communication Security Transport Layer Security.
Application relevance: Not relevant for standalone Dock Appointment Scheduling

Process: SAP EWM offers the possibility for upload and download of data. In many of these transactions it is possible to either choose a local file system (PC) or files on the application server.
Security measure: Ensure that only a few people can access these transactions, and that access to the application server file system is restricted. You should design logical paths and filenames to restrict the access. For more information, see Data Storage Security [page 50].
Application relevance: Not relevant for standalone Dock Appointment Scheduling

Process: SAP EWM offers a collaborative scenario for Dock Appointment Scheduling. This enables appointment planners for carriers to access the system using SAP NetWeaver Gateway or Web Dynpro ABAP technology, for example, from outside the company network.
Security measure: In this scenario, users outside of the company or firewall may access the system. For such scenarios, special attention must be paid to assigning authorizations to these users, and to the system setup and how the access from outside the company is granted. For more information, see Collaborative Scenario using Dock Appointment Scheduling in Network and Communication Security [page 39].
Application relevance: Relevant only if you are using Dock Appointment Scheduling

Process: SAP EWM offers a scenario for Labor Demand Planning. This enables users to access the SAP EWM system from a mobile device.
Security measure: In this scenario, users can access the system from mobile devices using SAP NetWeaver Gateway. For more information, see Labor Demand Planning in Network and Communication Security [page 39].
Application relevance: Relevant only if you are using Labor Demand Planning from a mobile device

Process: SAP EWM offers a scenario for direct integration to SAP Transportation Management (SAP TM).
Security measure: In this scenario, SAP EWM receives inbound messages from SAP TM and can send outbound messages to SAP TM. The communication is performed using enterprise services.
Application relevance: Relevant only if you are using a direct integration to SAP TM

Process: SAP EWM offers a scenario for Warehouse Billing where there is an integration with the SAP TM system.
Security measure: In this scenario, SAP EWM can extract billing-relevant information from SAP TM and send order and settlement information back to SAP TM. The communication is performed using enterprise services or Web services.
Application relevance: Relevant only if you are using Warehouse Billing with SAP TM

Process: SAP EWM Fiori apps, for example, for deliveries or returns processing.
Security measure: In this scenario, SAP Fiori accesses SAP EWM using SAP NetWeaver Gateway. For more information, see SAP Library for SAP Fiori on SAP Help Portal at help.sap.com/fiori. In particular, see SAP Fiori implementation information as well as security and installation information.
Application relevance: Relevant only if you are using SAP Fiori apps with SAP EWM

SAP EWM DAS Carrier Collaboration Scenario using SAP NW Gateway and SAPUI5

The following diagram explains in detail some collaborative processes for Dock Appointment Scheduling within SAP EWM 9.4. Since the application can be accessed from the internet, higher security risks exist. The diagram shows the data flows along with some possible security measures to take into consideration. These scenarios show the Dock Appointment Scheduling application for external carriers. The diagram also shows how you can access the application using Web Dynpro and SAP NW Gateway.


Figure 1: DAS Carrier UI Using SAP NW Gateway

Table 9

Step 1
Description: A user uses the internet to specify the URL to the SAP EWM Carrier user interface (UI).
Security measure: You need to create a user. We recommend that authentication is done using certificates that need to be exchanged with the external user beforehand. This avoids authentication by the user with a user name and password. The authorization of the user depends on whether a separate Gateway system is used, or a Gateway system and SAP EWM system are used together.

Step 2
Description: The port for HTTPS communication needs to be open so that the request is not blocked by a firewall.
Security measure: The firewall needs to be maintained accordingly.

Step 3
Description: The URL filter checks whether this URL is maintained in a white list. The request is not forwarded if the URL is not in the white list.
Security measure: SAP Web Dispatcher needs to be configured as a URL filter. Only the URLs to ICF services for the DAS Carrier UI5, the Gateway services for the DAS Carrier UI, and supporting services must be maintained in the white list. Otherwise, external users could access internal services for which they are not authorized. For more information, see SAP Library for SAP NetWeaver 7.5 on SAP Help Portal at help.sap.com/nw. In SAP Library, choose SAP NetWeaver SAP NetWeaver Library: Function-Oriented View Application Server Application Server Infrastructure SAP Web Dispatcher Administration of the SAP Web Dispatcher SAP Web Dispatcher as a URL Filter.

Step 4
Description: The ICF node for the DAS Carrier UI5 is accessed and checked for activity.
Security measure: ICF nodes for DAS Carrier UI5 (supporting services and gateway services) need to be active. The relevant paths are as follows:
● /sap/bc/ui5_ui5scwu/ui_das_carrier (can also be activated by activating the Gateway service /SCWM/DAS_CARRIER_ACCESS_SRV)
● /sap/opu/odata/ui2/page_builder_pers (can also be activated by activating the Gateway service /UI2/PAGE_BUILDER_PERS)

Step 5
Description: SAP EWM is accessed.
Security measure: The authorization profile for the role of the external user needs to be maintained accordingly. Secure HTTP Session Management should be activated on the ABAP AS as described in SAP Note 1322944.

Step 6
Description: Gateway requests data from the SAP EWM system.
Security measure: A trusted RFC is sent to SAP EWM to get the relevant data. This describes a landscape where a separate NW Gateway system is used independently of SAP EWM. Further landscape and installation options are available; for these, see the NW Gateway documentation.

Step 7
Description: The result is displayed in the browser of the user.
Security measure: -

Recommendation: To access the SAP EWM system externally, we recommend that you define a system alias in the web dispatcher. The web dispatcher redirects the request to the correct hostname and port so that an external user can use a hyperlink, which contains the alias, to access the system.


SAP EWM Carrier Access Using DAS Web Dynpro-UIs

Recommendation: Access by a carrier using Web Dynpro UIs has also been possible since SAP EWM 9.1, but we strongly recommend that you use the Carrier Access using SAP NW Gateway and SAPUI5 instead.

Figure 2: Carrier Access Using DAS Web Dynpro User Interfaces

DAS Web Dynpro UIs are accessed from outside the firewall. In this scenario only the Web Dynpro UIs are considered for the role of an external carrier planner (PFCG role /SCWM/DAS_EXT_CARR_PLANNER).

Table 10

Step 1
Description: A user from the internet calls the URL to the SAP EWM DAS Web Dynpro UIs.
Security measure: A user needs to be created. We recommend that authentication is done using certificates, which need to be exchanged with the external user beforehand so that the internet user cannot log on to the portal by entering a user name and password.

Step 2
Description: The port for HTTPS communication needs to be open so that the request is not blocked by the firewall.
Security measure: The firewall needs to be maintained accordingly.

Step 3
Description: The URL filter checks whether this URL is maintained in the white list. If the URL is not in the white list, the request is not forwarded.
Security measure: SAP Web Dispatcher needs to be configured as a URL filter. Only the URLs to ICF services for the DAS Web Dynpro UI and for supporting services must be maintained in the white list. Otherwise, external users could access internal services for which they are not authorized. For more information, see SAP Library for SAP NetWeaver 7.5 on SAP Help Portal at help.sap.com/nw. In SAP Library, choose SAP NetWeaver SAP NetWeaver Library: Function-Oriented View Application Server Application Server Infrastructure SAP Web Dispatcher Administration of the SAP Web Dispatcher SAP Web Dispatcher as a URL Filter.

Step 4
Description: The ICF node for DAS Web Dynpro is accessed and checked for activity.
Security measure: ICF nodes for DAS Web Dynpro (supporting services and gateway services) need to be active. The relevant paths are as follows:
● /sap/bc/webdynpro/scwm/DSAPP_LIST
● /sap/bc/webdynpro/scwm/DSAPP_MAINT

Step 5
Description: SAP EWM is accessed.
Security measure: The authorization profile for the role of the external user needs to be maintained accordingly. Secure HTTP Session Management should be activated on the ABAP AS as described in SAP Note 1322944.

Step 6
Description: Gateway requests data from the SAP EWM system.
Security measure: A trusted RFC is sent to SAP EWM to get the relevant data. This describes a landscape where a separate NW Gateway system is used independently of SAP EWM. Further landscape and installation options are available; for these, see the NW Gateway documentation.

Step 7
Description: The result is displayed in the browser of the user.
Security measure: -
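Step 3 of Table 9 and step 3 of Table 10 both rely on the SAP Web Dispatcher white list admitting only the DAS URLs and nothing else. The following is an added example, not code from the SAP guide: it parses a Web Dispatcher permission table, decides what each rule set does with the DAS Carrier ICF paths listed in Table 9 and with a constructed set of internal service URLs, and flags a broad permit that would expose internal services. The table format (P/D/S rules, first match wins), path-only and case-insensitive matching, and deny-by-default for unmatched URLs are assumptions stated in the code.

```python
"""Audit an SAP Web Dispatcher URL-filter permission table for the DAS Carrier
scenario: every DAS Carrier URL must stay reachable, no other ICF service may
leak through, and the table must end with a catch-all deny.

Added example; not code from the SAP guide. Assumed table format (the file
named by wdisp/permission_table): one rule per line, action 'P' (permit),
'D' (deny) or 'S' (permit and log), a space, then a URL pattern in which '*'
matches any run of characters; rules are tried top to bottom and the first
match wins. Further assumptions: matching is done on the URL path without
the query string, it is case-insensitive (ICF paths are), and a URL that
matches no rule counts as denied.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str    # 'P', 'D' or 'S'
    pattern: str   # URL pattern, '*' is the only wildcard


def parse_permission_table(text: str) -> List[Rule]:
    """Parse the permission table text; '#' lines and blank lines are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("P", "D", "S"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append(Rule(parts[0], parts[1].strip()))
    return rules


def _compile(pattern: str):
    # Only '*' is special; everything else (including '?') is literal.
    body = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def decide(rules: List[Rule], url: str) -> str:
    """Return the action ('P', 'S' or 'D') the table applies to a URL."""
    path = url.split("?", 1)[0]
    for rule in rules:
        if _compile(rule.pattern).match(path):
            return rule.action
    return "D"   # no match: treated as denied (assumption, see docstring)


def has_catch_all_deny(rules: List[Rule]) -> bool:
    """True when the last rule is 'D /*', so the dispatcher also denies unmatched URLs."""
    return bool(rules) and rules[-1].action == "D" and rules[-1].pattern == "/*"


def audit(rules: List[Rule], required: List[str],
          internal: List[str]) -> Tuple[List[str], List[str]]:
    """Return (required URLs the table blocks, internal URLs it lets through)."""
    blocked = [u for u in required if decide(rules, u) == "D"]
    exposed = [u for u in internal if decide(rules, u) != "D"]
    return blocked, exposed


# ICF paths the guide lists for the DAS Carrier UI5 scenario (Table 9, step 4).
DAS_CARRIER_URLS = [
    "/sap/bc/ui5_ui5scwu/ui_das_carrier/index.html",
    "/sap/opu/odata/ui2/page_builder_pers/",
]
# Constructed sample of internal services an external carrier must not reach.
INTERNAL_URLS = [
    "/sap/bc/gui/sap/its/webgui",                 # SAP GUI for HTML
    "/sap/bc/webdynpro/scwm/dsapp_maint",         # DAS Web Dynpro UI (Table 10)
    "/SAP/BC/GUI/SAP/ITS/WEBGUI?sap-client=100",  # same service, different case
]

# Constructed weak table: one broad permit covers every ICF service.
WEAK_TABLE = """
P /sap/*
D /*
"""

# Constructed hardened table: only the DAS Carrier UI and its supporting
# services (add the OData path of /SCWM/DAS_CARRIER_ACCESS_SRV, which the
# guide does not list, the same way), then deny everything else.
HARDENED_TABLE = """
S /sap/bc/ui5_ui5scwu/ui_das_carrier*
S /sap/opu/odata/ui2/page_builder_pers*
D /*
"""


def report(table: str) -> Dict[str, object]:
    rules = parse_permission_table(table)
    blocked, exposed = audit(rules, DAS_CARRIER_URLS, INTERNAL_URLS)
    return {"blocked_required": blocked, "exposed_internal": exposed,
            "catch_all_deny": has_catch_all_deny(rules)}


if __name__ == "__main__":
    for name, table in (("weak", WEAK_TABLE), ("hardened", HARDENED_TABLE)):
        print(name, report(table))
```

Run it as a pre-deployment check against the real permission file; any entry in exposed_internal means the white list admits more than the DAS Carrier services.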


5 User Administration and Authentication

SAP Extended Warehouse Management (SAP EWM) uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide [SAP Library] also apply to the SAP EWM component. For more information, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS ABAP SAP NetWeaver Application Server ABAP Security Guide .

In addition to these guidelines, we include information about user administration and authentication that specifically applies to the SAP EWM component in the following topics:

● User Management [external document]

This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with the SAP EWM component.

● User Data Synchronization [external document]

The SAP EWM component shares user data with SAP NetWeaver 7.5. This topic describes how the user data is synchronized with these other sources.

● Integration Into Single Sign-On Environments [external document]

This topic describes how the SAP EWM component supports Single Sign-On mechanisms.

5.1 User Management

User management for SAP Extended Warehouse Management (SAP EWM) uses the mechanisms provided with the SAP NetWeaver Application Server, for example, tools, user types, and password policies. For an overview of how these mechanisms apply to the SAP EWM component, see the sections below. In addition, we provide a list of the standard users required for operating the SAP EWM component.

Note: For an overview of the information necessary for securing operations with SAP NetWeaver Identity Management, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View Security Identity Management.

User Administration Tools

The following table shows the tools needed for user management and user administration with the SAP EWM component:

Table 11: User Management Tools

Tool: User Management for the ABAP Engine (transaction SU01)
Description: Use the user management transaction SU01 to maintain users in ABAP-based systems.

Tool: Profile Generator (transaction PFCG)
Description: Use the Profile Generator to create roles and assign authorizations to users in ABAP-based systems.

Tool: Central User Administration (CUA)
Description: Use the CUA to centrally maintain users for multiple ABAP-based systems. Synchronization with a directory server is also supported.

Tool: User Management Engine (UME) administration console
Description: Use the Web-based UME administration console to maintain users, roles, and authorizations in Java-based systems that use the UME for the user store, for example, the SAP NetWeaver Application Server Java and the Enterprise Portal. The UME also supports various persistency options, such as the ABAP Engine or a directory server.

Tool: SAP NetWeaver Application Server Java user management using the Visual Administrator
Description: Use the Visual Administrator to maintain users and roles on the SAP NetWeaver Application Server Java. SAP NetWeaver Application Server Java also supports a pluggable user store concept. The UME is the default user store.

Note: For a detailed description of the user management tools available in SAP NetWeaver, see the SAP NetWeaver Security Guide under User Administration and Authentication User Management in the section User Management Tools.

User Types

It is necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but the users under whom background processing jobs run do not.

The user types that are required for SAP EWM include the following:

● Individual users

○ Dialog users are used for business users who are assigned to roles that allow them to work individually on their dedicated tasks in your SAP EWM 9.4 system.

○ Internet users are used for external users who are allowed to access your SAP EWM 9.4 system from the Internet. If your scenario contains the collaborative scenario for appointment planners for carriers, employees of the carrier can log on via the Internet.

● Technical users

○ Service users are used for technical purposes, such as service administrators, and are usually available to a larger, anonymous group of users.

○ Communication users are used for dialog-free communication for external RFC calls, for example, for the communication between your SAP EWM 9.4 system and an SAP ERP system, and also for communication between two SAP systems using SAP NetWeaver Gateway.

● Background users are used for running background jobs and executing reports.

For more information about these user types, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS ABAP SAP NetWeaver Application Server ABAP Security Guide User Administration and Authentication User Management User Types .


The user types required for SAP EWM include the following:

Table 12: Users

System: SAP EWM 9.4
User: <sapsid>adm (SAP System Administrator)
Delivered?: Yes
Type: Dialog User
Default password: To be entered
Detailed description: SAP EWM System Administrator
Application relevance: All

System: SAP SCM 7.0 Server including SAP enhancement package 3
User: <sapsid>adm (SAP System Administrator)
Delivered?: Yes
Type: Dialog User
Default password: To be entered
Detailed description: service.sap.com/instguides SAP Business Suite Applications SAP SCM SAP SCM Server Using SAP enhancement package 3 for SAP SCM Server 7.0 Installation Guides Installation Guides for SAP EHP3 for SAP SCM 7.0 Generic Installation Guides
Application relevance: All, if SAP EWM is installed on top of an SCM Server system

System: SAP NetWeaver AS
User: SAP Standard ABAP Users (SAP*, DDIC, EARLYWATCH, SAPCPIC)
Delivered?: Yes
Type: See SAP NetWeaver Security Guide
Default password: See SAP NetWeaver Security Guide
Detailed description: See the Protecting Special Users section in help.sap.com under Technology SAP NetWeaver Platform SAP NetWeaver 7.5 Security Guide Security Guides for the AS ABAP SAP NetWeaver Application Server ABAP Security Guide User Administration and Authentication User Management.
Application relevance: -

System: SAP NetWeaver AS
User: SAP Standard Java Users (Administrator, Guest, Emergency)
Delivered?: Yes
Type: See SAP NetWeaver 7.5 Security Guide
Default password: See SAP NetWeaver 7.5 Security Guide
Detailed description: See the Standard Users and Standard User Groups section in help.sap.com under Technology SAP NetWeaver Platform SAP NetWeaver 7.5 Security Guide Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS Java SAP NetWeaver Application Server Java Security Guide User Administration and Authentication User Administration and Standard Users.
Application relevance: -

System: SAP NetWeaver AS Java
User: SAPJSF
Delivered?: Yes
Type: Communication user
Default password: To be entered
Detailed description: service.sap.com/instguides SAP Business Suite Applications SAP SCM SAP SCM Server Using SAP enhancement package 3 for SAP SCM Server 7.0 Installation Guides Installation Guides for SAP EHP3 for SAP SCM 7.0 Generic Installation Guides.
Application relevance: All

System: SAP EWM 9.4
User: RFC communication users (you need an RFC communication user for each RFC destination described in section Communication Destinations [external document])
Delivered?: No
Type: Communication user
Detailed description: The authorizations of the user depend on the business case. For more information, see Authorizations [external document] in this Security Guide, and SAP Library for Extended Warehouse Management (SAP EWM) 9.4: Communication Destinations [external document] and Authorizations [external document].
Application relevance: Not relevant for standalone Dock Appointment Scheduling

System: SAP EWM 9.4
User: Business processing users (you need a user in each component for each employee working with the system)
Delivered?: No
Type: Dialog user
Default password: To be entered
Detailed description: SAP EWM 9.4 documentation and Authorizations [external document]
Application relevance: All

System: SAP EWM 9.4
User: Users for employees of a carrier who takes part in the collaborative scenario for Dock Appointment Scheduling
Delivered?: No
Type: Internet user and Communication user (if a separate system with SAP NetWeaver Gateway is used)
Default password: To be entered
Detailed description: Documentation for SAP EWM 9.4 under Authorizations [external document]
Application relevance: Relevant only if you are using Dock Appointment Scheduling

System: SAP EWM 9.4
User: User for Labor Demand Planning used from a mobile device
Delivered?: No
Type: Communication user
Default password: To be entered
Detailed description: Used for access from a mobile device in Labor Demand Planning. The user is used for the connection from SAP NetWeaver Gateway to SAP EWM.
Application relevance: Relevant only if you are using mobile devices in Labor Demand Planning

Note: For more information about user types, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS ABAP SAP NetWeaver Application Server ABAP Security Guide Network Security for SAP NetWeaver AS ABAP.

For more information about SAP NetWeaver standard users, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS ABAP SAP NetWeaver Application Server ABAP Security Guide User Administration and Authentication User Management in the section Protecting Standard Users.

For more information about SAP NetWeaver password rules, see SAP Library for SAP NetWeaver under SAP NetWeaver Library: Function-Oriented View Security Identity Management User and Role Administration of Application Server ABAP Configuration of User and Role Administration First Installation Procedure Logon and Password Security in the ABAP System Password Rules.

Recommendation: We recommend changing the user IDs and passwords for users that are automatically created during installation.

5.2 User Data Synchronization

To save administrative effort, you can synchronize user data in your system landscape. Since the SAP Extended Warehouse Management (SAP EWM) component is based on SAP NetWeaver 7.5, all the mechanisms for user data synchronization of SAP NetWeaver 7.5 are available for SAP EWM.

Note: For information about user data synchronization in SAP NetWeaver, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View Security Identity Management Identity Management for System Landscapes.

5.3 Integration Into Single Sign-On Environments

The SAP Extended Warehouse Management (SAP EWM) component supports the single sign-on (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guides also apply to the SAP EWM component.

Note:

● For more information about integration into single sign-on environments based on SAP NetWeaver, see the SAP NetWeaver Security Guide under User Administration and Authentication User Authentication and Single Sign-On in the Integration section.

● For more information about authentication on the SAP NetWeaver Application Server ABAP, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guide for AS ABAP SAP NetWeaver Application Server for ABAP Security Guide User Administration and Authentication.

● For information on SAP Fiori and single sign-on, see SAP Library for SAP Fiori on SAP Help Portal at help.sap.com/fiori_implementation. In SAP Library, choose Security Information With SAP NetWeaver 7.5.

The following mechanisms are supported:

● Secure Network Communications (SNC)

SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.


For more information, see the SAP NetWeaver Security Guide under Network and Communication Security Transport Layer Security Secure Network Communications (SNC) .

● SAP logon tickets

The SAP EWM component supports the use of logon tickets for SSO when using a web browser as the front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

For more information, see the SAP NetWeaver Security Guide under User Administration and Authentication User Authentication and Single Sign-On .

● Client certificates

As an alternative to user authentication by means of a user ID and passwords, users using a web browser as a front-end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information, see the SAP NetWeaver Security Guide under User Administration and Authentication User Authentication and Single Sign-On in the Client Certificates section.

Recommendation: If you use any of the following, we recommend that you use client certificates instead of authentication with user name and password:

● The collaborative scenario for Dock Appointment Scheduling, with carriers and users who have access to your system from the Internet

● The mobile application for Labor Demand Planning

This prevents Internet users from trying to log on with another user’s user name.


6 Authorizations

The authorization concept of the SAP Extended Warehouse Management (SAP EWM) component is based on the authorization concept of SAP NetWeaver. This concept protects transactions and programs in SAP systems from unauthorized access. Based on the authorization concept, the administrator assigns authorizations to the users that determine which actions users can execute in the SAP system after they have logged on to the system and authenticated themselves.

To access business objects or execute SAP transactions, a user requires corresponding authorizations, since business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that users can use the appropriate transactions for their tasks.

Note: For information about the authorization concept of SAP NetWeaver, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/nw. In SAP Library, choose Function-Oriented View Security Identity Management:

● User and Role Administration of Application Server ABAP ABAP Authorization Concept

● User Management of SAP NetWeaver AS for Java Authorization Concept of SAP NetWeaver AS for Java

Recommendation: We recommend that you use the role maintenance functions and the Profile Generator (transaction code PFCG) to maintain your roles, authorizations, and profiles. The role maintenance functions support you in performing your task by automating various processes and allowing you more flexibility in your authorization plan. You can also use the central user administration functions to maintain your own new roles or those provided by SAP centrally, and to assign the roles to any number of users.

The roles you assign to your users define the user menu that is displayed after the users have logged on to the SAP system. Roles also contain the authorizations to allow users to access the transactions, reports, Web-based applications, and so on, that are contained in the menu.

For information about role maintenance and the Profile Generator, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View Security Identity Management User and Role Administration of Application Server ABAP AS ABAP Authorization Concept Organizing Authorization Administration in the section Organization if You Are Using the Role Administration Tool.

Recommendation: To avoid authorizations being misused, we recommend that users are assigned only the minimal authorizations that they require for their work. Never assign full authorizations.

It is very important that RFC users are assigned only minimal authorizations.

For an overview of the role administration and more information about how a delivered standard role can be used and adjusted to your own needs, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View Security Identity Management User and Role Administration of Application Server ABAP Configuration of User and Role Administration Role Administration. See Role Administration Functions and, for example, Changing Standard Roles or Creating Derived Roles and Copying Authorizations.

With the component SAP EWM, SAP delivers SAP standard roles to cover the most-used business cases. These roles can be used as examples, or as a copy master for your own roles.

You can find the SAP standard roles in the Profile Generator (transaction code PFCG) using input help. You can use search terms to restrict the selection to the required standard roles.

You can find the application-relevant roles using the following search terms:

● The search term */SCWM* lists all SAP EWM-relevant SAP standard roles.

The role short text helps you find the role covering your business needs. The documentation of the role provides you with a detailed description of the role content.

● The search term */SCWM/*DAS* lists all roles that are relevant for Dock Appointment Scheduling.

● The search term */SCWU* lists all roles that are relevant for the UI components using SAP NetWeaver Gateway. This is currently the role /SCWU/DAS_CARRIER_ACCESS which is for the UI5 carrier user interface of Dock Appointment Scheduling.

Alternatively, you can use the transaction SUIM to find the PFCG roles for EWM. In transaction SUIM, choose Roles Roles by Complex Selection Criteria. Then enter the above mentioned search criteria (for example */SCWM*) in the Role field.

Role and Authorization Concept for SAP EWM

Read-Only Access for Auditors

Note: This is not relevant for standalone Dock Appointment Scheduling.

SAP EWM provides a role for read-only access for all data. For an audit, the auditor needs to be able to read all data. However, the auditor must not be allowed to change any data. This can be achieved by assigning the /SCWM/INFORMATION role to a user.

Standard Roles

For information about roles in SAP EWM, see the SAP EWM documentation under Roles for Extended Warehouse Management (EWM).

For information about users and roles in SAP NetWeaver, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View Security Identity Management User and Role Administration of Application Server ABAP and User Management of the Application Server Java.

Critical Roles and Authorization Combinations

Expert Role

SAP EWM provides the expert role EWM: Warehouse Expert (/SCWM/EXPERT). This role contains almost all transactions and authorizations for SAP EWM and the corresponding customizing. Therefore, we recommend that you assign this role very carefully and only to very specific users, and that you do not assign this role to normal users or users who work in specific SAP EWM areas only.


Appointment Planner for Carrier

Note: This role is relevant only if you are using Dock Appointment Scheduling.

SAP Dock Appointment Scheduling offers a collaboration scenario where appointment planners for carriers can log on to the SAP Dock Appointment Scheduling system, and view and maintain appointments for their carrier.

Since this potentially means that employees of a different company access SAP Dock Appointment Scheduling from outside the company network, you must put a special focus on authorizations.

This kind of user should have very limited authorizations. In addition, they should be able to access data of their own carrier only, and not be able to access other carriers' data. They should not be able to see internal data, such as the overall capacities of loading points. Therefore, you must be very careful and restrictive when assigning roles and authorizations to this kind of user.

SAP Dock Appointment Scheduling delivers a special role for this: Appointment Planner for Carrier in Dock Appointment Scheduling (/SCWM/DAS_EXT_CARR_PLANNER).

This role contains only one Web Dynpro screen in the menu, Maintain Appointments – Textual (/SCWM/DSAPP_LIST). This screen allows the appointment planners for carriers to view and create appointments. The Web Dynpro application Direct Access to Appointment – Textual (/SCWM/DSAPP_MAINT) is also available, but it is not visible in the user menu, as it is started indirectly from the Maintain Appointments – Textual screen.

The role also contains only a very limited number of authorization objects.

Recommendation: We highly recommend that you define, in the roles, the loading points for which a user may view or create appointments. You can do this in the authorization field Loading Point (/SCWM/DSLP) in the authorization objects Loading Appointment (/SCWM/DSAP) and Slot (/SCWM/DSSL).

If carriers access the scenario using SAP NetWeaver Gateway instead of the Web Dynpro UIs, remove the Web Dynpro applications from your copy of /SCWM/DAS_EXT_CARR_PLANNER (remember the rule that only minimal authorizations should be granted). In this scenario, the role /SCWU/DAS_CARRIER_ACCESS must additionally be used in the gateway system.

In addition, the authorization field User Process Scope for Dock Appointment Scheduling (/SCWM/DSPS) is very important. It is available on the authorization objects Loading Appointment and Slot. For appointment planners for carriers, set this field to Scope for an Appointment Planner for Carrier. This ensures that this user can create and view appointments only for the carrier that is assigned to him or her. Otherwise such a user could create appointments for any carrier.

For more information, see the SAP Dock Appointment Scheduling documentation at help.sap.com/ewm92 Application Help SAP Library. In SAP Library, choose SAP Extended Warehouse Management (SAP EWM) SAP Dock Appointment Scheduling Collaboration with Carriers.

Warehouse Management Monitor: Authorization to Display Batch Execution Data

In the warehouse management monitor (/SCWM/MON), you can execute selections using batch jobs. You can view the results in the warehouse management monitor. During the selection, the system performs the normal authorization checks and selects and stores only data for which the user has authorization in the data containers for the warehouse management monitor. But if these data containers are then displayed by other users, the system does not perform these authorization checks. Therefore, you should only grant the authorization to display batch execution data for monitor nodes or users where these checks are not critical.

The authorization object used for the authorization to display batch execution data in the warehouse management monitor is /SCWM/DATC. For more information about this authorization object, see the documentation of authorization object /SCWM/DATC and the documentation of the warehouse management monitor in SAP Library for SAP EWM under SAP Extended Warehouse Management (SAP EWM) Monitoring Warehouse Management Monitor.

6.1 Authorization Objects

A set of authorization objects is available in SAP Extended Warehouse Management (SAP EWM).

Authorization objects enable you to define complex authorizations by grouping up to 10 authorization fields in an AND relationship to check whether a user is allowed to perform a certain action. To pass an authorization test for an object, the user must satisfy the authorization check for each field in the object.

Note: For information about the authorization concept of SAP NetWeaver, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View Security Identity Management User and Role Administration of Application Server ABAP AS ABAP Authorization Concept.

Procedure

To gain an overview of the authorization objects for SAP EWM, proceed as follows:

1. Call the transaction for displaying active authorization objects (AUTH_DISPLAY_OBJECTS).

2. In the overview, expand the Authorizations Extended Warehouse Management subtree.

If you want to display the technical names of the authorization objects, choose Edit Technical names Technical names on.

3. If you want to get a detailed description, choose the Information pushbutton next to the authorization object you are interested in.

Note: If you are using SAP Dock Appointment Scheduling, ensure that you have read the information regarding the authorization objects for SAP Dock Appointment Scheduling, and especially the authorization field User Process Scope for Dock Appointment Scheduling (/SCWM/DSPS). See Critical Roles and Authorization Combinations in Network and Communication Security [page 39].

Some special basis authorization objects are as follows:

Table 13

Authorization Object | Field | Value | Description
S_RFC | ACTVT, RFC_NAME, RFC_TYPE | (16) Execute | For example, to enable display of queue contents.
S_RFCACL | RFC_SYSID, RFC_CLIENT, RFC_USER, RFC_EQUSER, RFC_TCODE, RFC_INFO, ACTVT | (16) Execute | Authorization check for RFC users, especially for trusted systems. This is required for Gateway Services, for example for the SAP Fiori or SAPUI5 user interfaces of Labor Demand Planning and Dock Appointment Scheduling.
S_SERVICE | SRV_NAME, SRV_TYPE | <Value1>, <Value2> | This authorization object is automatically checked when external services are started. This is required for Gateway Services used by SAP EWM, for example for the SAP Fiori or SAPUI5 user interfaces of Labor Demand Planning and Dock Appointment Scheduling.

6.2 Maintaining Authorizations

Using the SAP Extended Warehouse Management (SAP EWM) component, you can assign users to various standard user roles. For more information about Roles for Extended Warehouse Management (EWM), see SAP Library for SAP Extended Warehouse Management (SAP EWM) 9.4 on SAP Help Portal at help.sap.com.

If you want to display the authorization objects in SAP EWM, on the SAP Easy Access screen, choose Tools ABAP Workbench Development Other Tools Authorization Objects Objects.

For more information, see the SAP Library for SAP Extended Warehouse Management (SAP EWM) 9.4 on SAP Help Portal at help.sap.com General Functions Authorizations.

Note: If you are using SAP Dock Appointment Scheduling, ensure that you have read the information regarding roles for SAP Dock Appointment Scheduling. See Critical Roles and Authorization Combinations in Network and Communication Security [page 39].

6.3 Maintaining Authorizations for Integration with SAP Components

Procedure

Maintaining Authorizations for SAP Extended Warehouse Management (SAP EWM) – SAP ERP Integration

Note: This is not relevant for standalone Dock Appointment Scheduling.


Using Standard Roles for SAP EWM – SAP ERP Integration

For the integration of SAP EWM and SAP ERP, use the authorization roles for the RFC destination users.

Note: For more information about these roles, see the SAP EWM documentation under Roles for Extended Warehouse Management (EWM).

For the integration from an ERP to an EWM system, for example, the role /SCWM/ERP_EWM_INTEGRATION exists.

For the integration from EWM to an ERP system, the corresponding RFC users also require the proper authorizations. For more information, see SAP Note 727839.

In some cases, for example, for migration functions like transaction /SCWM/MIG_PRODUCT, the RFC-enabled function module RFC_READ_TABLE is called on the ERP side from EWM. For such scenarios, the corresponding RFC user requires this authorization. To avoid misuse, you should restrict the tables to be accessed to a minimum. You can use the authorization objects S_TABU_NAM or S_TABU_DIS for this. For more information about which applications require which table accesses, see SAP Note 1539105.

If you grant the usage of RFC function RFC_READ_TABLE to an RFC user, it is very important that you restrict the tables that can be accessed to a minimum to avoid misuse.

Maintaining Authorizations for Data Transfer to SAP NetWeaver Business Warehouse

Note: This is not relevant for standalone Dock Appointment Scheduling.

Limiting Authorizations for Extraction

Note: You can exclude DataSources from the extraction to the SAP NetWeaver Business Warehouse (SAP NetWeaver BW). Data that is stored in the extraction structure of this DataSource cannot be transferred to SAP NetWeaver BW.

1. In Customizing for SAP EWM, choose Integration with Other SAP Components Data Transfer to Business Warehouse General Settings Limit Authorizations for Extraction .

2. Choose New Entries.

3. Choose a DataSource that you want to exclude from the extraction.

4. Choose the SAP NetWeaver BW system for which you want no more data for this DataSource to be extracted.

5. In the Ex. Extr. field, enter whether or not you want to exclude the DataSource from the extraction.

6. Save your entries.

7. Specify a transport request.

Maintaining Authorizations for Data Transfer between SAP EWM Shipping and Receiving (S&R) and SAP Dock Appointment Scheduling

Note: This is not relevant for standalone Dock Appointment Scheduling.

SAP Dock Appointment Scheduling and S&R are two independent components. But it is also possible to integrate the components, for example, so that the system communicates appointment status changes in SAP Dock Appointment Scheduling to S&R and appointment status changes in S&R to SAP Dock Appointment Scheduling. For more information, see the SAP EWM documentation under SAP Dock Appointment Scheduling Integration with SAP EWM.

For integration between SAP Dock Appointment Scheduling and S&R, the system uses queued Remote Function Call (qRFC) technology.

Using Standard Roles for SAP Dock Appointment Scheduling to SAP EWM Integration

For the integration from SAP Dock Appointment Scheduling to S&R, the technical role /SCWM/DAS_TO_EWM_INTEGRATION is available. It contains the necessary authorizations to update the relevant S&R objects. The role does not contain any menu entries or transactions, as it is only a technical role for Remote Function Call (RFC) communication. You must assign this role to the SAP Dock Appointment Scheduling user or, if the integration is done using RFC communication, to the RFC user with which the integration is done.

Authorizations and Roles for SAP DAS Collaborative Carrier Scenario

Dock Appointment Scheduling offers the feature Collaboration with Carriers using multiple UI technologies, each with different deployment and security options. See SAP Note 2065193, which contains recommendations for the different options and lists the respective prerequisites.

Maintaining RFC Authorizations for Internal Communication in SAP EWM

For RFC communication, users usually require the authorizations for authorization object S_RFC. As RFCs are potential security risks, you should be very restrictive in granting them.

In certain cases, SAP EWM also uses RFCs for internal purposes, for example for parallel processing or for asynchronous communication. For these purposes, no RFC authorizations have to be granted as these calls are within the SAP EWM system.

SAP EWM also uses specific RFC-enabled function modules, which are used to extract content from queued RFCs (qRFC). For example, these function modules are used to extract the warehouse number or delivery number from qRFCs.

These function modules do not perform data changes in SAP EWM and also do not return data to a caller. They are required for delivery processing and for displaying of message queue entries in the warehouse management monitor.

The function modules are in the following special function groups:

● /SCWM/CORE_MQ_REPLAY Message Queue Moni: Replay Functions

● /SCWM/CORE_RF_MQ_REPLAY Replay Function Modules for RF

● /SCWM/DELIVERY_MQ_REPLAY Replay Function Modules for Deliveries

● /SCWM/ERP_MQ_REPLAY Replay Function Modules - ERP Interface

● /SCWM/SR_MQ_REPLAY Replay Function Modules - S&R

● /SCWM/VAS_MQ_REPLAY Replay Function Modules for VAS

● /SCWM/WC_SERVICE_MQ_REPLAY Replay Function Modules for Workcenter

● /SCWM/WAVE_MGMT_MQ_REPLAY Replay Function Modules for Wave

If you use the message queue monitor node in the warehouse management monitor, you must add these function groups to authorization S_RFC. Use the activity Execute (16) and the Function Group (FUGR) type of RFC object.

For delivery and warehouse task processing, for example, confirming and creation of warehouse tasks, you must add the following function group to authorization S_RFC:

● /SCWM/DELIVERY_MQ_REPLAY Replay Function Modules for Deliveries


These authorizations are already in the standard roles in SAP EWM, so they are only relevant if you create your own roles.
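The authorization-object semantics of section 6.1 (up to 10 fields checked in an AND relationship), the loading point and process scope restriction recommended for the carrier planner role, and the S_RFC grant for the message queue replay function groups listed above, as an added Python model that is not SAP code: a check passes only if one authorization in the user's profile satisfies every requested field, so a carrier planner restricted to LP01 and LP02 cannot reach LP03, whereas a role copy granting '*' on /SCWM/DSLP can. The object and field names come from this guide; the scope values CARRIER and INTERNAL and the loading point ids are constructed placeholders, and find_wildcards is a hypothetical audit helper.

```python
"""Model of the SAP authorization check described in this guide (added
example, not SAP code): an authorization object groups up to 10 fields,
and a check passes only if the user holds an authorization for that
object whose values satisfy EVERY requested field (AND).

Object and field names (/SCWM/DSAP, /SCWM/DSSL, /SCWM/DSLP, /SCWM/DSPS,
S_RFC with ACTVT / RFC_NAME / RFC_TYPE) are from the guide. The scope
values "CARRIER" and "INTERNAL" and the loading point ids LP01..LP03 are
constructed placeholders, not the real /SCWM/DSPS or loading point values.
"""
from dataclasses import dataclass

MAX_FIELDS = 10  # an authorization object groups at most 10 fields

# Function groups the guide lists for the message queue monitor node.
MQ_REPLAY_FUNCTION_GROUPS = (
    "/SCWM/CORE_MQ_REPLAY", "/SCWM/CORE_RF_MQ_REPLAY",
    "/SCWM/DELIVERY_MQ_REPLAY", "/SCWM/ERP_MQ_REPLAY",
    "/SCWM/SR_MQ_REPLAY", "/SCWM/VAS_MQ_REPLAY",
    "/SCWM/WC_SERVICE_MQ_REPLAY", "/SCWM/WAVE_MGMT_MQ_REPLAY",
)


@dataclass
class Authorization:
    """One authorization in a role profile: an object plus, per field,
    the set of value patterns the role grants for that field."""
    obj: str
    fields: dict


def value_allowed(pattern: str, value: str) -> bool:
    """'*' grants everything, a trailing '*' grants a prefix, else exact match."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(profile, obj: str, requested: dict) -> bool:
    """Return True if some authorization for obj in the profile satisfies
    ALL requested fields. A field the authorization does not grant fails."""
    if len(requested) > MAX_FIELDS:
        raise ValueError("an authorization object has at most 10 fields")
    for auth in profile:
        if auth.obj != obj:
            continue
        if all(any(value_allowed(p, v) for p in auth.fields.get(f, ()))
               for f, v in requested.items()):
            return True
    return False


def find_wildcards(profile):
    """Hypothetical audit helper: (object, field) pairs granted with a full '*',
    i.e. the places where the minimal-authorization rule is not followed."""
    return [(a.obj, f) for a in profile
            for f, pats in a.fields.items() if "*" in pats]


def das_carrier_profile(loading_points, scope):
    """Constructed copy of the carrier planner role: Loading Appointment and
    Slot restricted to the given loading points and process scope."""
    return [Authorization("/SCWM/DSAP", {"/SCWM/DSLP": set(loading_points),
                                         "/SCWM/DSPS": {scope}}),
            Authorization("/SCWM/DSSL", {"/SCWM/DSLP": set(loading_points),
                                         "/SCWM/DSPS": {scope}})]


# Restricted as the guide recommends vs. a copy that left the field at '*'.
CARRIER_PLANNER = das_carrier_profile({"LP01", "LP02"}, "CARRIER")
UNRESTRICTED_COPY = das_carrier_profile({"*"}, "CARRIER")

# Own role for the monitor's message queue node: Execute (16), type FUGR,
# names limited to the replay function groups (no RFC_NAME '*').
MONITOR_USER = [Authorization("S_RFC", {"ACTVT": {"16"}, "RFC_TYPE": {"FUGR"},
                                        "RFC_NAME": set(MQ_REPLAY_FUNCTION_GROUPS)})]


def carrier_may_use_loading_point(profile, loading_point: str) -> bool:
    """Check a carrier planner's access to one loading point on /SCWM/DSAP."""
    return authority_check(profile, "/SCWM/DSAP",
                           {"/SCWM/DSLP": loading_point, "/SCWM/DSPS": "CARRIER"})


if __name__ == "__main__":
    for lp in ("LP01", "LP03"):
        print(lp, "restricted:", carrier_may_use_loading_point(CARRIER_PLANNER, lp),
              "unrestricted copy:", carrier_may_use_loading_point(UNRESTRICTED_COPY, lp))
    print("wildcard grants in unrestricted copy:", find_wildcards(UNRESTRICTED_COPY))
```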

6.4 Maintaining Authorizations for Enterprise Services

Accessing SAP functions via web services follows the standard SAP authorization concept. This concept is based on authorizations for specific authorization objects. The system checks for the required authorization for an authorization object during the execution of a web service. If a user does not have this authorization, the execution is terminated, and an error message is returned.

Enterprise services use standard authorization objects that are available for SAP Extended Warehouse Management (SAP EWM), including authorization default values for web services. In addition, you need the authorization S_SERVICE to start external services. To create and consume web services, you require the authorizations belonging to the role SAP_BC_WEBSERVICE_ADMIN as well as authorization for the Internet Communication Framework (S_ICF_ADMIN).

For more information about authorizations for web services, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies Security Aspects for Web Services Authorizations.


7 Session Security Protection

To increase security and prevent access to the SAP logon ticket and security session cookies, we recommend activating secure session management.

We also highly recommend using SSL to protect the network communications where these security-relevant cookies are transferred.

Session Security Protection on the AS ABAP

To activate session security on the AS ABAP, set the corresponding profile parameters and activate the session security for the clients using transaction SICF_SESSIONS. For more information, a list of the relevant profile parameters, and detailed instructions, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View Security User Authentication and Single Sign-On Authentication Infrastructure AS ABAP Authentication Infrastructure Activating HTTP Security Session Management on AS ABAP .


8 Network and Communication Security

Your network infrastructure is important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the back-end system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for the SAP Extended Warehouse Management (SAP EWM) component is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the SAP EWM component. Details that specifically apply to the SAP EWM component are described in the following topics:

● Communication Channel Security [page 40]

This topic describes the communication paths and protocols used by the SAP EWM.

● Network Security [page 43]

This topic describes the recommended network topology for the SAP EWM component. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate the SAP EWM component.

● Communication Destinations [page 44]

This topic describes the information needed for the various communication paths, for example, which users are used for which communications.

For more information, see the SAP NetWeaver Security Guide under the following sections:

● Network and Communication Security

● Security Aspects for Connectivity and Interoperability Technologies

Web Dynpro User Interfaces

In EWM, Web Dynpro UI technology is used in several applications, for example, Advanced Production Supply, Dock Appointment Scheduling, and the Shipping Cockpit. The proposed usage is that these UIs are used within the company's firewall.

For more information, see the NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS ABAP Web Dynpro ABAP Security Guide .

Collaborative Scenario using SAP Dock Appointment Scheduling

NoteThis is relevant only if you are using Dock Appointment Scheduling.

In a collaborative scenario, users from other companies, such as carriers, can access data from SAP Dock Appointment Scheduling. For example, carriers can create or view loading appointments. For this, such users require access to the Dock Appointment Scheduling system from outside the company's network.


If you use such a scenario, you must pay special attention to the network setup, zones, and topology, for example, whether firewalls, demilitarized zones, and dedicated ports should be used, and which ones.

The application is built using an HTML5 UI. The system uses OData as the communication channel between the backend and the SAP UI5 frontend. The corresponding OData service is /SCWM/DAS_CARRIER_ACCESS_SRV. It also uses the general service /UI2/PAGE_BUILDER_PERS.

You can find information about relevant roles and authorization for this collaborative scenario in chapter Maintaining Authorizations for Integration with SAP Components.

For more information on how to secure a scenario with SAP NetWeaver Gateway, and the relevant authorizations and roles needed for using SAP NetWeaver Gateway, see the SAP NetWeaver Gateway Security Guide on SAP Help Portal at SAP NetWeaver Gateway help.sap.com/nw SAP NetWeaver 7.5 SAP NetWeaver Library: Function-Oriented View SAP NetWeaver Gateway Foundation (SAP_GWFND) SAP NetWeaver Gateway Foundation Security Guide.

Mobile Access to Labor Demand Planning

Labor Demand Planning offers the possibility to access data from a mobile device. The proposed usage is that these mobile applications are used within the company’s firewall.

SAP Note 1894045 contains additional information about how these applications can be set up.

The application is built using an HTML5 UI. The system uses OData as the communication channel between the backend and the SAP UI5 frontend. The corresponding OData service is /SCWM/LM_LABOR_DEMAND_PLANNING. It also uses the general service /UI2/PAGE_BUILDER_PERS.

For more information on how to secure a scenario with SAP NetWeaver Gateway, and the relevant authorizations and roles needed for using SAP NetWeaver Gateway, see the SAP NetWeaver Gateway Security Guide on SAP Help Portal at SAP NetWeaver Gateway help.sap.com/nw SAP NetWeaver 7.5 SAP NetWeaver Library: Function-Oriented View SAP NetWeaver Gateway Foundation (SAP_GWFND) SAP NetWeaver Gateway Foundation Security Guide.

If you are using the application outside of the company’s firewall, which is not the proposed usage, you should ensure that minimal authorizations are used for accessing the SAP NetWeaver Gateway and the SAP EWM system. Also, in such a case, you should consider the technical system landscape and setup proposals in the SAP NetWeaver Gateway Security Guide.

8.1 Communication Channel Security

Since communication channels transfer all kinds of your business data, they should be protected against unauthorized access. SAP offers general recommendations and technologies to protect your system landscape, based on SAP NetWeaver.

Caution: You should activate Secure Network Communication (SNC) within all communication channels in SAP EWM to achieve a secure system landscape. For more information, see the SAP NetWeaver Security Guide under Network and Communication Security Transport Layer Security Secure Network Communications (SNC).

For a detailed description of all communication channels within the SAP EWM component, see SAP Service Marketplace at service.sap.com/scm SAP SCM in Detail Technology Architecture Overview.


Note: For more information about the communication security of SAP NetWeaver, see the SAP NetWeaver Security Guide under Network and Communication Security.

For more information about security aspects for connectivity and interoperability of SAP NetWeaver, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies.

The following table shows the communication channels used by SAP EWM, the protocol used for each connection, and the type of data transferred.

Table 14

Communication Channel | Protocol Used | Type of Data Transferred | Application Relevance
Front-end client that uses SAP GUI for Windows for the application server | DIAG | All application and customizing data | All
SAP ERP | RFC and IDOC | Master data and transaction data | Not relevant for standalone Dock Appointment Scheduling
SAP SCM | RFC | ATP data | Not relevant for standalone Dock Appointment Scheduling
SAP SCM | RFC | Master data | Not relevant for standalone Dock Appointment Scheduling
SAP GTS | RFC | GTS-relevant data | Not relevant for standalone Dock Appointment Scheduling
SAP NetWeaver BW | RFC | Data sources | Not relevant for standalone Dock Appointment Scheduling
SAP CRM | RFC and IDOC | Billing data, business partners | Not relevant for standalone Dock Appointment Scheduling
Warehouse Control Units or PLCs | RFC, IDOC (depending on whether or not SAP Plant Connectivity is used) | Transaction data | Not relevant for standalone Dock Appointment Scheduling
Legacy systems | RFC, IDOC, HTTP, File | Depends on legacy scenario | All
SAP Plant Connectivity | RFC | Application data | Not relevant for standalone Dock Appointment Scheduling
Front-end client using a web browser or SAP NetWeaver Business Client | HTTP/HTTPS | All application and customizing data | All
SAP NetWeaver Gateway (in case a dedicated Gateway system is used) | RFC | Depends on scenario/configuration | Depends on scenario
SAP Transportation Management | Web service / RFC | Application data | Not relevant for standalone Dock Appointment Scheduling

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.

Recommendation: We strongly recommend using secure protocols (SSL, SNC) whenever possible.

For more information, see the SAP NetWeaver Security Guide under Network and Communication Security Transport Layer Security.

Note that many of the entries depend on the configuration and how SAP EWM is used. For example, usage of SAP GTS, SAP NetWeaver BW, legacy systems, and further components is optional and depends on how the system is used. Also, if parts of underlying components (SAP SCM Basis, SAP NetWeaver) are used they may also offer further communication channels.

For more detailed information about external messages that can be sent to and from SAP EWM, see the appendix of the EWM Application Operations Guide at service.sap.com/instguides SAP Business Suite Applications SAP SCM SAP EWM Using SAP EWM 9.4 Application Operations Guide for SAP EWM 9.4.

Core Interface (CIF) – SAP ERP

Note: This is not relevant for Dock Appointment Scheduling.

The integration of SAP EWM and SAP ERP is technically based on CIF. Since CIF is technically based on the RFC provided by SAP NetWeaver, we strongly recommend that you consult the SAP NetWeaver Security Guide regarding communication channel security.

You should at least enable Secure Network Communication (SNC) while configuring the RFC destination for your SAP EWM – SAP ERP integration.

Note: For more information about the integration of SAP EWM and SAP ERP, see SAP Help Portal at help.sap.com/scm SAP SCM Server SAP Enhancement Package 3 for SAP SCM 7.0 Application Help SAP Library. In SAP Library, choose SAP Advanced Planning and Optimization (SAP APO) Integration via Core Interface (CIF) Technical Integration.


8.2 Unified Connectivity

If your SAP EWM system can be accessed remotely using Remote Function Calls (RFCs), you can significantly increase protection by using the Unified Connectivity (UCON) administration framework.

Generally, external access to the function modules using RFCs is controlled by special authorization checks and the corresponding roles with purpose-specific assignments to users. UCON also provides a simple but comprehensive way of controlling which remote function modules (RFMs) can be called by other systems: an RFM can only be called externally if it is assigned to a Communication Assembly (CA).

External access is blocked for all RFMs not assigned to a CA. In this way, it is possible to control and restrict external access to RFMs independently from the user context.

For more information, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/nw. In SAP Library, choose Function-Oriented View > Application Server > Application Server Infrastructure > Functions and Tools of SAP NetWeaver Application Server > Connectivity > Components of SAP Communication Technology > Unified Connectivity.
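The rule described above (an RFM is callable from outside only if it belongs to a Communication Assembly, and that check is independent of the calling user's authorizations) is modelled in the following added Python example. It is not SAP code and not UCON's implementation; the Communication Assembly contents, the RFM names starting with Z, and the three-phase rollout (logging and evaluation phases only record calls, the final phase blocks) are constructed for the example. RFC_PING, RFC_SYSTEM_INFO and the authorization object S_RFC are standard names.

```python
"""Model of how UCON gates external RFC calls (added example, not SAP code).

Mirrors the guide's rule: an RFM can be called externally only if it is
assigned to a Communication Assembly (CA); everything else is blocked before
any user authorization is consulted. The CA contents and Z* RFM names are
constructed samples for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed Communication Assemblies and the RFMs assigned to them.
COMMUNICATION_ASSEMBLIES: Dict[str, Set[str]] = {
    "DEFAULT_CA": {"RFC_PING", "RFC_SYSTEM_INFO"},
    "EWM_ERP_CA": {"ZEWM_DELIVERY_INBOUND"},      # hypothetical RFM
}

# UCON rollout phases: only the final phase actually rejects calls.
LOGGING, EVALUATION, FINAL = "logging", "evaluation", "final"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def assigned_ca(rfm: str) -> Optional[str]:
    """Return the CA that exposes an RFM, or None if no CA contains it."""
    for ca, rfms in COMMUNICATION_ASSEMBLIES.items():
        if rfm in rfms:
            return ca
    return None


def check_external_call(rfm: str, phase: str, user_has_s_rfc: bool) -> Decision:
    """Decide an inbound RFC call the way the UCON rule works in each phase.

    The CA check runs first and independently of the caller: in the final
    phase an unassigned RFM is rejected even for a user who holds the
    matching S_RFC authorization. An assigned RFM is still subject to the
    normal authorization check afterwards.
    """
    ca = assigned_ca(rfm)
    if phase != FINAL:
        # Logging/evaluation phase: nothing is blocked yet; the call is only
        # recorded so the CA assignment can be derived from real traffic.
        note = "would be blocked in final phase" if ca is None else f"covered by {ca}"
        return Decision(True, f"{phase} phase: call recorded, {note}")
    if ca is None:
        return Decision(False, "blocked by UCON: RFM not assigned to any CA")
    if not user_has_s_rfc:
        return Decision(False, f"RFM in {ca}, but caller lacks S_RFC authorization")
    return Decision(True, f"RFM in {ca} and caller authorized")


def unassigned_rfms_in_log(call_log: List[str]) -> Set[str]:
    """RFMs seen during the logging phase that no CA covers.

    This is the review list an administrator works through (assign to a CA,
    or accept that the RFM becomes unreachable) before switching to the
    final phase.
    """
    return {rfm for rfm in call_log if assigned_ca(rfm) is None}


if __name__ == "__main__":
    # Constructed call log captured during the logging phase.
    log = ["RFC_PING", "ZEWM_DELIVERY_INBOUND", "ZEWM_INTERNAL_HELPER", "RFC_PING"]
    print("needs review before final phase:", unassigned_rfms_in_log(log))
    print(check_external_call("ZEWM_INTERNAL_HELPER", FINAL, user_has_s_rfc=True))
    print(check_external_call("RFC_PING", FINAL, user_has_s_rfc=False))
```

The point the model makes visible is the ordering: the CA allowlist is evaluated before, and regardless of, the user context, so an over-privileged connection user cannot reach an RFM that was never assigned to a CA.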

8.3 Network Security

Your network infrastructure is important in protecting your system. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping.

We offer general recommendations to protect your system landscape, based on SAP NetWeaver.

Recommendation: For information about network security for SAP NetWeaver, see the SAP NetWeaver Security Guide under Network and Communication Security.

A minimum security demand for your network infrastructure is the use of a firewall for all your services provided over the Internet.

A more secure variant is to protect your systems (or groups of systems) by locating the different groups in different network segments, each protected with a firewall against unauthorized access. External security attacks can also come from inside, if the intruder has already taken over control of one of your systems.

Note: For more information about the technical components of your SAP Extended Warehouse Management (SAP EWM) component, see SAP Service Marketplace at service.sap.com/scm > SAP SCM in Detail > Technology.

For more information about access control using firewalls, see the SAP NetWeaver Security Guide under Network and Communication Security > Using Firewall Systems for Access Control.

Ports

SAP EWM runs on SAP NetWeaver and uses the ports from the AS ABAP. For more information, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units > Security Guides for the Application Server > Security Guides for AS ABAP > SAP NetWeaver Application Server ABAP Security Guide > Network Security for SAP NetWeaver AS ABAP > AS ABAP Ports.


For other components, for example, SAPinst, SAProuter, or the SAP Web Dispatcher, see also the document TCP/IP Ports Used by SAP Applications, which can be found using the Search field on SAP Developer Network at sdn.sap.com/irj/sdn/security.

8.4 Communication Destinations

Caution: If not implemented and used with care, users and authorizations for connection destinations can cause serious security flaws.

Observe the following rules for connection users and authorizations:

● Choose user type: <system>

● Assign only the minimum required authorizations to the user.

● Choose a secure and secret password for the user.

● Store only connection user logon data for users of type system.

● Choose trusted system functionality whenever possible, rather than storing connection user logon data.

Note: This is not relevant for standalone Dock Appointment Scheduling.

This is not relevant if the system does not use communication to external systems.
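The five rules above can be turned into a review script that runs over exported destination metadata. The following is an added Python example, not SAP code: the destination records and their field names (user_type, auth_profiles, logon_data_stored, trusted_rfc, trusted_possible) are constructed for the example and stand for what an administrator would collect from destination and user maintenance. SAP_ALL and SAP_NEW are standard catch-all profiles. Password secrecy and strength cannot be judged from metadata, so the script covers the other four rules and leaves the password rule to the password policy.

```python
"""Audit of RFC destination metadata against the guide's connection-user rules.

Added example, not SAP code. Input records are constructed samples whose
field names are assumptions for this example.
"""
from typing import Dict, List, Tuple

# Constructed sample destinations (all values are invented for the example).
DESTINATIONS: List[Dict] = [
    {"name": "ERPCLNT100", "user": "EWM_RFC", "user_type": "SYSTEM",
     "auth_profiles": ["Z_EWM_ERP_INTEGRATION"], "logon_data_stored": True,
     "trusted_rfc": False, "trusted_possible": True},
    {"name": "GEOCODE_EXT", "user": "GEO_SVC", "user_type": "SERVICE",
     "auth_profiles": ["Z_GEOCODE"], "logon_data_stored": True,
     "trusted_rfc": False, "trusted_possible": False},
    {"name": "BWCLNT200", "user": "ADMIN01", "user_type": "DIALOG",
     "auth_profiles": ["SAP_ALL"], "logon_data_stored": True,
     "trusted_rfc": False, "trusted_possible": True},
    {"name": "TMCLNT300", "user": "EWM_TM", "user_type": "SYSTEM",
     "auth_profiles": ["Z_EWM_TM"], "logon_data_stored": False,
     "trusted_rfc": True, "trusted_possible": True},
]

# Standard profiles that grant far more than a connection user needs.
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}


def audit_destination(dest: Dict) -> List[str]:
    """Return one finding per violated rule for a single destination."""
    findings: List[str] = []
    # Rule: choose user type SYSTEM.
    if dest["user_type"] != "SYSTEM":
        findings.append(f"user type is {dest['user_type']}, expected SYSTEM")
    # Rule: assign only the minimum required authorizations.
    broad = BROAD_PROFILES.intersection(dest["auth_profiles"])
    if broad:
        findings.append(f"broad profile(s) assigned: {', '.join(sorted(broad))}")
    # Rule: store logon data only for users of type SYSTEM.
    if dest["logon_data_stored"] and dest["user_type"] != "SYSTEM":
        findings.append("logon data stored for a non-system user")
    # Rule: prefer trusted-system functionality over stored logon data.
    if dest["logon_data_stored"] and dest["trusted_possible"] and not dest["trusted_rfc"]:
        findings.append("stored logon data although a trusted-system relationship is possible")
    return findings


def audit_destinations(dests: List[Dict]) -> List[Tuple[str, str]]:
    """Flatten findings of all destinations into (destination, finding) pairs."""
    return [(d["name"], f) for d in dests for f in audit_destination(d)]


if __name__ == "__main__":
    for name, finding in audit_destinations(DESTINATIONS):
        print(f"{name}: {finding}")
```

The last rule is the one most often missed in practice: a destination that stores a password for a system user passes the first three checks, yet if the peer is an SAP system that supports trusted RFC, the stored credential is an unnecessary secret to protect.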

The following table shows an overview of the communication destinations used by the SAP Extended Warehouse Management (SAP EWM) component:

Connection Destinations

Table 15

Destination: <EWM name>CLNT<client>
Delivered: No
Type: RFC – ERP
User, Authorizations: Use the Profile Generator (transaction code PFCG) to define an appropriate profile, and see SAP Notes 447543 and 727839.
Description: For more information, see Customizing for SCM Basis under Integration > Basic Settings for Creating the System Landscape > Assign RFC Destinations to Various Application Cases.

Destination: EWM to SAP R/3 or SAP ERP
Delivered: No
Type: RFC – ERP (qRFC)
User, Authorizations: Use the Profile Generator (transaction code PFCG) to define an appropriate profile, and see SAP Notes 447543 and 727839.
Description: For more information, see Customizing for Extended Warehouse Management under Interfaces > ERP Integration > General Settings > Control for RFC Queue and Customizing for SCM Basis under Integration > Basic Settings for Creating the System Landscape > Assign RFC Destinations to Various Application Cases.

Destination: EWM to SAP APO (APO instance)
Delivered: No
Type: RFC – ERP
User, Authorizations: Use the Profile Generator (transaction PFCG) to define an appropriate profile, and see SAP Notes 447543 and 727839.
Description: For more information, see Customizing for Extended Warehouse Management under Goods Receipt Process > Slotting > General Settings > Change Information for APO Instances.

Destination: EWM to third-party geocoding application
Delivered: No
Type: RFC
User, Authorizations: None
Description: For more information, see Customizing for SAP NetWeaver under General Settings > Set Geocoding, or SAP Library for SAP EWM on SAP Help Portal at help.sap.com/ewm. In SAP Library, choose SCM Basis > SCM Basis Master Data > Location.

Destination: EWM to non-SAP systems
Delivered: No
Type: RFC – ERP
User, Authorizations: None
Description: For more information, see Customizing for Extended Warehouse Management under Interfaces > Non-SAP Systems > Connect Subsystem.

Destination: EWM to SAP GTS
Delivered: No
Type: RFC –
User, Authorizations: None
Description: For more information, see Customizing for Extended Warehouse Management under Interfaces > GTS Integration > Basic Settings of GTS Integration.

Destination: EWM to SAP NetWeaver Business Warehouse (SAP NetWeaver BW)
Delivered: No
Type: RFC – ERP
User, Authorizations: None
Description: For more information, see Customizing for SAP ERP under Integration with Other SAP Components > Data Transfer to Business Warehouse, and Customizing for Extended Warehouse Management under Interfaces > SAP Business Information Warehouse.

Destination: EWM to SAP Plant Connectivity
Delivered: No
Type: RFC
User, Authorizations: None
Description: This function is only available if you implement the sample implementation in BAdI: Determination of HU Weight Using Scale (/SCWM/EX_WRKC_UI_GET_WEIGHT). For more information, see Customizing for Extended Warehouse Management under Business Add-Ins (BAdIs) for Extended Warehouse Management > Master Data > Work Center > Adjust User Interface for Work Center > BAdI: Determination of HU Weight Using Scale.

Destination: SAP EWM to SAP TM
Delivered: No
Type: WebService/RFC
User, Authorizations: None
Description: For more information, see SAP Service Marketplace at service.sap.com/scm > SAP SCM in Detail > Warehousing > Information on Extended Warehouse Management in SAP SCM > Solution Manager Content.

Note: For more information about communication destinations of SAP NetWeaver, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies.


9 Internet Communication Framework Security

You should only activate those services that are needed for the applications running in your system. For SAP EWM the following main services are available:

● /sap/bc/gui/sap/its/scwm/rfui

○ This service can be used, for example, to allow warehouse workers to use transaction /SCWM/RFUI from mobile applications. The service can be accessed from the SAP console or by using ITS mobile. For more information, see the SAP EWM documentation under Radio Frequency Framework > Work Processing Using Radio Frequency > Resource Management Using Radio Frequency.

● /sap/bc/webdynpro/scwm/

○ This path contains the various Web Dynpro UIs for SAP EWM as well as for Dock Appointment Scheduling.

● /sap/bc/ui5_ui5/scwu/

○ This contains the SAPUI5 user interfaces which are used, for example, for LDP (labor demand planning) or the Collaborative Carrier Scenario for Dock Appointment Scheduling.

● /sap/opu/odata/scwm/

○ This contains the OData Gateway services which are used, for example, for LDP (labor demand planning) or the Collaborative Carrier Scenario for Dock Appointment Scheduling.

● /sap/opu/odata/ui2

○ Contains services which are partly used by SAP EWM. For example, PAGE_BUILDER_PERS is used for LDP and DAS Carrier Collaboration.

● /sap/bc/srt/xip/scwm

○ Contains services which are used for XI communication.

● /sap/bc/srt/rfc/scwm

○ Contains services which are used for RFC communication. For example, RFID_AII_EWM, which is used to exchange RFID information with SAP Auto-ID Infrastructure (SAP AII).

Use transaction SICF to activate only those of these services that your scenario requires.

If your firewalls use URL filtering, also note the URLs used for the service and adjust your firewall settings accordingly.

For more information, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View > Application Server > Application Server Infrastructure > Connectivity > Components of SAP Communication Technology > Communication Between ABAP and Non-ABAP Technologies > Internet Communication Framework > Development > Server-Side Development > Creating and Configuring ICF Services > Activating and Deactivating ICF Services.

For more information about ICF security, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies > RFC/ICF Security Guide.


10 Application-Specific Virus Scan Profile (ABAP)

SAP provides an interface for virus scanners to prevent manipulated or malicious files from damaging the system. To manage the interface and the file types that are checked or blocked, you can use virus scan profiles. Different applications rely on default profiles or application-specific profiles.

To use a virus scanner with the SAP system, you must activate and set up the virus scan interface. During this process, you also set up the default behavior. SAP also provides default profiles.

For more information, see SAP Library for SAP NetWeaver 7.5 at help.sap.com/nw. In SAP Library, choose SAP NetWeaver > SAP NetWeaver Library: Function-Oriented View > Security > Security Developer Documentation > Secure Programming > Secure Programming – Java > Secure Programming SAP Virus Scan Interface, and see SAP Note 1693981 (Unauthorized modification of displayed content).

The SAP Extended Warehouse Management (SAP EWM) component also uses the virus scan interface, for example, during file upload to the SAP EWM system.


11 Data Storage Security

The data storage security of SAP NetWeaver and components installed on that database is described in detail in the SAP NetWeaver Security Guide.

NoteFor more information about the data storage security of SAP NetWeaver, see the SAP NetWeaver Security Guide under Security Guides for the Operating System and Database Platforms.

In general, all business data of the SAP EWM component is stored in the system database. If SAP liveCache is used, some business data is also stored there. This business data is protected by the authorization concept of SAP NetWeaver and SAP EWM.

In some special cases, business-relevant data is stored elsewhere (for example, in a file system).

Using Logical Path and Filenames to Protect Access to the File System

Note: This is not relevant for standalone Dock Appointment Scheduling.

The SAP EWM component may save data in files in the file system and may read data from the file system. It is therefore important to grant access explicitly to the corresponding files without allowing access to other directories or files (the attack this prevents is known as directory traversal). This is achieved by specifying logical paths and file names in the system that map to the physical paths and file names. This mapping is validated at runtime, and if access is requested to a directory that does not match a stored mapping, an error occurs.

In some cases, applications use fixed logical file names that cannot be changed.

The following lists show the logical filenames and paths used by SAP EWM and the programs to which they apply.

Logical Filenames and File Paths Used in SAP EWM

To enable the validation of physical filenames, the following logical filenames have been created:

● EWM_PI_DOWNLOAD

Transactions/programs using this logical filename:

○ Transaction /SCWM/PI_DOWNLOAD

○ Program /SCWM/R_PI_STOCK_DWNLD

Parameters and format used in this context:

○ <PARAM_1> = Warehouse number (CHAR4)

○ <PARAM_2> = Counter (NUM2)

Logical file path used:

○ EWM_GLOBAL_PATH

Comment: The logical filename is fixed and cannot be changed. The logical file contains a physical filename. The logical file path contains a physical path. The validation and alias definition do not apply for this logical filename.

● EWM_PI_UPLOAD

Transactions/programs using this logical filename:

○ Transaction /SCWM/PI_UPLOAD

○ Program /SCWM/R_PI_FILEUPLD

Parameters and format used in this context:

○ <PARAM_1> = Warehouse number (CHAR4)

○ <PARAM_2> = Creation Date (DATS8)

○ <PARAM_3> = Counter (NUM2)

Logical file path used:

○ EWM_GLOBAL_PATH

Comment: The logical filename is fixed and cannot be changed. The logical file contains a physical filename. The logical file path contains a physical path. The validation and alias definition do not apply for this logical filename.

● EWM_STOCK_UPLOAD

Transactions/programs using this logical filename:

○ Transaction /SCWM/ISU

○ Program /SCWM/R_INITIALSTOCKUPLOAD

Parameters and format used in this context:

○ <PARAM_1> = Warehouse number (CHAR4)

Logical file path used:

○ EWM_STOCK_UPLOAD_PATH

● EWM_STOBIN_UPLOAD

Transactions/programs using this logical filename:

○ Transaction /SCWM/SBUP

○ Program /SCWM/TLAGP_UPLOAD

Logical file path used:

○ EWM_STOBIN_UPLOAD_PATH

● EWM_STOBIN_SORT_UPLOAD

Transactions/programs using this logical filename:

○ Transaction /SCWM/SRTUP

○ Program /SCWM/TLAGPS_UPLOAD

Logical file path used:

○ EWM_STOBIN_SORT_UPLOAD_PATH

● EWM_MS_RESULT

Transactions/programs using this logical filename:

○ Transaction /SCWM/MS_RESULT

○ Program /SCWM/R_MS_RESULT_READ

Parameters and format used in this context:

○ <PARAM_1> = Warehouse number (CHAR4)

Logical file path used:

○ EWM_GLOBAL_PATH

Comment: The logical filename is fixed and cannot be changed. The logical file contains a physical filename. The logical file path contains a physical path. The validation and alias definition do not apply for this logical filename.

● EWM_ELS_FRML

● EWM_ELS_ST

● EWM_ELS_STE

● EWM_ELS_SEQ

● EWM_ELS_ASS

Transactions/programs using these logical filenames:

○ Transaction /SCWM/ELS_UPLOAD

○ Program /SCWM/ELS_UPLOAD

Logical file path used:

○ EWM_GLOBAL_PATH

Comment: The logical filenames are fixed and cannot be changed. The logical file contains a physical filename. The logical file path contains a physical path. The validation and alias definition do not apply for these logical filenames.

● EWM_MS_RESULT

Transactions/programs using this logical filename:

○ Transaction /SCWM/PI_SAMP_UPDATE

○ Program /SCWM/PI_SAMP_UPDATE_RESULT

Parameters and format used in this context:

○ <PARAM_1> = Warehouse number (CHAR4)

Logical file path used:

○ EWM_GLOBAL_PATH

Comment: The logical filename is fixed and cannot be changed. The logical file contains a physical filename. The logical file path contains a physical path. The validation and alias definition do not apply for this logical filename.

● EWM_PRODUCT_UPLOAD

Transactions/programs using this logical filename:

○ Transaction /SCWM/MIG_PRODUCT

○ Program /SCWM/R_MIG_PRODUCT

Logical file path used:

○ EWM_PRODUCT_UPLOAD_PATH

● EWM_PACKSPEC_UPLOAD

Transactions/programs using this logical filename:

○ Transactions /SCWM/MIG_PRODUCT and /SCWM/IPU

○ Programs /SCWM/R_MIG_PRODUCT and /SCWM/R_PS_DATA_LOAD

Logical file path used in this context:

○ EWM_PACKSPEC_UPLOAD_PATH

● EWM_PI_COMPL_UPLOAD

Transactions/programs using this logical filename:

○ Transaction /SCWM/MIG_PI_COMPL

○ Program /SCWM/R_MIG_PI_COMPL

Logical file path used in this context:

○ EWM_PI_COMPL_UPLOAD_PATH

Activating the Validation of Logical Path and Filenames

Note that this only applies to logical filenames that are not fixed.

These logical paths and filenames are specified in the system for the corresponding programs. For downward compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To find out which paths are being used by your system, you can activate the corresponding settings in the security audit log.
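The mechanism described in this section (a logical filename plus parameters resolves to a physical name, the logical path supplies the physical directory, and the result is validated at runtime only once validation has been activated) is modelled in the following added Python example. It is not SAP code and does not call the SAP function modules behind transactions FILE and SF01; the directory values, the <PARAM_n> and <FILENAME> placeholder handling and the validation_active flag are assumptions for the example, and the logical names reuse names from the list above only as labels.

```python
"""Model of logical path/file name validation against directory traversal.

Added example, not SAP code. Mappings and placeholder handling are constructed
for this example; the logical names are used only as labels.
"""
import posixpath
from typing import Dict

# Constructed logical paths: a physical directory with a <FILENAME> placeholder.
LOGICAL_PATHS: Dict[str, str] = {
    "EWM_GLOBAL_PATH": "/usr/sap/EWM/global/<FILENAME>",
    "EWM_STOCK_UPLOAD_PATH": "/usr/sap/EWM/upload/stock/<FILENAME>",
}

# Constructed logical file names: physical name pattern plus the logical path used.
LOGICAL_FILES: Dict[str, Dict[str, str]] = {
    "EWM_STOCK_UPLOAD": {"pattern": "stock_<PARAM_1>.csv", "path": "EWM_STOCK_UPLOAD_PATH"},
    "EWM_PI_DOWNLOAD": {"pattern": "pi_<PARAM_1>_<PARAM_2>.txt", "path": "EWM_GLOBAL_PATH"},
}


class ValidationError(Exception):
    """Raised when a parameter value could alter the directory part of a path."""


def physical_name(logical_file: str, **params: str) -> str:
    """Resolve a logical file name and its parameters to a physical path.

    Parameter values are data (a warehouse number, a counter), never path
    fragments, so anything containing a separator or a dot-only component is
    rejected before substitution.
    """
    spec = LOGICAL_FILES[logical_file]
    name = spec["pattern"]
    for key, value in params.items():
        if "/" in value or "\\" in value or value in ("..", "."):
            raise ValidationError(f"illegal parameter value {value!r} for <{key}>")
        name = name.replace(f"<{key}>", value)
    directory = LOGICAL_PATHS[spec["path"]]
    return directory.replace("<FILENAME>", name)


def validate_physical(logical_file: str, requested: str, validation_active: bool) -> bool:
    """Return True if ``requested`` may be opened under ``logical_file``.

    With validation active, the normalised requested path must lie directly in
    the directory of the logical path; '..' components are resolved first so a
    traversal cannot pass a plain prefix comparison. With validation inactive
    (the default the guide describes, for downward compatibility) nothing is
    checked, which is exactly why the guide asks you to activate it.
    """
    if not validation_active:
        return True
    allowed_dir = posixpath.dirname(LOGICAL_PATHS[LOGICAL_FILES[logical_file]["path"]])
    normalised = posixpath.normpath(requested)
    return posixpath.dirname(normalised) == allowed_dir


if __name__ == "__main__":
    good = physical_name("EWM_STOCK_UPLOAD", PARAM_1="W001")
    bad = "/usr/sap/EWM/upload/stock/../../../../../etc/passwd"
    print(good, validate_physical("EWM_STOCK_UPLOAD", good, True))
    print(bad, validate_physical("EWM_STOCK_UPLOAD", bad, True))
    print("validation off:", validate_physical("EWM_STOCK_UPLOAD", bad, False))
```

Two design points carry over to the real system: normalise before comparing (a prefix check on the raw string is defeated by `..`), and treat a deactivated validation as an open door rather than a neutral default, which is what the activation steps above address.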

For more information, see the following:

● The SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View > Application Server > Application Server ABAP > Other Services > Services for Application Developers > Logical File Names

● The SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units > Security Guides for the Application Server > Security Guides for AS ABAP > SAP NetWeaver Application Server ABAP Security Guide > Special Topics > Protecting Access to the File System Using Logical Path and File Names

● The SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View > Security > System Security > System Security for SAP NetWeaver AS ABAP Only > Security Audit Log


12 Data Protection

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes the specific features and functions that SAP provides to support compliance with the relevant legal requirements and data privacy.

This section and any other sections in this Security Guide do not give any information on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any information or recommendations with regard to additional features that would be required in a particular environment. Decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.

Note: In the majority of cases, compliance with data privacy laws is not a product feature.

SAP software supports data privacy by providing security features and specific data-protection-relevant functions such as functions for the simplified blocking and deletion of personal data.

SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.

Glossary

Table 16

Personal data: Information about an identified or identifiable natural person.

Business purpose: A legal, contractual, or in other form justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.

Blocking: A method of restricting access to data for which the primary business purpose has ended.

Deletion: Deletion of personal data so that the data is no longer usable.

Retention period: The time period during which data must be available.

End of purpose (EoP): A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization.

Some basic requirements that support data protection are often referred to as technical and organizational measures (TOM). The following topics are related to data protection and require appropriate TOMs:

● Access control: Authentication features as described in the User Administration and Authentication section (see User Administration and Authentication [page 23])


● Authorizations: Authorization concept as described in the Authorizations section (see Authorizations [page 30])

● Read access logging: as described in the Read Access Logging section (see Read Access Logging [page 60])

● Transmission control/Communication security: as described in the Network and Communication Security section (see Network and Communication Security [page 39]) and the Security Aspects of Data Flow and Processes section (see Security Aspects of Data Flow and Processes [page 17])

● Input control/Change logging: Change logging is described in Security-Relevant Logging and Tracing

● Availability control as described in:

○ Data Storage Security section (see Data Storage Security [page 50])

○ SAP NetWeaver Database Administration SAP Library documentation

○ SAP Business Continuity documentation in the SAP NetWeaver Application Help under Function-Oriented View > Solution Life Cycle Management > SAP Business Continuity

● Separation by purpose: Is subject to the organizational model implemented and must be applied as part of the authorization concept.

Caution: The extent to which data protection is ensured depends on secure system operation. Network security, security note implementation, adequate logging of system changes, and appropriate usage of the system are the basic technical requirements for compliance with data privacy legislation and other legislation.

Configuration of Data Protection Functions

Certain central functions that support data protection compliance are grouped in Customizing for Cross-Application Components under Data Protection.

Additional industry-specific, scenario-specific or application-specific configuration might be required.

For information about the application-specific configuration, see the application-specific Customizing in SPRO.

12.1 Deletion of Personal Data

SAP Extended Warehouse Management (SAP EWM) can process data, for example, personal data that is subject to the data protection laws applicable in specific countries as described in SAP Note 1825544. The SAP Information Lifecycle Management (SAP ILM) component supports the entire software lifecycle including the storage, retention, blocking, and deletion of data. SAP EWM uses SAP ILM to support the deletion of personal data as described in the following sections. SAP delivers an end of purpose check (EoP check) for SAP EWM. All applications register an EoP check in the Customizing settings for the blocking and deletion of business partners. For information about the Customizing of blocking and deletion in SAP EWM, see Configuration: Simplified Blocking and Deletion below.

End of Purpose Check

An end of purpose check (EoP check) ensures data integrity in case of potential blocking. The EoP check in SAP EWM checks whether any dependent data for a certain business partner exists in relevant SAP EWM tables. If dependent data exists and the data is still required for business activities (that is, EoP has not been reached and the retention time for the document referring to the business partner is not over), the system does not block the business partner. If you want to block the data before EoP, you must delete the document and also change the retention times for this document, or apply any other customer-specific solution. Even if the object is deleted or archived, the retention times maintained for the SAP ILM live policy still apply. SAP EWM stores the start of the retention time for all business partners of any completed document in the database, which is used during the EoP check to determine whether the retention time is over.
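The EoP logic just described (a business partner is blocked only when every document referring to it is completed and the retention time, counted from the retention start stored at completion, has elapsed) is modelled in the following added Python example. It is not SAP code and not the delivered EoP check; the document types, partner IDs, retention periods and dates are constructed for the example, and the single retention_days value per document stands in for the ILM policy the real check consults.

```python
"""Model of an end-of-purpose (EoP) check for a business partner.

Added example, not SAP code. All documents, partners and dates below are
constructed samples; retention_days stands in for the ILM retention policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Document:
    doc_id: str
    doc_type: str                     # e.g. inbound_delivery, warehouse_order
    partner: str                      # business partner referenced (ship-from, carrier, ...)
    completed: bool
    retention_start: Optional[date]   # stored when the document was completed
    retention_days: int               # retention time from the policy for this type
    archived: bool = False            # archiving does not shorten retention


def mark_completed(doc: Document, on: date) -> None:
    """Completing a document stores the retention start for its partners,
    which is the value the guide says the EoP check later reads back."""
    doc.completed = True
    doc.retention_start = on


def retention_over(doc: Document, today: date) -> bool:
    """A document releases its partner only after completion plus retention.
    ``archived`` is deliberately ignored: retention still applies to it."""
    if not doc.completed or doc.retention_start is None:
        return False
    return doc.retention_start + timedelta(days=doc.retention_days) <= today


def eop_check(partner: str, docs: List[Document], today: date) -> Tuple[bool, List[str]]:
    """Return (eop_reached, ids of documents that still prevent blocking)."""
    blocking = [d.doc_id for d in docs if d.partner == partner and not retention_over(d, today)]
    return (not blocking, blocking)


# Constructed sample data.
SAMPLE_TODAY = date(2016, 8, 10)


def sample_documents() -> List[Document]:
    return [
        Document("IBD-1", "inbound_delivery", "BP100", True, date(2015, 1, 1), 365),
        Document("WO-7", "warehouse_order", "BP100", False, None, 90),
        Document("TU-3", "transportation_unit", "BP200", True, date(2016, 8, 1), 30, archived=True),
    ]


def run_scenario() -> List[Tuple[bool, List[str]]]:
    """BP100 is held by an open warehouse order; once that order is completed
    (dated before the retention window ends) the partner can be blocked."""
    docs = sample_documents()
    before = eop_check("BP100", docs, SAMPLE_TODAY)
    mark_completed(docs[1], date(2016, 1, 1))
    after = eop_check("BP100", docs, SAMPLE_TODAY)
    return [before, after]


if __name__ == "__main__":
    for reached, blockers in run_scenario():
        print("EoP reached:", reached, "blocked by:", blockers)
    print("BP200:", eop_check("BP200", sample_documents(), SAMPLE_TODAY))
```

The BP200 case shows the point the guide makes about archiving: TU-3 is archived, but its retention start is recent, so the partner stays unblockable until the retention time has passed.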

Integration with Other Solutions

In the majority of cases, different installed applications run interdependently. An example of an application that uses central master data is an SAP ERP system that transfers inbound deliveries to SAP EWM. In this case, the vendor of the inbound delivery is contained as a business partner (ship-from role) in the inbound delivery in SAP EWM.

Relevant Application Objects and Available Deletion Functionality

The deletion of objects is usually done using either archiving services or special functions. For more information, see SAP Library for SAP Extended Warehouse Management on SAP Help Portal at help.sap.com/ewm. In SAP Library, choose Archiving in Extended Warehouse Management (SCM-EWM).

We recommend that you view the SAP EWM application operations guide. There, regular steps, such as archiving or deletion, are described together with proposals on how and when they should be executed.

Table 17

Application Detailed Description Provided Deletion Functionality

EWM Warehouse Request Processing, such as inbound delivery, outbound delivery order, or production material request

Business partner data is stored in warehouse requests. For example, in the Ship To and Ship From fields in the warehouse request header or as owner and entitled at item level in the partner data.

Deletion of the objects can be done using the archiving services. The archiving objects are:

● DLV_INBInternal warehouse requests (inbound delivery)

● DLV_OUTInternal warehouse requests (outbound delivery)

● DLV_REQWarehouse requests from external systems

● DLV_PRODProduction material request

56

CUSTOMER© Copyright 2016 SAP SE or an SAP affiliate company.All rights reserved.

SAP® Extended Warehouse Management 9.4 Security GuideData Protection

Page 57: SAP® Extended Warehouse Management 9.4 Security … · Dock Appointment Scheduling is technically part of the SAP EWM 9.4 installation, but it can be used independently of other

Application Detailed Description Provided Deletion Functionality

EWM Labor Management In Labor Management, the Processor field is written in several SAP EWM documents. For example, the warehouse order and executed workload.

Deletion of the objects can be done using the archiving services. The archiving objects are:

● WME_WOWarehouse order

● WME_EWLExecuted workload

● WME_EPDPerformance document

● WME_ILTIndirect labor task

EWM Shipping and Receiving In Shipping and Receiving, in the transportation unit object the field for the carrier may contain a business partner.

Deletion of the objects can be done using the archiving services. The archiving objects are:

● WME_TUTU activity

● WME_VEHVehicle activity

EWM Value Added Services If value added services (VAS) are used, in the corresponding VAS order the field for entitled and owner may contain a business partner.

Deletion of the objects can be done using the archiving services. The archiving object is WME_VAS (VAS

order).

EWM Proof of Delivery If proof of delivery is used (transaction /SCWM/POD_IMP), then this object may

contain business partners in the fields for carrier, entitled, or processor.

Deletion can be done using transaction /SCWM/POD_IMP.

EWM Stock Data In SAP EWM, stock data can contain business partner data. For example, in fields for owner or entitled.

Deletion is not possible directly. The corresponding stock has to be cleared so that no stock exists any more. Report /LIME/BACKGROUND_DELETE_EXEC is

available.

EWM Dock Appointment Scheduling In dock appointments in SAP Dock Appointment Scheduling, the field for the carrier may contain a business partner.

Deletion is possible using report /SCWM/R_DAS_DELETE.

Transportation Management in EWM In the shipment and freight document objects, the business partner is contained.

Deletion of the objects can be done using the archiving services. The archiving objects are:

● TM_SHP

SAP® Extended Warehouse Management 9.4 Security GuideData Protection

CUSTOMER© Copyright 2016 SAP SE or an SAP affiliate company.

All rights reserved. 57

Page 58: SAP® Extended Warehouse Management 9.4 Security … · Dock Appointment Scheduling is technically part of the SAP EWM 9.4 installation, but it can be used independently of other

Application Detailed Description Provided Deletion Functionality

Shipment

● TM_FRDFreight document

Application: EWM Warehouse Billing
Detailed description: In Warehouse Billing, snapshots can contain a business partner.
Provided deletion functionality: Billing measurements (BOPF object /SCWM/BM) can be deleted by archiving using archiving object EWM_WBM. Billing measure requests (BOPF object /SCWM/WB_BMR) can be deleted using deletion report /SCWM/WB_WBMR_DELETION.

Relevant Application Objects and Available EoP Functionality

Table 18

Columns: Application; Implemented Solution (EoP or Where-Used Check); Further Information

Application: EWM Warehouse Request Processing, such as inbound delivery, outbound delivery order, or production material request
Implemented solution: An EoP check is implemented for the business partner object.
Further information: An EoP check is done for the following documents:

● Outbound delivery request

● Outbound delivery order

● Outbound delivery

● Inbound delivery notification

● Inbound delivery

● Production material request

Application: EWM Labor Management
Implemented solution: An EoP check is implemented for the business partner object.
Further information: An EoP check is done for the following documents:

● Executed workload

● Employee performance document

● Warehouse order

● Indirect labor task

For indirect labor tasks, the data is stored using order document management (ODM). The ODM data type is ILT. The corresponding header component is ILT with structure /SCWM/S_ILT_ODM.

Application: EWM Shipping and Receiving
Implemented solution: An EoP check is implemented for the business partner object.
Further information: An EoP check is done for the following documents:

● Transportation unit

● Vehicle

● Transportation unit activity

● Vehicle activity

Application: EWM Value Added Services
Implemented solution: An EoP check is implemented for the business partner object.
Further information: An EoP check is done for VAS documents. The data is stored using ODM. The ODM data type is VASO. The corresponding item component is VASI with structure /SCWM/S_VAS_ODM_ITM.

Application: EWM Proof of Delivery
Implemented solution: A where-used check (WUC) is implemented for the business partner object.
Further information: A WUC is done for the SCWM/POD database table.

Application: EWM Stock Data
Implemented solution: A WUC is implemented for the business partner object.
Further information: A WUC is done for the following objects:

● /SCWM/STOCK_IW01

● /SCWM/STOCK_IW02

● /SCWM/STOCK_IW03

● /SCWM/STOCK_IW04

Application: EWM Dock Appointment Scheduling
Implemented solution: A WUC is implemented for the business partner object.
Further information: A WUC is done for the /SCWM/D_DSAPP database table.

Application: Transportation Management in EWM
Implemented solution: An EoP check is implemented for the business partner object.
Further information: An EoP check is done for the following documents:

● Freight order

● Shipment

The data is stored using ODM, as follows:

● For shipments, the ODM data type is TMSH. The corresponding header component is TSHD with structure /SCMB/TMDL_ODM_SHP_HDR_STR.

● For freight documents, the ODM data type is TMFR. The corresponding header component is TMFH with structure /SCMB/TMDL_ODM_FRD_HDR_STR.

Application: Transportation Management in EWM Warehouse Billing
Implemented solution: An EoP check is implemented for the business partner object.
Further information: An EoP check is done for warehouse billing measurement documents.

Process Flow

Before archiving data, you must define residence times and retention periods in SAP ILM.

You choose whether data deletion is required for data stored in archive files or data stored in the database, also depending on the type of deletion functionality available.

You do the following:


● Run transaction IRMPOL and maintain the required residence and retention policies for the central business partner (ILM object: CA_BUPA).

● Run transaction IRMPOL and maintain the retention policies for the SAP ILM objects of the SAP EWM application:

○ DLV_INB (inbound delivery)

○ DLV_OUT (outbound delivery)

○ DLV_PROD (production material request)

○ DLV_REQ (delivery request)

○ EWM_WBM (warehouse billing measurement)

○ LIME_PI (physical inventory document)

○ TM_FRD (freight order)

○ TM_SHP (shipment)

○ WME_DOOR (door)

○ WME_EPD (employee performance document)

○ WME_EWL (executed workload)

○ WME_HU (handling unit)

○ WME_ILT (indirect labor task)

○ WME_TO (warehouse task)

○ WME_TU (transportation unit activity)

○ WME_VAS (value added service)

○ WME_VEH (vehicle activity)

○ WME_WAVE (wave)

○ WME_WO (warehouse order)

● Run transaction BUPA_PRE_EOP to enable the EoP check function for the central business partner.

● Run transaction IRMPOL and maintain the required residence and retention policies for the customer master and vendor master in SAP ERP (ILM objects: FI_ACCPAYB, FI_ACCRECV, FI_ACCKNVK).

● Run transaction CVP_PRE_EOP to enable the EoP check function for the customer master and vendor master in SAP ERP.

● Business users can request unblocking of blocked data by using transaction BUP_REQ_UNBLK.

● If you have the necessary authorizations, you can unblock data by running transaction BUPA_PRE_EOP and CVP_UNBLOCK_MD.

● You delete data by using transaction BUPA_PRE_EOP for the ILM objects of SAP EWM.

For information about how to configure blocking and deletion for SAP EWM, see Configuration: Simplified Blocking and Deletion below.
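The following is an added example, not SAP code and not part of this guide: it models how the two check types in Table 18 and the residence and retention periods from the process flow above combine into one blocking decision. Document numbers, partner numbers, table contents, and the residence and retention periods in days are all constructed for the example; the table name /SCWM/D_DSAPP is the one named in Table 18, its sample contents are made up.

```python
"""
Modelled end-of-purpose (EoP) blocking decision for one business partner.

Constructed example, not SAP code. An application object with an EoP check
reports whether documents referencing the partner are still open and when the
last one was completed; an object with only a where-used check (WUC) reports
whether any table row still references the partner. The partner may be
blocked when no check reports a live reference and the residence time has
elapsed since the last end of purpose; deletion becomes possible once the
retention period has elapsed after that.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Document:
    application: str              # application object, e.g. "EWM Value Added Services"
    doc_id: str                   # constructed document number
    partner: str                  # business partner referenced by the document
    completed_on: Optional[date]  # None while the document is still open


# Constructed sample documents of applications that implement an EoP check.
DOCUMENTS: List[Document] = [
    Document("EWM Warehouse Request Processing", "ODO-1", "BP1001", date(2015, 3, 2)),
    Document("EWM Warehouse Request Processing", "IDN-7", "BP1001", date(2015, 9, 14)),
    Document("EWM Labor Management", "EPD-3", "BP1001", date(2015, 5, 1)),
    Document("EWM Warehouse Request Processing", "ODO-9", "BP2002", None),
    Document("EWM Value Added Services", "VAS-4", "BP3003", date(2016, 1, 20)),
]

# Constructed contents of tables covered only by a where-used check:
# table name -> partners referenced by its rows.
WUC_TABLES: Dict[str, List[str]] = {
    "/SCWM/D_DSAPP": ["BP3003"],   # a dock appointment still names the carrier
    "/SCWM/STOCK_IW01": [],
}


def eop_check(partner: str, docs: List[Document]) -> Tuple[str, Optional[date], List[str]]:
    """EoP check over all registered documents.

    Returns ('open', None, open_ids) while any document is still open,
    ('eop', last_completion, []) when every document is completed, and
    ('unused', None, []) when no document references the partner.
    """
    relevant = [d for d in docs if d.partner == partner]
    if not relevant:
        return "unused", None, []
    open_ids = sorted(d.doc_id for d in relevant if d.completed_on is None)
    if open_ids:
        return "open", None, open_ids
    return "eop", max(d.completed_on for d in relevant), []


def where_used_check(partner: str, tables: Dict[str, List[str]]) -> List[str]:
    """WUC: names of tables whose rows still reference the partner."""
    return sorted(t for t, partners in tables.items() if partner in partners)


def blocking_decision(partner: str, today: date, residence_days: int, retention_days: int,
                      docs: List[Document] = DOCUMENTS,
                      tables: Dict[str, List[str]] = WUC_TABLES) -> dict:
    """Combine both check types into one blocking/deletion decision."""
    hits = where_used_check(partner, tables)
    status, last_eop, open_ids = eop_check(partner, docs)
    if hits or open_ids:
        # Any live reference keeps the partner unblocked, whichever check found it.
        return {"partner": partner, "status": "in_use",
                "where_used": hits, "open_documents": open_ids}
    if status == "unused":
        return {"partner": partner, "status": "no_references"}
    block_from = last_eop + timedelta(days=residence_days)
    if today < block_from:
        return {"partner": partner, "status": "residence_running", "block_from": block_from}
    return {"partner": partner, "status": "blockable", "block_from": block_from,
            "delete_from": block_from + timedelta(days=retention_days)}


if __name__ == "__main__":
    for bp in ("BP1001", "BP2002", "BP3003", "BP9999"):
        print(blocking_decision(bp, date(2016, 8, 10), residence_days=365, retention_days=730))
```

The point the model makes explicit is that a single where-used hit in one application (here the dock appointment table) keeps the partner unblocked even though every EoP-checked document has been completed, which is why all applications listed in Table 18 must be registered before the central check in BUPA_PRE_EOP can give a correct answer.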

Configuration: Simplified Blocking and Deletion

You configure the settings related to the blocking and deletion of business partner master data in Customizing for Cross-Application Components under Data Protection.

● Define the settings for authorization management in Customizing for Cross-Application Components under Data Protection > Authorization Management.


● Define the settings for blocking in Customizing for Cross-Application Components under Blocking and Unblocking > Business Partner.

You configure the settings related to the blocking and deletion of customer and vendor master data in Customizing.

12.2 Read Access Logging

If no trace or log that records which business users have accessed data is stored, it is difficult to track the persons responsible for any data leaks to the outside world. The Read Access Logging (RAL) component can be used to monitor and log read access to data and provide information such as which business users accessed personal data, for example, of a business partner, and in which time frame.

In RAL, you can configure which read-access information to log and under which conditions. For more information about RAL, see SAP Library for SAP NetWeaver 7.5 at help.sap.com//nw. In SAP Library, choose SAP NetWeaver > SAP NetWeaver Library: Function-Oriented View > System Security > System Security for SAP NetWeaver Application Server ABAP Only > Read Access Logging.


13 Security for Additional Applications

Geocoding

Note: This is not relevant for standalone Dock Appointment Scheduling.

The SAP Extended Warehouse Management (SAP EWM) component can, in some cases, make use of third party geocoding applications, for example, PTV eServer. The software could be used, for example, to calculate geographical information for the locations or distances for transportation lanes. To connect to the third party software, this software may require an RFC destination on the SAP EWM side. This RFC is described in the Communication Destinations section (see Communication Destinations [page 44]).

For more information on geocoding, see SAP Library for SAP EWM on SAP Help Portal at help.sap.com/ewm. In SAP Library, choose SCM Basis > SCM Basis > Master Data > Location. For any security issues regarding the third party application, for example, PTV eServer software, see the third party documentation.

SAP Plant Connectivity for Scale Integration

The SAP EWM component can, in some cases, integrate an external scale. The software could be used, for example, to calculate the weight of a handling unit. In BAdI: Determination of HU Weight Using Scale (/SCWM/EX_WRKC_UI_GET_WEIGHT), a sample implementation exists for this. In this example, the system uses SAP Plant Connectivity to integrate an external scale. This software may require an RFC destination on the SAP EWM side to connect to SAP Plant Connectivity. For more information, see Communication Destinations [page 44].

For more information on SAP Plant Connectivity, see SAP Help Portal at help.sap.com/pco and the security information for SAP Plant Connectivity on SAP Service Marketplace at service.sap.com/securityguides > SAP Business Suite Applications > SAP Manufacturing Security Guide > Plant Connectivity 2.2.


14 Enterprise Services Security

The following chapters in the SAP NetWeaver Security Guide are relevant for all enterprise services delivered with SAP Extended Warehouse Management:

● User Administration and Authentication

● Network and Communication Security

● SAP NetWeaver Process Integration Security Guide

● Security Guide Web Services

● Security Aspects for Web Services

● Security Guides for the Operating System and Database Platforms

● Security Aspects for Lifecycle Management

● Security Guides for the AS ABAP

● Security Guides for the AS Java

For more information about special security requirements for web services, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies > Security Aspects for Web Services.


15 Other Security-Relevant Information

You can find other security-relevant information for the following:

● User Frontend [page 64]

● Data Protection and Privacy [page 65]

15.1 User Frontend

To use the web browser as a user front end, you must first activate JavaScript (Active Scripting) to ensure a working user interface. This could, however, conflict with your security policy regarding web services.

SAP NetWeaver Business Client

SAP NetWeaver Business Client is the proposed UI for using Web Dynpro applications, for example, from SAP Dock Appointment Scheduling, Transit Warehousing, or Shipping Cockpit in SAP EWM.

For more information about SAP NetWeaver Business Client, see SAP Note 900000.

See also the Security Guide for SAP NetWeaver Business Client on SAP Help Portal at help.sap.com/nw-uiaddon/ > Security Information > Security Guide.

Making Browser Settings for Easy Graphics Framework (EGF)

Note: This is not relevant for standalone Dock Appointment Scheduling.

If you work with Microsoft Internet Explorer in the Easy Graphics Framework (EGF), you must have installed Microsoft Internet Explorer version 5 or higher.

For more information about the security settings, see the SAP EWM documentation under Monitoring > Easy Graphics Framework.

RF Device as a User Frontend

Note: This is not relevant for standalone Dock Appointment Scheduling.

To use an RF device as a user front end, you can use a mobile PC running SAP Front End, or a character-based device using SAP Console. SAP Console is part of the SAP Front End installation. In addition, a third-party Telnet server is necessary. For any security issues regarding the Telnet server software, consult the third-party software documentation.

For more information about SAP Front End, see SAP Service Marketplace at service.sap.com/instguides > SAP NetWeaver > SAP NetWeaver 7.5 > Installation > 4 - Installation - Clients > SAP Front End Installation Guide.


SAP Dock Appointment Scheduling

Note: This is relevant only if you are using Dock Appointment Scheduling.

If you use the Web Dynpro applications Create Time Slots in Graphical View, Change Time Slots in Graphical View, or Maintain Appointments – Graphical, you must install Microsoft® Silverlight® version 5 or later. Note that this does not apply for the UI Dock Appointment Scheduling for Carrier as this uses SAPUI5.

Access from UIs using OData and Gateway

Labor Demand Planning and Dock Appointment Scheduling UI for Carriers use SAP NetWeaver Gateway to access SAP EWM data. For more information, see Network and Communication Security [page 39].

15.2 Data Protection and Privacy

You can use the RSCRDOMA report to determine tables where certain domains that contain person-related data are used. For example, the variant SAP&DS_USNAM shows all tables where standard domains for user names are used (if further domains exist and are used in your system, you can add them to the selection).

You can check which values the variant uses to filter the result (for example, if you want fewer or more domains to be used).

Activities

You can execute the variant with the following selection criteria to filter the result and display a where-used list for domains in tables:

1. On the SAP Easy Access screen, choose Tools > ABAP Workbench > Development > ABAP Editor.

2. Enter RSCRDOMA as the program name.

3. Select the Variants subobject and choose Display.

4. Enter the SAP&DS_USNAM variant.

5. Select the Values subobject and choose Display.


16 Security-Relevant Logging and Tracing

SAP systems keep various logs for system administration, monitoring, problem solving, and auditing purposes. Audits and logs are important for monitoring the security of your system and to track events, in case of problems.

Note: Auditing and logging for the SAP Extended Warehouse Management (SAP EWM) component is described in detail in the SAP NetWeaver Security Guide. For more information, see the SAP NetWeaver Security Guide under Security Aspects for Lifecycle Management > Auditing and Logging.

Security Audit Log Triggered by Virus Scan Interface (VSI)

The class CL_VSI automatically creates entries in the Security Audit Log for infections and scan errors found, together with the following information:

● Profile

● Profile step allowing the detection of the scanner-group

● Kind of virus found, with internal virus ID of the scan engine, if available

● User name and time stamp

The messages logged are located in the message class VSCAN, using the system log messages BU8 and BU9 (created in SE92). The severities are set to High and Medium, respectively. The severity of the audit class is set to Miscellaneous. For more information, see Customizing for SAP NetWeaver under Application Server > System Administration > Virus Scan Interface.

Audit Information System (AIS)

Information on auditing and logging for the Audit Information System (AIS) is described in detail in the SAP NetWeaver Security Guide. For more information, see the SAP NetWeaver Security Guide under Security Aspects for Lifecycle Management > Auditing and Logging > Audit Information System (AIS).

SAP EWM

Note: This is not relevant for standalone Dock Appointment Scheduling.

SAP EWM auditing and logging is governed by the transactions and customizing activities listed in the table below.

Auditing and logging in SAP EWM is governed by change documents. Change documents have to be activated in Customizing before they can be used.

When change documents are activated and used in the system, each field in the SCM delivery documents is linked to change documents. The change documents provide information about which fields have been changed and about the old and new values. When you use change documents, you can define that the SCM system creates a log that shows which user has changed data in a delivery document and the specific time at which the change was made.

You can also run reports that retrieve archived documents. The reports are not separate transactions but they are contained in the SCM standard transactions, such as the Maintain Outbound Delivery Order transaction (the Open Advanced Search pushbutton is used).
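The following is an added example, not SAP code and not part of this guide: it shows, over constructed change-document records, the audit questions the paragraphs above describe (which fields of a delivery document changed, by whom, when, and from which old value to which new value). The header/item split mirrors that of SAP change documents, but all document numbers, user names, table and field names and values are made up. The last function adds a check a practitioner wants when change documents were activated late or switched off for a period: a recorded old value that does not continue the logged chain of new values marks a change that was made while no change document was written.

```python
"""
Audit queries over change documents for delivery documents.

Constructed example, not SAP code. The header carries who changed which
document and when; the items carry table, field, old value and new value.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple


@dataclass(frozen=True)
class ChangeHeader:
    change_no: str        # change document number (constructed)
    object_id: str        # delivery document number (constructed)
    user: str             # user who made the change
    changed_at: datetime  # date and time of the change


@dataclass(frozen=True)
class ChangeItem:
    change_no: str
    table: str            # table of the changed field (constructed name)
    field: str
    old_value: str
    new_value: str


# Constructed sample records.
HEADERS: List[ChangeHeader] = [
    ChangeHeader("C1", "8000001", "WHCLERK1", datetime(2016, 3, 1, 8, 15)),
    ChangeHeader("C2", "8000001", "WHCLERK2", datetime(2016, 3, 1, 17, 40)),
    ChangeHeader("C3", "8000001", "ADMIN", datetime(2016, 3, 2, 9, 0)),
    ChangeHeader("C4", "8000001", "WHCLERK1", datetime(2016, 3, 2, 10, 0)),
    ChangeHeader("C5", "8000002", "WHCLERK2", datetime(2016, 3, 3, 11, 30)),
]

ITEMS: List[ChangeItem] = [
    ChangeItem("C1", "DLV_ITEM", "QUANTITY", "10", "12"),
    ChangeItem("C2", "DLV_ITEM", "QUANTITY", "12", "15"),
    ChangeItem("C3", "DLV_ITEM", "QUANTITY", "20", "5"),   # old value 20 != previous new value 15
    ChangeItem("C4", "DLV_HEAD", "CARRIER", "CARR01", "CARR02"),
    ChangeItem("C5", "DLV_ITEM", "QUANTITY", "1", "2"),
]

# One logged change: (time, user, field, old value, new value)
Change = Tuple[datetime, str, str, str, str]


def changes_for_document(object_id: str, headers: List[ChangeHeader] = HEADERS,
                         items: List[ChangeItem] = ITEMS) -> List[Change]:
    """Join headers and items for one document, oldest change first."""
    by_no = {h.change_no: h for h in headers if h.object_id == object_id}
    joined = [(by_no[i.change_no].changed_at, by_no[i.change_no].user,
               i.field, i.old_value, i.new_value)
              for i in items if i.change_no in by_no]
    return sorted(joined)


def changes_by_user(user: str, start: str, end: str, headers: List[ChangeHeader] = HEADERS,
                    items: List[ChangeItem] = ITEMS) -> List[Tuple[str, str]]:
    """(document, field) pairs changed by a user within [start, end] (ISO 8601 strings)."""
    start_dt, end_dt = datetime.fromisoformat(start), datetime.fromisoformat(end)
    nos = {h.change_no: h.object_id for h in headers
           if h.user == user and start_dt <= h.changed_at <= end_dt}
    return sorted({(nos[i.change_no], i.field) for i in items if i.change_no in nos})


def unlogged_changes(object_id: str, field: str, headers: List[ChangeHeader] = HEADERS,
                     items: List[ChangeItem] = ITEMS) -> List[dict]:
    """Transitions whose recorded old value does not continue the logged chain."""
    gaps = []
    previous_new = None
    for changed_at, user, f, old, new in changes_for_document(object_id, headers, items):
        if f != field:
            continue
        if previous_new is not None and old != previous_new:
            gaps.append({"at": changed_at.isoformat(), "user": user,
                         "expected_old": previous_new, "recorded_old": old})
        previous_new = new
    return gaps


if __name__ == "__main__":
    for change in changes_for_document("8000001"):
        print(change)
    print(changes_by_user("WHCLERK1", "2016-03-01T00:00", "2016-03-02T23:59"))
    print(unlogged_changes("8000001", "QUANTITY"))
```

In the sample data the change recorded under C3 starts from quantity 20 although the last logged value was 15, so the gap report names the time and user of the first change after the unlogged one; that is the record to compare against the Customizing history of the Change Documents indicator described in Table 19.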


The following Customizing activities are relevant for SAP EWM auditing and logging. In SCM Customizing, you can set, per document type of delivery, whether a change document is to be written for each delivery document. You can make these settings for all document categories in SAP EWM, in other words for all delivery documents in SAP EWM, including posting changes and internal moves.

Table 19

Columns: Customizing Activity; Path in Customizing for SAP EWM

Customizing activity: Activation of change documents for inbound delivery
Path: Extended Warehouse Management > Goods Receipt Process > Inbound Delivery > Manual Settings > Define Document Types for Inbound Delivery Process (or: Extended Warehouse Management > Goods Receipt Process > Inbound Delivery > Use Wizard to Define Document Types for Inbound Delivery Process). Select the Change Documents indicator.

Customizing activity: Activation of change documents for expected goods receipt
Path: Extended Warehouse Management > Goods Receipt Process > Inbound Delivery > Manual Settings > Define Document Types for Expected Goods Receipt (or: Extended Warehouse Management > Goods Receipt Process > Expected Goods Receipt > Use Wizard to Define Document Types for Expected Goods Receipt). Select the Change Documents checkbox.

Customizing activity: Activation of change documents for outbound delivery
Path: Extended Warehouse Management > Goods Receipt Process > Inbound Delivery > Manual Settings > Define Document Types for Expected Goods Receipt

Customizing activity: Activation of change documents for posting changes
Path: Extended Warehouse Management > Internal Warehouse Processes > Delivery Processing > Posting Changes > Manual Settings > Define Document Types for Posting Change Process (or: Extended Warehouse Management > Internal Warehouse Processes > Delivery Processing > Posting Changes > Use Wizard to Define Document Types for Posting Change Process). Select the Change Documents checkbox.

Customizing activity: Activation of change documents for stock transfers
Path: Extended Warehouse Management > Internal Warehouse Processes > Delivery Processing > Stock Transfers > Manual Settings > Define Document Types for the Stock Transfer Process (or: Extended Warehouse Management > Internal Warehouse Processes > Delivery Processing > Stock Transfers > Use Wizard to Define Document Types for the Stock Transfer Process). Select the Change Documents checkbox.

The following transactions are relevant for SAP EWM auditing and logging (in each of these transactions, you can use the Open Advanced Search pushbutton on the screen for that transaction, to retrieve and display archived report data):

Table 20

Columns: Transaction Description; Menu Path in the SAP EWM System

Transaction: Maintain Inbound Delivery
Menu path: On the SAP Easy Access screen, choose Extended Warehouse Management > Delivery Processing > Inbound Delivery > Maintain Inbound Delivery.

Transaction: Maintain Expected Goods Receipt
Menu path: On the SAP Easy Access screen, choose Extended Warehouse Management > Delivery Processing > Inbound Delivery > Expected Goods Receipt > Maintain Expected Goods Receipt.

Transaction: Maintain Outbound Delivery Order
Menu path: On the SAP Easy Access screen, choose Extended Warehouse Management > Delivery Processing > Outbound Delivery > Maintain Outbound Delivery Order.

Transaction: Maintain Posting Change
Menu path: On the SAP Easy Access screen, choose Extended Warehouse Management > Delivery Processing > Posting Change > Maintain Posting Change.

Transaction: Maintain Internal Stock Transfer
Menu path: On the SAP Easy Access screen, choose Extended Warehouse Management > Delivery Processing > Maintain Internal Stock Transfer.


17 Services for Security Lifecycle Management

The following services are available from Active Global Support to assist you in maintaining security in your SAP systems on an ongoing basis.

Security Chapter in the EarlyWatch Alert (EWA) Report

This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you:

● Whether SAP Security Notes have been identified as missing on your system.

In this case, analyze and implement the identified SAP Notes if possible. If you cannot implement the SAP Notes, the report should be able to help you decide on how to handle the individual cases.

● Whether an accumulation of critical basis authorizations has been identified.

In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not, correct the situation. If you consider the situation okay, you should still check for any significant changes compared to former EWA reports.

● Whether standard users with default passwords have been identified on your system.

In this case, change the corresponding passwords to non-default values.

Security Optimization Service (SOS)

The Security Optimization Service can be used for a more thorough security analysis of your system, including:

● Critical authorizations in detail

● Security-relevant configuration parameters

● Critical users

● Missing security patches

This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-site service. We recommend that you use it regularly (for example, once a year) and in particular after significant system changes or in preparation for a system audit.

Security Configuration Validation

The Security Configuration Validation can be used to monitor a system landscape for compliance with predefined settings continuously, for example, from your company-specific SAP Security Policy. This primarily covers configuration parameters, but it also covers critical security properties like the existence of a nontrivial Gateway configuration or making sure that standard users do not have default passwords.

Security in the Run SAP Methodology/Secure Operations Standard

With the E2E Solution Operations Standard Security service, a best practice recommendation is available on how to operate SAP systems and landscapes in a secure manner. It guides you through the most important security operation areas and links to detailed security information from SAP's knowledge base wherever appropriate.


More Information

For more information about these services, see:


● EarlyWatch Alert: service.sap.com/ewa

● Security Optimization Service/Security Notes Report: service.sap.com/sos

● Comprehensive list of Security Notes: service.sap.com/securitynotes

● Configuration Validation: service.sap.com/changecontrol

● Run SAP Roadmap, including the Security and the Secure Operations Standard: service.sap.com/runsap (see the Run SAP chapters 2.6.3, 3.6.3 and 5.6.3)


18 Appendix

For more information about the security of SAP applications, see SAP Service Marketplace at service.sap.com/security.

For more information about security guides of SAP applications, see SAP Service Marketplace at service.sap.com/securityguide.

Related Information

For more information about topics related to security, see the links shown in the following table:

Table 21: Quick Links to Related Information (quick links on SAP Service Marketplace, http://service.sap.com)

● Master Guides, Installation Guides, Upgrade Guides, Solution Management Guides: service.sap.com/instguides

● Related SAP Notes: service.sap.com/notes

● Released platforms: service.sap.com/platforms

● Network security: service.sap.com/securityguide

● Technical infrastructure: service.sap.com/installnw74

● SAP Solution Manager: service.sap.com/solutionmanager

● SAP Supply Chain Management: service.sap.com/scm
